Collaborate Disseminate
I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a react SPA and a .net API, on the same domain. This web app is a case management solution that deals with medical data, running in a private ne… Continue reading Session/cookie expire time, match access token or refresh token from AD?
There is really not that great information on what the best practices are for auth in SPA/API solutions. Most of them just say use JWTs and auth code flow in the SPA. There is a ton of information regarding auth in a SPA where you are requ… Continue reading Best practises regarding authentication in SPA/API solutions with SSO
This CISA-NSA guidance reveals concerning gaps and deficits in the multifactor authentication and Single Sign-On industry and calls for vendors to make investments and take additional steps. Continue reading New CISA and NSA Identity and Access Management Guidance Puts Vendors on Notice
I want to create a website with password login and social login (e.g. Google only.)
For password login, first I will send a verification email.
I want to prevent pre-hijacking.
For those who do not know pre-hijacking: https://msrc-blog.mic… Continue reading Pre-Hijacking Mitigation
This is a slightly tough one to explain with my current experience, lacking mainstream terminology. But here goes.
I have an encryption/security model whereby I do not store users plaintext passwords. It’s pretty simple actually:
1 – on si… Continue reading How can a users plaintext password be acquired while using biometricID with the following security model?
I have a site that have SSO resolved in a way of opening identity provider in iframe to access it. I have CSP to ‘self’ but it didn’t work, adding the implicit url also fails. SSO does not work and I keep getting this confusing message:
R… Continue reading Refused to frame url despite having it in frame-ancestors [migrated]
I want to accomplish the following:
Having a web application or mobile app authenticating users using openid connect.
Having a REST Api authenticated using openid connect using the same user as for point 1.
The user should not have to con… Continue reading OpenID Connect for authenticating a web-api
Similar Question: Securing a multi-tenant API with SSO and different roles per tenant
I’ll provide an example
This is the top level domain:
umantis.com
This is the syntax for a tenant/subdomain:
recruitingapp-xxx.umantis.com
Why don’t th… Continue reading Is there any advantage of per-tenant password storing to cross-tenant SSO if at all? [closed]
Brand A has multiple, separate websites – these websites reference each other as part of the brand family, but do not have a shared single sign on system.
Instead, each website has their own login and account creation page – on which, ther… Continue reading Shared credentials logins between separate websites and trust issues
I am not questioning the security of the technical implementations of SSO, but the training of users to follow a potentially insecure access pattern.
Background
If you for example roll out SSO (single-sign-on) provider Okta in your organis… Continue reading Is single-sign-on making phishing attacks easier?