Questions tagged [access-token]

An access token is an object encapsulating the security identity of a process or thread. A token is used to make security decisions and to store tamper-proof information about some system entity.

28 questions
3 votes, 1 answer

PAT vs. SSH - Why Bother with SSH?

Are there any advantages to using SSH keys vs. a PAT when interacting with a site like GitHub? GitHub claims SSH keys are a way to not have to enter your username + password (personal access token) with every interaction, however, my Keychain…
stk1234
3 votes, 3 answers

OAuth2 - using Id Token for authentication to a backend service

Many resources on the internet state that you should use an Access Token and not an Id Token to authenticate to an API, but do not provide explicit reasons why. Are there any real drawbacks to using an Id Token for authentication in a case when we control…
eddyP23
2 votes, 3 answers

Detecting session sharing with OAuth2

In the OAuth2 Implicit Grant flow, the access token is added to the URL fragment as part of the redirect from the Authorization Server to the Relying Party. Since this access token is made visible to the end-user in the Callback URL, this URL could…
2 votes, 0 answers

Is it a good practice to store both the Google OAuth2 access token and the refresh token in the database unhashed?

I recently came across a source code where they save a user's refresh token and the access token upon sign in through Google into the database. This is done to access the Google APIs later on through the server. My question is, isn't this insecure?…
THpubs
1 vote, 0 answers

Web password reset steps

I'm trying to implement authentication for users on a web page using JWT tokens and, so far, I can create users and authorize them. I'm now trying to write the password reset functionality and I think I may be finished (per any examples and research…
mirkaim
1 vote, 1 answer

Reset password parameters to send

I'm building a web app in Node.js, Express, and Mongoose. I'm worried about security and optimization issues on what to send in the email link. I see many of them sending: /:userId/:token, but if I would insert in the link only the token it wouldn't…
1 vote, 1 answer

Security requirements for public API keys

I need to provide security requirements for public API keys that will be generated by a web application and then used in automation scripts by clients. The scripts will be run on the endpoints several times a day via a cronjob. The risk of a key…
uvzz
1 vote, 1 answer

When generating user session tokens, should I bother checking for a duplicate?

In a program I am writing, I use session authentication tokens that we give back to a user to have them hand in with their requests. This is working very well, but this question is about the generated token and the chance of collision. Here is the PHP…
Necro
1 vote, 0 answers

MFA authentication to O365 - remote workers without a mobile phone. Which secure solution?

We are deploying O365 in my company (Teams, SharePoint, Exchange Online, Office suite). In order to connect from outside our network (remote workers, especially during this pandemic), we've implemented MFA with MS Authenticator and OTP with SMS. Some…
1 vote, 2 answers

Is access token confidentiality also ensured in the Authorization Code grant type in OAuth 2.0?

One of the really nice articles I came across while trying to understand the various grant types in OAuth 2.0 was this. The author really has done a good job at explaining quite clearly what the various grant types in an OAuth 2.0 flow look like. I also…
qre0ct
1 vote, 2 answers

What is a reasonable timeframe that should be defined and enforced for access token expiry to reduce the risk of unauthorised access?

What is a reasonable timeframe that should be defined and enforced for access token expiry to reduce the risk of unauthorized access?
Nathan Aw
0 votes, 1 answer

Securely loading private tokens on a local machine

When doing local development, I have to export a token needed for downloading dependencies from a private repository. For example: export NPM_TOKEN=token_value I want to make sure that this token is not stored in the shell history (that's an easy…
0 votes, 0 answers

OAuth1 tokens: Are consumerToken and ConsumerSecret considered secret values?

I am using OAuth1 to connect to the NetSuite Restlet API for multiple customers. To do so I make use of these values to authenticate and sign the request: API URL (unique per customer), Realm (unique per customer), ConsumerToken (64 char hexadecimal…
David
0 votes, 0 answers

Auto-login (password stored on device) vs refresh token

I'm asking myself what the benefits of a refresh token are over saving the user password (securely) on the user device and performing a transparent login (in the background) with those credentials to get a fresh new access token. Note: you would have to "identify"…
0 votes, 1 answer

Is it acceptable to send an access token back to a browser client?

I am currently following the instructions for getting an access token on behalf of a Twilio user described here. The part that is confusing me is where it seems to generate an access token and then proxy it back to the client. I guess the idea is the…
Jackie