Questions tagged [oauth2]

OAuth2 is the industry-standard protocol for access delegation, commonly used to grant applications access to user information on other applications without giving them the passwords. It is not backward compatible with OAuth 1.0.

385 questions
127
votes
7 answers

Why use OpenID Connect instead of plain OAuth2?

I just started to use OAuth 2.0 as a way to authenticate my users. It works great - I just use the identity/profile API of each provider to get a validated email address of the user. Now I read about OpenID Connect and am a little bit confused.…
rdmueller
  • 2,413
  • 3
  • 18
  • 17
52
votes
2 answers

What is PKCE actually protecting?

I'm trying to get my head around how PKCE works in a mobile app and there's something I don't quite understand. So from what I can gather the client app creates a random cryptographically secure string known as the code-verifier. This is then…
TommyBs
  • 657
  • 1
  • 5
  • 7
38
votes
3 answers

Why isn't PKCE encouraged for Single-Page Apps?

A lot of services today still recommend the implicit flow for an OpenID Connect/OAuth2 token exchange when developing Single-Page Apps. (See Okta - now recommends PKCE w/ implicit fallback, Google, Auth0) Some newer guidance out there points towards…
someone1
  • 686
  • 1
  • 7
  • 10
32
votes
1 answer

What are the differences between JSON Web Tokens, SAML and OAuth 2?

What are the differences between JSON Web Tokens, SAML and OAuth 2? Please provide some pointers and a high-level overview of their functions. Specifically, why would one use SAML over JSON Web Tokens or vice versa? Does one need to have OAuth 2 to use…
Jadiel de Armas
  • 421
  • 1
  • 4
  • 3
18
votes
1 answer

How to verify Google sign-in screen is legit? (Linux Desktop)

I've installed an Electron app "Google Play Music Desktop Player" which presents a Google login screen: This is in a standalone window with no URL displayed. Although I have no reason not to trust this app, how can I be sure that this login screen…
Andrew M.
  • 283
  • 1
  • 6
17
votes
3 answers

OAuth2 vs API key in a server to server communication

A third party service provider is exposing a payment API that we need to integrate on our backend. As transport communication we will consume this API using TLS with Client Certificate and over a MPLS private network. As authentication framework,…
systempuntoout
  • 305
  • 3
  • 10
16
votes
2 answers

What is the difference between API keys and API tokens usages?

From all the research that I have done, I have found that API keys are less secure than access tokens (under usage of OAuth), and should only be used for monitoring purposes. But from what I understood, the server generates both of them. So if I…
Elie Saad
  • 347
  • 2
  • 3
  • 14
14
votes
10 answers

Spoofing POST/GET requests in a RESTful service

I started working on an app that connects to a RESTful service for authentication and data. User POSTs the user name and password to /token endpoint. Once they log in successfully, they get a bearer token that they then append to the Authorization…
u9kV-6J
  • 145
  • 1
  • 7
11
votes
1 answer

Is CORS ever needed during any aspect of OAuth / OpenIDConnect Authentication?

I'm looking at OpenIDConnect authentication and trying to determine if either "simple CORS" or "complex CORS" is ever leveraged during authentication or authorization. Background A Simple CORS (with no preflight) involves: HTTP method…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
9
votes
1 answer

Do I need CSRF protection in this setup with a REST API backed with oauth2 and a basic auth SSO auth server?

I've seen the answer Is CSRF possible if I don't even use cookies? but there are 2 conflicting answers and the question itself doesn't provide that much information either. I am creating a REST API that will be used by a web client (of our own…
9
votes
1 answer

Using the authorization code grant without using cookies?

I've been reading up on this for months and it seems like the whole thing could converge on what I'm summarizing below. I'm trying to arrive at the most ideal: OAuth2 OpenID Connect SPA / Mobile Client JWT Solution that has banking level security…
Ole
  • 529
  • 5
  • 10
9
votes
1 answer

FB Oauth CSRF security, PHP website

I am experimenting with third party login, using Twitter and Facebook. After getting access token from these parties, and confirming its validity, I then issue my own JWT token that's used within my application cluster. The only thing I use the 3rd…
Slytherin
  • 141
  • 4
9
votes
1 answer

Is it safe to store the state parameter value in cookie?

As per https://www.rfc-editor.org/rfc/rfc6749#section-10.12: The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that…
neverendingqs
  • 191
  • 2
  • 5
8
votes
1 answer

Does PKCE replace state in the Authorization Code OAuth flow?

PKCE explanation: https://www.oauth.com/oauth2-servers/pkce/ OAuth Flow example: https://developer.okta.com/docs/guides/implement-auth-code-pkce/use-flow/ My question is more specifically: Is there any reason to require state if PKCE is…
8
votes
2 answers

Using third party authentication like google/facebook to login to a site, is there any security risk when the site is hacked?

Sites like stackoverflow, quora, and many more offer sign in from Google/Facebook. In the event that there is a data breach or the site is hacked, is there any security risk to your Google/Facebook account?
rcs
  • 181
  • 2