Questions tagged [oauth2]

OAuth2 is the industry-standard protocol for access delegation, commonly used to grant applications access to user information on other applications without giving them the passwords. It is not backward compatible with OAuth 1.0.

385 questions
8 votes, 2 answers

Why is a wildcard-subdomain callback URL in OAuth considered unsafe?

In this post: http://technotes.iangreenleaf.com/posts/closing-another-nasty-security-hole-in-oauth.html Enter your full callback URL(s) in this field. This means you should be providing the entire path, such as …
Tanin
7 votes, 2 answers

PKCE vs Client Secret

If I was developing a web app client that would be served statically, I would need to either use the implicit grant flow (which is no longer advisable) or use the authorization code grant flow with PKCE. Given that I'm developing a web app client…
Daniel Rearden
7 votes, 3 answers

Non-confidential OAuth2 flow

I've been going through some documents regarding OAuth2 confidential and non-confidential authorisation flows, namely this and the RFC. From my understanding, the non-confidential flow does not require the client_secret, or better yet, you actually…
takecare
7 votes, 2 answers

Is it safe for users of my API to 'Sign In With GitHub' using passport-github?

I understand that OAuth2 was designed to delegate authorization grants to specific resources; it alone is not an authentication protocol. However, the passport-github README states: This module lets you authenticate using GitHub in your Node.js…
6 votes, 2 answers

Auth code grant /w PKCE for SPAs

I'm a security newb trying to find out how to secure my SPAs, and am totally lost in the forest of RFCs, BCPs, drafts and blog posts. If possible, I'd like to serve my SPAs statically from a CDN. At first I was uplifted by this article from Okta…
AleksG
6 votes, 2 answers

In OAuth 2.0, how is the client secret supposed to be kept secret?

Using most OAuth 2.0 flows, a client application can identify itself to the authorization server by means of a "client id" and "client secret." The OAuth 2 specification says that the client secret should indeed be kept secret. However, if the…
the_endian
6 votes, 1 answer

Can the OAuth2 "state" parameter be used to avoid using session cookies to identify the user?

https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 states: 4.1.1. Authorization Request: "state" RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value…
6 votes, 1 answer

Authorize transitive communication between applications on behalf of the user

I'm trying to wrap my head around the following web security question for a while now. Say we have a system set up as depicted in the picture below. There is one main application with which the user interacts most of the time through a front end.…
badoit
6 votes, 2 answers

Is it OK to write an OIDC Bearer token to a log?

During development we added details of HTTP requests, including headers, to error logs to have a better understanding for error investigation. Our architect pointed out that we should not place sensitive information in logs. My question was should we…
6 votes, 2 answers

Is there any security difference between login via iFrame, Pop-up, or redirect?

There seem to be a number of techniques to authenticate a person on the web. Most commonly there are JavaScript pop-ups (Google, Firefox Persona, Disqus, etc.), HTTP redirects (OAuth, Facebook), and iframes, with sandboxing set as needed. Question: Is…
makerofthings7
6 votes, 2 answers

How do I correctly use CORS with OpenID Connect?

There seem to be a number of questions on several blogs, Q&A sites, and comments that ask variants of the question: How do I correctly use CORS with OpenID Connect? The context of these questions is usually one of these roles: The…
makerofthings7
6 votes, 3 answers

Why is OAuth2/OpenID Connect considered less secure than SAML/WS-*?

The prevailing notion seems to be that OAuth2 and OpenID Connect are considered less secure than SAML/WS-Federation. From what I gather, it comes down to encryption, i.e. the fact that OAuth2/OpenID Connect do not support token encryption and…
Aashish Koirala
5 votes, 4 answers

Is a "magic link" a kind of authentication?

From what I am reading, magic links require users to provide their email; the user will be sent an email with a link to sign in, and the user can use this link to log into the system. Can this be called authentication? What we are validating…
bindip
5 votes, 1 answer

Where to store refresh token if not in local storage?

In general it's recommended not to store refresh tokens in local storage. The Auth0 documentation advises against it. Even though I am aware of the underlying threats, what I am not aware of is whether there are any alternatives as to how to store those…
tturbox
5 votes, 3 answers

Distribute Program with Sheets API Credentials

I am trying to write a program that uses the Google Sheets API to read spreadsheets and operate on the data. My program contains a credentials.json file which I obtained from the Java Quickstart page (also obtainable from the Google Developers…