OAuth2 is the industry-standard protocol for access delegation, commonly used to grant applications access to user information on other applications without giving them the passwords. Not backward compatible with OAuth 1.0
Questions tagged [oauth2]
385 questions
127
votes
7 answers
Why use OpenID Connect instead of plain OAuth2?
I just started to use OAuth 2.0 as a way to authenticate my users. It works great - I just use the identity/profile API of each provider to get a validated email address of the user.
Now I read about OpenID Connect and am a little bit confused.…
rdmueller
- 2,413
- 3
- 18
- 17
52
votes
2 answers
What is PKCE actually protecting?
I'm trying to get my head around how PKCE works in a mobile app and there's something I don't quite understand.
So from what I can gather the client app creates a random cryptographically secure string known as the code-verifier. This is then…
TommyBs
- 657
- 1
- 5
- 7
38
votes
3 answers
Why isn't PKCE encouraged for Single-Page Apps?
A lot of services today still recommend the implicit flow for an OpenID Connect/Oauth2 token exchange when developing Single-Page Apps. (See Okta - now recommends PKCE w/ implicit fallback, Google, Auth0)
Some newer guidance out there points towards…
someone1
- 686
- 1
- 7
- 10
32
votes
1 answer
What are the differences between JSON Web Tokens, SAML and OAuth 2?
What are the differences between JSON Web Tokens, SAML and OAuth 2. Please provide some pointers and high level overview of their functions.
Specifically, why would one use SAML over JSON Web Tokens or viceversa? Does one need to have OAuth 2 to use…
Jadiel de Armas
- 421
- 1
- 4
- 3
18
votes
1 answer
How to verify Google sign-in screen is legit? (Linux Desktop)
I've installed an Electron app "Google Play Music Desktop Player" which presents a Google login screen:
This is in a standalone window with no URL displayed. Although I have no reason not to trust this app, how can I be sure that this login screen…
Andrew M.
- 283
- 1
- 6
17
votes
3 answers
Oauth2 vs APIKey in a server to server communication
A third party service provider is exposing a payment API that we need to integrate on our backend.
As transport communication we will consume this API using TLS with Client Certificate and over a MPLS private network.
As authentication framework,…
systempuntoout
- 305
- 3
- 10
16
votes
2 answers
What is the difference between API keys and API tokens usages?
From all the research that I have done, I have found that API keys are less secure than access tokens (under usage of oAuth), and should only be used for monitoring purposes.
But from what I understood, the server generates both of them. So if I…
Elie Saad
- 347
- 2
- 3
- 14
14
votes
10 answers
Spoofing POST/GET requests in a RESTful service
I started working on an app that connects to a RESTful service for authentication and data. User POSTs the user name and password to /token endpoint.
Once they log in successfully, they get a bearer token that they then append to the Authorization…
u9kV-6J
- 145
- 1
- 7
11
votes
1 answer
Is CORS ever needed during any aspect of OAuth / OpenIDConnect Authentication?
I'm looking at OpenIDConnect authentication and trying to determine if either "simple CORS" or "complex CORS" is ever leveraged during authentication or authorization.
Background
A Simple CORS (with no preflight) involves:
HTTP method…
makerofthings7
- 50,090
- 54
- 250
- 536
9
votes
1 answer
Do I need CSRF protection in this setup with a REST API backed with oauth2 and a basic auth SSO auth server?
I've seen the answer Is CSRF possible if I don't even use cookies? but there are 2 conflicting answers and the question itself doesn't provide that much information either.
I am creating a REST API that will be used by a web client (of our own…
Sebastiaan van den Broek
- 257
- 2
- 12
9
votes
1 answer
Using the authorization code grant without using cookies?
I've been reading up on this for months and it seems like the whole thing could converge on what I'm summarizing below. I'm trying to arrive at the most ideal:
OAuth2
OpenID Connect
SPA / Mobile Client
JWT
Solution that has banking level security…
Ole
- 529
- 5
- 10
9
votes
1 answer
FB Oauth CSRF security, PHP website
I am experimenting with third party login, using Twitter and Facebook.
After getting access token from these parties, and confirming its validity, I then issue my own JWT token that's used within my application cluster. The only thing I use the 3rd…
Slytherin
- 141
- 4
9
votes
1 answer
Is it safe to store the state parameter value in cookie?
As per https://www.rfc-editor.org/rfc/rfc6749#section-10.12:
The client MUST implement CSRF protection for its redirection URI.
This is typically accomplished by requiring any request sent to the
redirection URI endpoint to include a value that…
neverendingqs
- 191
- 2
- 5
8
votes
1 answer
Does PKCE replace state in the Authorization Code OAuth flow?
PKCE explanation: https://www.oauth.com/oauth2-servers/pkce/
OAuth Flow example: https://developer.okta.com/docs/guides/implement-auth-code-pkce/use-flow/
My question is more specifically: Is there any reason to require state if PKCE is…
Ross Grambo
- 83
- 3
8
votes
2 answers
Using third party authentication like google/facebook to login to a site, is there any security risk when the site is hacked?
Sites like stackoverflow, quora, and many more offers sign in from Google/Facebook. In the event that there is a data breach or the site is hacked, is there any security risk to your Google/Facebook account?
rcs
- 181
- 2