Collaborate Disseminate
We are trying to arrive at a solution for an enterprise app
Different Users – have different Authentiation Methods
User Type 1 – Password + Captcha
User type 2 – Biometric [Not device-based] + Password
User type 3 – Biometric [Device-bas… Continue reading OpenId with Biometrics
I have an application that stores the id_token in the localStorage of the browser.
Since there is no CSP and Web Storage does not have the same protections such as cookies (HttpOnly, SameSite) this "feels wrong" to me.
Unfortunat… Continue reading What can attacker do with OpenID Connect id_token?
I have a native windows app that can connect to multiple external API’s using OAuth (Authorization Code + PKCE). I store the refresh tokens locally encrypted with the Windows Data Protection Api.
Now I’m running into the situation where I … Continue reading Native client OAuth without API supporting PKCE
Currently, there are two common auth flows i know:
Resource Owner Password Flow
Authentication Code Flow + PKCE (didn’t mention other, since this one is more robust within redirect-based)
This theme was discussed long and across, but for… Continue reading Modern security flow/process for trusted Mobile and SPA apps with self-hosted OIDC
I have a microservice system with an OpenId connect Identity Provider, implemented with IdentityServer4.
I have one special (very generic) service which needs to be able to communicate with all other services, even with services which will… Continue reading OpenId connect: Grant all available scopes in ClientCredentials flow
Many popular reverse proxies (tomcat, nginx, …) seem to handle OpenID Connect and act as a Relying Party to hide the authentication complexity to all applications behind the reverse proxy, which just receive http headers containing user … Continue reading OpenID Connect with or without reverse proxy?
My understanding is that client impersonation cannot be prevented for Native Desktop Apps. If all standard controls: State, PKCE, Redirect_URI confirmation etc are in place, to prevent auth_code leakage or injection. Then the only way an a… Continue reading A Native Desktop App using PKCE – Can an id_token be consider valid authentication when passed to another protected server resource?
The big picture is:
an android application which authenticate user with an external openid provider (such as azure AD)
a Java EE server which expose rest endpoints securized with the validation of the jwt token generated by the openid pr… Continue reading How to encrypt REST body with openid connect OIDC
Looking at this question Openid connect nonce replay attack and the answer by @benbotto. I understand the replay attack in implicit flow but unable to understand it for auth code flow. Let’s say an attacker intercepts the authentication re… Continue reading Openid nonce replay attack in auth code flow
I have a static react app which users login via an Okta SPA app.
The app receives a JWT, which it is stored in the browser, and passed to the backend API via Authentication header on every request.
The API using Azure API Management. They… Continue reading Does "validating" a JWT token from prove authentication with OpenId?