Collaborate Disseminate
I am currently adding single sign-on functionality between my application and an electronic health record (EHR) system. The SSO is done using the OpenID Connect authorization code flow, but unlike a typical OIDC sign-in (i.e. signing in wi… Continue reading Is it safe to pass an OpenID Connect ID token to my back-end API for verification?
Say I have three components in a system:
An identity service, hosted at identity.mydomain.com
A single page application, served from app.mydomain.com
An API, protected by requiring a bearer token signed by identity.mydomain.com
In the … Continue reading Taking advantage of subdomains for refresh token rotation in SPAs
Currently, my webserver support
TLS 1.0
TLS 1.1
TLS 1.2
One of your single sign-on clients will move to TLS 1.2 on 1st April 2020. Can I remove TLS 1.0 and TLS 1.1 now? Or I need to wait till this client move to TLS 1.2, then onl… Continue reading Should I disable TLS 1.0 and TLS 1.1 support on my web servers
As more companies transition to the cloud, their sensitive corporate- and compliance-related data are no longer stored and used behind multiple layers of perimeter security. Instead, security teams are faced with multiple cloud services, each with its… Continue reading The Security Challenges of the Cloud
Mobile app developers who care about security will be excited to implement Sign in with Apple and see how this balance of user experience, privacy and security will propel the industry forward. The feature isn’t just a way for Apple to keep more users… Continue reading Why Sign in with Apple Is a Good Thing
Over the last few years, multifactor authentication (MFA) has come a long way. In the past, MFA required that you carry a hard token on you at all times, but now, it has become a simple, one-touch endeavor. However, many still perceive MFA as a cumber… Continue reading Making the Move to Multifactor Authentication
We’ve described cyber criminals as opportunists many times. They’re adept at leveraging big events―from natural disasters to holidays―to their advantage. Like it or not, tax season is one such event that shows up on our calendar… Continue reading Time to Tighten Up Cybersecurity to Fight Tax Fraud
With more than 5 billion mobile phones on the market around the globe, mobile security is more important than ever. And the recent announcement from Apple around its Sign in with Apple guidelines brings privacy even more into the spotlight. It’s no d… Continue reading What Is Sign in with Apple’s Impact on Development?
I am having an http (IIS) resource server which uses Kerberos 5 for authentication. Every time I reach the page I need to key in my username and password but if I have done kinit in my machine (Windows 10) and have configured… Continue reading Kerberos with HTTP Resource Server Login
I am considering the following design for application with client-side encryption
Let’ say we have web application that manages/stores sensitive business data of users, and we do not want to know what data is in the backend,… Continue reading encrypt/decrypt arbitrary data provided in custom attribute by IdP in SSO scenario