Questions tagged [oauth]

OAuth is an open standard for authorizing access to data. It is a service that is complementary to, but distinct from, OpenID.

504 questions
169 votes, 7 answers

Difference Between OAUTH, OpenID and OPENID Connect in very simple terms?

I am very confused by the difficult jargon available on the web about OAUTH, OpenID and OPENID Connect. Can anyone tell me the difference in simple words?
user960567
  • 2,461
  • 4
  • 16
  • 16
127 votes, 7 answers

Why use OpenID Connect instead of plain OAuth2?

I just started to use OAuth 2.0 as a way to authenticate my users. It works great - I just use the identity/profile API of each provider to get a validated email address of the user. Now I read about OpenID Connect and am a little bit confused.…
rdmueller
  • 2,413
  • 3
  • 18
  • 17
107 votes, 5 answers

Should we store the access token in our database for OAuth2?

I have a requirement to implement Facebook and Google login in my web application. I also need to access a user's Facebook/Google+ friend list. I have gone through the complete OAuth2 documentation of Facebook and Google. I understood the basic…
Deepak Kumar Padhy
  • 1,178
  • 2
  • 8
  • 7
91 votes, 6 answers

Best place to store authentication tokens client side

When my users are authenticated they receive an authentication token. I need to use this authentication token to authorize some ASP.NET WebAPI calls. To do this I need to add the token to the header of that call, so I need the token accessible from…
jfamvg
  • 1,013
  • 1
  • 8
  • 5
80 votes, 3 answers

What are the dangers of allowing "less secure apps" to access my Google account?

According to https://support.google.com/accounts/answer/6010255: Google may block sign in attempts from some apps or devices that do not use modern security standards. Since these apps and devices are easier to break into, blocking them helps keep…
Hjulle
  • 906
  • 1
  • 6
  • 10
53 votes, 10 answers

Isn't OAuth, OpenID, Facebook Connect, and others crazy from a security standpoint?

I work with APIs all the time and I work with web developers who insist that OAuth, OpenID, etc. are far superior to a home-brew method. Every site seems to be using these as well now for ease of use to the user, but also for security. I hear it…
Oscar Godson
  • 631
  • 5
  • 5
50 votes, 4 answers

OAuth2 Cross Site Request Forgery, and state parameter

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-30#section-10.12 says: The client MUST implement CSRF protection [...] typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the…
Markus von Broady
  • 686
  • 1
  • 6
  • 14
45 votes, 5 answers

What are the downsides of BrowserID/Persona compared to OpenID/OAuth/Facebook?

Mozilla went live with a new service called BrowserID/Persona (announcement, background). It is intended to replace current single-sign-on solutions such as OpenID, OAuth and Facebook. One advantage is that a future integration into the browsers…
Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
44 votes, 6 answers

Can someone explain the "Covert Redirect" vulnerability in OAuth and OpenID?

CNet is reporting that all OpenID and OAuth sites are vulnerable to an attack called "Covert Redirect". What is this attack, how does it work, and as an end user, how can I mitigate the risk?
Daniel Pryden
  • 895
  • 1
  • 6
  • 12
40 votes, 3 answers

How does JTI prevent a JWT from being replayed?

According to the JWT RFC a JWT can optionally have a JTI which I interpret to be a unique ID for a JWT. It seems like a UUID is a good value for a JTI. The RFC claims that the JTI can be used to prevent the JWT from being replayed. Two…
ams
  • 613
  • 1
  • 5
  • 7
38 votes, 3 answers

Why isn't PKCE encouraged for Single-Page Apps?

A lot of services today still recommend the implicit flow for an OpenID Connect/OAuth2 token exchange when developing Single-Page Apps. (See Okta - now recommends PKCE w/ implicit fallback, Google, Auth0.) Some newer guidance out there points towards…
someone1
  • 686
  • 1
  • 7
  • 10
37 votes, 2 answers

OAuth 2 vs OpenID Connect to secure API

I am developing a Web API which will back several applications: a website, companion mobile application(s) and possibly several third-party applications. Every application is expected to get an access token from the auth server and then feed it to the…
Sergei Rogovtcev
  • 423
  • 1
  • 4
  • 8
35 votes, 3 answers

What is the purpose of OAuth 2.0 redirect_uri checking?

The OAuth 2.0 specification's authorization code mechanism includes redirect URI checking from the site you redirect to. See steps D and E in section 4.1 of the spec. Also, section 4.1.3 describes in detail that the redirected-to client needs to…
Steven
  • 451
  • 1
  • 4
  • 4
33 votes, 4 answers

How secure are expiring tokens and refresh tokens?

In the comments of a question on StackOverflow, OAuth2 Why do access tokens expire?, people are questioning how secure refresh tokens are. This comment is how I feel: So it provides some protection from packet sniffing, as long as the intercept…
Luke Puplett
  • 513
  • 1
  • 4
  • 9
33 votes, 3 answers

When do you use OpenID vs. OpenID Connect?

Can they be used together? Or are they two separate protocols that may or may not be useful depending on the context? The reason I ask is because I'm trying to implement the following: User "Bob" goes to a Client implemented as a User-Agent…
tjb1982
  • 433
  • 1
  • 4
  • 7