Collaborate Disseminate
I am evaluating JWT as authentication mechanism for an API. The idea is to use JWT as API key.
One thing I want to implement is revoking API keys. Since revoking involves a state change in my backend, I am losing the main advantage of JWT,… Continue reading Authentication using JWT signature, without header and payload
Tabletop games and cardboard tokens go hand-in-hand for a good reason: they are economical and effective. However, their tactile attributes leave a little to be desired. There’s something really great …read more Continue reading Cardboard Game Tokens Become Shiny Click-Clacks With DIY Treatment
There are sound reasons not to put any secrets, PII or other sensitive information into the logs on the server side (see OWASP ASVS V7).
But should the same rule apply on the client side? Is there a sound reason we should prohibit devs fro… Continue reading Logging secrets in the user agent (browser)
I build a widget product and my clients consume it via iframes to show it on their websites:
<iframe style=’width:100%; height: 100%;border:none;"’ src=’path/myhtmlproduct.html’></iframe>
myhtmlproduct.html is calling som… Continue reading I have a widget used by clients as iframes, what security tests should I check for? [closed]
As I understand it, OAuth is the natural evolution of authentication protocols
I understand in a general way that evolution is as follows:
basic authentication
cookies
tokens, at this point you want to separate the front from the back.
OA… Continue reading Why do big sites use cookies and not OpenID connect?
I’m asking myself what are the benefits of refresh token over saving the user password (securely) on user device and perform a transparent login (background) with its credentials to get a fresh new access token?
Note: you would have to “id… Continue reading Auto-login (password stored on device) vs refresh token
https://dev.gnupg.org/T6097
I am trying to get GnuPG to work with my SmartCard-HSM 4K on Windows, using the GP4Win bundle.
Kleopatra doesn’t recognise the SC-HSM 4K at all, even though, it does recognise the YubiKey 5 NFC in both PIV and O… Continue reading GnuPG: gpa.exe hangs when I click on "smartcards" AND scdaemon cannot recognise SC-HSM 4K
What is the difference between the confirmation email token, and the access token?
If possible can you provide the official name for the email confirmation token?
Continue reading Whats the difference between confirmation email token and Access token? [closed]
I’m working for a company and I saw their authentication mechanism and wasn’t sure if it’s good.
When the user first logs in, the credentials will be sent to the server and the server will generate a Bearer Token and response, then on the … Continue reading Bearer Token and session mangement
As far as I know, JWT tokens are used for implementing ‘stateless server’. But as I try to apply Jwt to my website that uses sessions and cookies for authentication, I found that most people store refresh tokens in their db and compare the… Continue reading Why do I have to store a refresh token in db