Collaborate Disseminate
Say I had a centralized OAuth 2 authentication server, a Single Page Application (SPA) in an electron app, and a third-party server. The user launches this SPA, goes through the PKCE flow to obtain an access & refresh token, and is now… Continue reading Using OAuth SPA app to provide third party with access token
I am trying to find the best OAuth2 mechanism for our VueJS Single Page Application (SPA) hosted on our own backend. From my research, Authorization Code should be sufficient, as long as the redirect URI happens on the backend. If it happe… Continue reading Difference between Form Post Response and Authorization Code
So I’m building an application that needs authentication, I’m wondering if there’s an security concerns with using a persistent httpOnly cookie to store user authentication with a SPA? (only 1 server. OAuth is not an option) I could set th… Continue reading Using a persistent httpOnly cookie for authentication? (SPA)
I’ve spent a while reading about this, and I know it’s a common topic, but I was hoping to get some feedback on my authentication approach.
I have an SPA. It needs to authenticate to 1) my application backend and 2) some APIs on AWS. I’m… Continue reading In memory JWT for API auth with HTTP-only cookie for sessions?
I have a server, the server has the following components on it:
An Apache Server, serving my webapp,
An API,
MongoDB
When the Webapp loads, it makes an API call to graph some data. If that API is located on the same server as the DB, t… Continue reading Retrieving data from MongoDB via API
While building a javascript SPA (single page application) I need to display some pages differently based on if the user is logged in or not.
Auth is handled by JWT which is served via httpOnly cookie and secure headers.
That leaves cook… Continue reading jwt served via httponly cookie with someway to find out is-logged-in [migrated]
I’m a security newb trying to find out how to secure my SPAs, and am totally lost in the forest of RFCs, BCPs, drafts and blog posts. If possible, I’d like to serve my SPAs statically from a cdn. At first I was uplifted by this article fro… Continue reading Auth code grant /w PKCE for SPAs
I’ve been building a web app (rails api + react SPA) for learning / fun and have been researching authentication. The most commonly recommended approach for authenticating SPAs that I have read is to put the auth token (such … Continue reading Are the trade offs for putting an auth token in an http-only cookie for an SPA worth it?
We are trying to implement the SAML 2.0 protocol and I stumbled upon a problem related to passing the token from the API to the client SPA application.
The authentication flow goes like this: the client is redirected to the IdP applicatio… Continue reading SAML Passing a JWT token from the API to the SPA application
On my Single Page App I am using MSAL.js to authenticate users and to also extract the groups they belong to by using Microsoft Graph endpoints. I save to a variable the Specific groups the user belongs to. According to the c… Continue reading Can an end-user modify conditional rendering in React?