Questions tagged [oauth2]

OAuth2 is the industry-standard protocol for access delegation: it lets a user grant an application scoped access to their data on another service without handing that application their password. It is not backward compatible with OAuth 1.0.

385 questions
0 votes, 1 answer

Preventing CSRF with implicit flow and JWTs?

I'm reading through the OpenID Connect document ATM and it says: "Put into a browser cookie the ID token can be used to implement lightweight stateless sessions." IIUC we want to avoid using cookies in order to avoid CSRF attacks, since the…
Ole
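The question above asks how an ID token can serve as a session without reopening CSRF. The standard OIDC answer is to bind two per-login secrets to the browser's own server-side session: `state` (echoed back on the callback) and `nonce` (embedded in the ID token by the provider). The following is an added example illustrating that check; it is not code from the question or from any OpenID library. It assumes a hypothetical provider at `https://op.example`, a hypothetical relying party `rp-demo` at `https://rp.example/cb`, a plain dict as the server-side session, and an HS256 shared-secret ID token (real providers sign with RS256/ES256 and publish JWKS; HS256 keeps the example dependency-free). It goes slightly beyond the question by showing both the login-CSRF case and a replayed ID token, since the same nonce check rejects both.

```python
"""Added example: state/nonce binding for an OIDC login (constructed, not from the question)."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; a real deployment takes these from OP metadata.
ISSUER = "https://op.example"          # hypothetical OpenID Provider
CLIENT_ID = "rp-demo"                  # hypothetical relying party (the web app)
REDIRECT_URI = "https://rp.example/cb"
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"  # HS256 key shared OP<->RP (demo only)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- OpenID Provider side: mint an ID token bound to the RP's nonce ----
def issue_id_token(sub: str, nonce: str, now: int, ttl: int = 300) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# ---- Relying party side ----
def verify_id_token(token: str, now: int) -> dict:
    """Pin the algorithm, check the signature, then iss/aud/exp. Returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("ID token expired")
    return claims


def begin_login(session: dict) -> str:
    """Store a fresh state (CSRF token for the callback) and nonce (bound into the ID token),
    then build the authorization request URL the browser is redirected to."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": session["oidc_state"], "nonce": session["oidc_nonce"]}
    return f"{ISSUER}/authorize?{urlencode(params)}"


def finish_login(session: dict, callback_url: str, id_token: str, now: int) -> dict:
    """Accept the callback only if state matches this session and the ID token carries this
    session's nonce. Both values are single-use: they are popped before being checked."""
    returned_state = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    expected_state = session.pop("oidc_state", None)
    expected_nonce = session.pop("oidc_nonce", None)
    if not expected_state or not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session (CSRF)")
    claims = verify_id_token(id_token, now)
    token_nonce = str(claims.get("nonce", "")).encode()
    if not expected_nonce or not hmac.compare_digest(token_nonce, expected_nonce.encode()):
        raise ValueError("nonce mismatch: ID token was not issued for this login attempt")
    session["user"] = claims["sub"]
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """One legitimate login plus two attacks; each outcome is returned as a string."""
    out = {}
    victim = {}
    begin_login(victim)
    token = issue_id_token("alice", victim["oidc_nonce"], now)
    out["legit"] = finish_login(victim, f"{REDIRECT_URI}?code=c1&state={victim['oidc_state']}", token, now)["sub"]

    # Login CSRF: the attacker completes *their* login inside the victim's browser session.
    attacker, victim = {}, {}
    begin_login(attacker)
    begin_login(victim)
    token = issue_id_token("mallory", attacker["oidc_nonce"], now)
    try:
        finish_login(victim, f"{REDIRECT_URI}?code=c2&state={attacker['oidc_state']}", token, now)
        out["csrf"] = "accepted"
    except ValueError as exc:
        out["csrf"] = str(exc)

    # Correct state, but a replayed ID token minted for a different login attempt.
    victim = {}
    begin_login(victim)
    stale = issue_id_token("alice", "nonce-from-an-earlier-login", now)
    try:
        finish_login(victim, f"{REDIRECT_URI}?code=c3&state={victim['oidc_state']}", stale, now)
        out["replay"] = "accepted"
    except ValueError as exc:
        out["replay"] = str(exc)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for the question's cookie concern: whether the ID token later lives in a cookie or in browser storage, the login itself is only accepted when the callback's `state` and the token's `nonce` match secrets the relying party stored in the requester's own session, so a forged or injected callback is rejected before any session is created. Mark the resulting session cookie `HttpOnly; Secure; SameSite=Lax` (or `Strict`) for the post-login requests.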
0 votes, 1 answer

Facebook Javascript SDK security issue?

I am trying to embed Facebook auth into my application. My initial effort was to log in in the browser and obtain a code. I pass this code back to my API and obtain an access token (that stays with the server) and route all my requests to the FB API through my…
stripathi
0 votes, 1 answer

Secure authentication on SPA/Javascript application with “remember me” support

I have 3 website projects as follows; identity.example.com (asp.netcore + IdentityServer4) api.example.com (asp.netcore webapi) www.example.com (asp.netcore + aurelia) I am able to authenticate the user using SPA user-agent using implicit grant…
Hasan
0 votes, 2 answers

Securing non-consumer machine-to-machine APIs with Encryption over SSL

I'm working on an API that is intended to be consumed by another system. The data is not owned by the requesting machine and the user(s) that the data pertains to are not driving the transaction. You could think of it as the same use-case as a…
0 votes, 1 answer

Can JSON Web Tokens be used to simplify the OAuth2 protocol without compromising security?

I have used JSON Web Tokens to handle authentication for some hobby websites in the past. For my next site I would like to use OAuth2, to allow my site to be used with other services. It seems that the OAuth2 authorization_code protocol adds some…
user3125280
0 votes, 1 answer

What is a good reason for persisting OAuth credentials?

While reviewing the database for some web sites I noticed tables where OAuth credentials (such as the token, refresh token) among other information are stored on the database. My understanding is that this information is mainly required for the user…
NoChance
0 votes, 2 answers

How to store user credentials in a web application?

I use the Twitter API in my app. I used to store the OAuth 2 tokens of the associated Twitter account within an application config. But now the application's users have to be able, using the web interface, to associate any number of Twitter…
-1 votes, 1 answer

Definition of Authorization according to OAuth2

I am trying to understand OAuth2 and OIDC. The OIDC glossary is a good starting point, and while it defines "Authentication", it does not actually define "Authorization". I suspect it leaves it to the OAuth2 specification to define the term. I…
Andreas F
-1 votes, 1 answer

How to secure backend API access?

In the good old days, you made server-side websites using PHP or something like that; now we have modern web apps divided into front-end and back-end (usually a REST API). You can't rely on CORS because some clients like Postman don't care about…
Ger
-1 votes, 2 answers

What are the security risks with rolling out your own Authorisation server implementation

Even though I'm working within .Net Core, this question is generally applicable to other platforms as well. My question is to do with: Using a framework (such as IdentityServer) to manage implementation for Auth (Authentication/Authorisation) -- Vs…
Ash