Issue with Single Sign-On (SSO) Implementation for WPF application with ADFS/MSAL

I’m encountering an issue with the implementation of Single Sign-On (SSO) in our WPF application, and I’d appreciate some guidance or insights from the community.
Here’s a breakdown of our setup:

We have a main WPF application that utiliz… Continue reading Issue with Single Sign-On (SSO) Implementation for WPF application with ADFS/MSAL

Session/cookie expire time, match access token or refresh token from AD?

I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a react SPA and a .net API, on the same domain. This web app is a case management solution that deals with medical data, running in a private ne… Continue reading Session/cookie expire time, match access token or refresh token from AD?

Best practises regarding authentication in SPA/API solutions with SSO

There is really not that great information on what the best practices are for auth in SPA/API solutions. Most of them just say use JWTs and auth code flow in the SPA. There is a ton of information regarding auth in a SPA where you are requ… Continue reading Best practises regarding authentication in SPA/API solutions with SSO

Progressive profiling with auth0: Security when communicating with auth0 actions

I currently try to implement progressive profiling with auth0 according to: https://auth0.com/blog/using-redirect-with-actions-to-gather-user-info-and-increase-conversions/ to gather first name and last name of a user after a succesful reg… Continue reading Progressive profiling with auth0: Security when communicating with auth0 actions

Is storing access token in private data, refresh token in http-only cookie safe?

Backend: Django / Django Rest Framework, would be hosted at GCP k8s
Frontend: Angular, would be hosted at some CDN e.g Vercel
Authentication: JWT (https://github.com/jazzband/djangorestframework-simplejwt)

The frontend and backend would … Continue reading Is storing access token in private data, refresh token in http-only cookie safe?

CSP for Single Page App: Use client-side nonce for securing iframe content

Goal I’d like to tighten my Content Security Policy.
Situation
I have a single page react application (= All code and styles are bundled together into a bundle.js file). The file is simply placed on a file storage server (Concrete: S3 buck… Continue reading CSP for Single Page App: Use client-side nonce for securing iframe content