Collaborate Disseminate
Microsoft is asking security researchers to look for and report technical vulnerabilities affecting its identity services and OpenID standards implementations, and is offering bug bounties that can reach as high as $100,000. “Microsoft has invest… Continue reading Microsoft offers bug bounties for holes in its identity services
A high-quality multi-factor authentication bypass submission can win a bounty hunter up to $100,000. Continue reading Microsoft Bounty Program Offers Payouts for Identity Service Bugs
According to the spec, OpenID Connect uses nonce as the registered claim name, but RFC 7519 already includes a registered claim named jti for this same purpose.
Was this an oversight, or was there something wrong with the wa… Continue reading Why does OpenID Connect ("OIDC") use a `nonce` claim instead of the `jti` registered claim
Note: I fully acknowledge there may be something I’m missing in the picture, which is part of my reason for posting. I’d like to get the opinion of people more experienced than I am on authN/Z related implementations.
Here’s where I am st… Continue reading Are JWT refresh tokens in browser really that bad?
I am implementing a customer-IAM solution using WSO2 Identity Server 4.5.1. One of the (few) applications integrating with me via Open ID connect has discovered an unexpected behaviour, and I need some help resolving if this … Continue reading Open ID Connect: Second ID-Token only has "sub" attribute
I have been made aware of an application, at a client, that claims to use OIDC to authenticate users. This is however done via a non-standard flow that I find hard to assess from a security standpoint.
It starts with a frontend SPA initia… Continue reading Non-standard OIDC flow: How safe is this?
A few years ago, OpenID was nearly everywhere, with support from what are currently the major OAuth providers — Google, Facebook, and even Yahoo all provided OpenID authentication.
Since then though, pseudo-authentication u… Continue reading Why was pseudo-authentication using OAuth more successful than actual authentication using OpenID?
A lot of services today still recommend the implicit flow for an OpenID Connect/Oauth2 token exchange when developing Single-Page Apps. (See Okta – now recommends PKCE w/ implicit fallback, Google, Auth0)
Some newer guidance out there poi… Continue reading Why isn’t PKCE encouraged for Single-Page Apps?
Say an attacker had access to a list of OpenID tokens, what could the attacker leverage with that to access a system?
Would they need to have another piece of information, MITM? Or can they just use that to authenticate.
… Continue reading What can an attacker do with an OpenID token
I have an interesting use case where users need to authenticate to applications running in environments that might not have internet access or even access to an authentication server. Administrators need to be able to grant a… Continue reading Authentication providers for applications with no internet connection