Modern security flow/process for trusted Mobile and SPA apps with self-hosted OIDC

Currently, there are two common auth flows I know of:

Resource Owner Password Flow
Authentication Code Flow + PKCE (I didn’t mention others, since this one is the more robust of the redirect-based flows)

This topic has been discussed at length, but for…

What Threat Profile is Microsoft addressing with the MSAL URI format?

Applications built for MSAL 1.0 and MSAL 2.0 have a default application URI of MSAL://GUIDHere/AppName
This is in contrast with what other IdPs are doing.
Can anyone explain the benefits or drawbacks of this format? (sometimes a "fea…

Should we include the "at_hash" (access token hash) claim in the id token of the authorization response when the response type is "code id_token"?

Should we include the "at_hash" (access token hash) claim in the id token when the response type is "code id_token"? According to this article by Takahiko Kawasaki, when the response type is "code id_token" an…

Is it possible to customize the user database and authentication methods for OpenID? [closed]

We are evaluating OpenID for our needs, and I am having trouble finding concise answers to a few questions. We have a current user database with all pertinent info, including hashing mechanisms for passwords. The current app uses this data…

OpenID Connect Authorization Code Flow, using refresh token to renew id_token? And subsequently issuing a new cookie

I am currently working on implementing a proof of concept for ADFS (2019) (which I managed successfully) and Azure AD with renewing the cookie / id_token by doing a refresh_token call in the backend of the web application. We currently expe…

Modern Authentication Becomes More Intelligent Inside Office 365
Azure Active Directory has implemented Continuous Access Evaluation (CAE), a technology to allow the directory to inform applications when security events occur. It’s then up to the applications to decide what to do. Exchange Online and Teams are the first Office 365 applications to benefit and updated clients are now being rolled out to support CAE.

The post Modern Authentication Becomes More Intelligent Inside Office 365 appeared first on Petri.