Questions tagged [access-token]

An access token is an object encapsulating the security identity of a process or thread. A token is used to make security decisions and to store tamper-proof information about some system entity.

28 questions
0 votes, 0 answers

What risks are there in using an OAuth2 access_token from an IdP that I do not control to secure an API that I do control?

Imagine I host some API. Its exact function is irrelevant to the question, but it needs to have some sort of authorization put in front of it. I want to call Google's APIs, so users can interact with their Google data, so I add the necessary code to…
Richard Ward
0 votes, 1 answer

Creating secure website-based login for a desktop app

This question relates to this post I made on StackOverflow recently, which I'll recap here briefly. I have a desktop app that I would like to authenticate through a website, using the process outlined below: I click a "Login" button on my Qt C++…
0 votes, 0 answers

Best way to handle token authentication workflow on mobile apps

I'm working on a mobile application and I need to create a token-authentication workflow. So far I've pointed out the main token: token by reference, that is stored in a database, like…
Paul Rock
0 votes, 0 answers

Good practice for generating an opaque access token

Restrictions: the access token will be short-lived (2 minutes); the access token will be one-time use only. Given a strong random algorithm, would it be considered good practice to generate an opaque access token by generating 256/512 random bits that is…
0 votes, 1 answer

Is it safe to read the JWT token before validating it?

Is it safe to read the JWT token before validating it? My colleagues are implementing a "check JWT for aud value and route accordingly". This means that: first, the payload is read by the code of our application; then route to the correct…
ion
0 votes, 0 answers

Refresh tokens in a web environment

As I understand it, the basic idea is that you have an accessToken (15 minutes) and a refreshToken (1 week); a few moments before the accessToken expires, you need to ask the server for a new accessToken. If the user closed the browser before the 15…
SexyMF
0 votes, 0 answers

How to avoid OAuth2 timeouts with an orchestrator REST API

I have a REST API, which I'll call "R". R uses OAuth2 Bearer tokens for auth. However, R has a fairly complex API, so we're designing a new system called "O" that provides a simpler API. Users will have the choice of making calls to either R or to…
Mike W
0 votes, 1 answer

Is there a risk involved in refreshing a JWT token every time you refocus the webpage?

I am currently testing a website that appears to make a refresh token request every time I focus away from the web browser and back, or away from the tab the website is open in and back to it. I've confirmed these requests are refreshing my access…
jaredad7
0 votes, 0 answers

Requiring Google Mobile Service token

I'm pentesting an Android application written in Cordova, and while inspecting the network traffic I found an interesting endpoint that I would like to test. However, this endpoint needs a tokenID (ex. eyJ[...].eyJ[...]) and I don't know why, even…
D.Rek
0 votes, 2 answers

Is there a downside to sending a refresh token on every request to an API?

Let's say that my user signs in and the server responds with a refresh token saved in a cookie (SameSite strict, HttpOnly, CSRF token too) and with the access token in response (saved in JS memory). I read these guidelines in a popular Hasura…
0 votes, 1 answer

How is a PoP token more secure than a bearer token?

I tried reading a few articles; however, I'm not able to understand the merit of PoP over Bearer tokens. A Bearer token, if lost (during transit over the wire), can give the holder of the token the same privileges as the genuine owner. A PoP token is supposed to…
Gopal
0 votes, 1 answer

Does an API access token that only has access to public information need to be kept secret?

I found an Instagram Basic Display API access token leaked on a website. This token belongs to an Instagram marketing account of this website. Using my leet investigating skills, below is the information I have. This token has 3 months valid…
-1 votes, 1 answer

How to secure backend API access?

In the good old days, you made server-side websites using PHP or something like that; now we have modern web apps divided into front-end and back-end (usually a REST API). You can't rely on CORS because some clients like Postman don't care about…
Ger