Collaborate Disseminate
Suppose an attacker collects a large number of initial sequence numbers sent by the server. Can the
attacker cause the server to create many fully open connections by sending ACKs with those initial
sequence numbers? Why?
Continue reading Leaving half open or full open connection having SYN cookie
Suppose an attacker knows that a target host uses SYN cookies. Can the attacker create half-open or fully open connections by simply sending an ACK packet to the target? Why or why not?
Continue reading Creating half open or full open connection in presence of SYN cookie
What’s the best practice to authenticate a user in a browser app (spa: vuejs, angular, react, …) that has a backend ?
I’ve seen some recommend that the front handles the authentication (with pkce), and others recommend that the back hand… Continue reading OIDC: SPA best practices
We have a microservice backend system & we expose APIs for our customers to use. We are now developing our Authentication system with our identity provider service.
We have a customer(a company), their users using their service via the… Continue reading 3rd party mobile app access our service via our APIs
Is oauth2 designed to handle single-sign-on between a desktop application and a webapp?
The scenario looks like this:
The desktop app has a username/password login
After a user is authenticated in the desktop app, there are links to a bro… Continue reading Using oauth2 to implement SSO between a desktop application and a web application
I am trying to assess the security implications for a session handover between an app and a website in the same company ecosystem.
The Setup
Mobile Application A and Website B use the same company OpenID Connect (OIDC) provider to login th… Continue reading Is passing an IDToken OK for seamless handover from app to website?
I am looking to create a brand new authentication service that follows the OpenId connect protocol. I would like to use a username/password combination for the authentication and the authorization grant, I’m curious what the downsides are … Continue reading Using a spa login page for authentication in a openId connect servic
Suppose I have a web application that uses OpenID Connect to enable users to log in with one of several 3rd party identity providers (e.g., "log in with Google", "log in with Facebook"). I do not associate the 3rd party… Continue reading HTTP Bearer authentication with multiple identity providers?
It seems like signing ID Tokens invites misuse.
As I understand it, OIDC ID tokens should not be used as bearer tokens for authorizing API access. Instead, we should use access tokens.
However, the ID token is still signed, and in the case… Continue reading What’s the purpose of signing OIDC ID Tokens if they shouldn’t be used as bearer tokens
Describe the bug
I am using Microsoft.AspNetCore.Authentication.OpenIdConnect middleware in my application for openidcocnnect protocol. When Client application get redirected two persistent cookies are created AspNetCore.OpenIdConnect.Nonc… Continue reading "AspNetCore.OpenIdConnect.Nonce" and "AspNetCore.Correlation" cookies should be Session cookies [closed]