Collaborate Disseminate
I’ve recently migrated my application to use external provider for login so that my application doesn’t have to deal with auth and storing user credentials. For this I’m using OpenID Connect (OIDC) over OAuth2 and so the auth flow is quite… Continue reading OIDC/OAuth2 id_token and it’s usage in the client application
My resource server exposes an API that expects JWT access tokens obtained using OpenID Connect.
So far the validation in the resource server side consisted on using the Realm public key to validate the JWT access token signature and check… Continue reading Should OIDC introspection endpoint be used to validate the JWT access token?
We have had a security consultant make a recommendantion of an approach that does not follow the IEFF best-practice document (https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04#section-6). I am looking for reasons why this … Continue reading Authorization Code Grant Flow for web-app with backend on separate domain (same origin)
I’m looking to implement Sign in with Apple on the mobile device. We have a backend api that expects to receive the id_token (once we get it from Apple). I had a question about using nonce in this flow.
From my understanding nonce are use… Continue reading Apple sign in on mobile (IOS/Android) nonce usage
In OpenID, the client needs to support OpenID Identity provider and the client (application) needs to register with OpenID Identity provider. This is similar to the service provider in SAML registering with SAML Identity prov… Continue reading Differences between SAML and OpenID Connect
I’m trying to implement a simple protocol to authenticate users and authorize them to access a certain web page/resource via a login form.
Please note that this is just something to use on my own and that it’s just to get th… Continue reading implementing an authentication mechanism for understanding the basics of client authetication
So I have looked at the following client library, implementing the OpenID Connect spec:
https://github.com/IdentityModel/oidc-client-js
It works as expected, and I can now allow users to login with Google, great.
This libra… Continue reading oidc authentication webapp REST api
Introduction:
I am currently implementing acr_values, acr & amr principles on a Open ID Provider server.
The claim amr (described in the OpenID RFC 1.0) has no standard clearly defined in this same RFC, but I would like… Continue reading OpenID Authentication Method Reference Name for a code sent via email
I am looking at implementing an Authorization Code with PKCE grant on a mobile app to communicate to an API. What I am curious about is what applications currently do with the OpenID token that is granted to the user via Goo… Continue reading Do websites grant their own JWT token after successful OpenID/OAuth2 login?
I was just reading through the “Token sidejacking” of the JWT Cheat Sheet of OWASP (https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html#token-sidejacking)
At the moment I don’t understand … Continue reading Usefulness of token sidejacking prevention mentioned by OWASP JWT Cheat Sheet