Questions tagged [oauth2]

OAuth2 is the industry-standard protocol for access delegation, commonly used to grant an application access to a user's data held by another application without handing over the user's password. It is not backward compatible with OAuth 1.0.

385 questions
5 votes, 1 answer
Can websites detect if visitors are logged in to mainstream ID providers and collect their IDs?

Logging in to websites using mainstream IDs (Google/Facebook/Github etc.) by means of OAuth (or similar) has nowadays become a feature that people expect. Not that long ago the corresponding user experience included popups asking if the website…
Greendrake

5 votes, 2 answers

Microservices and RBAC using OIDC

I am currently working on migrating our users from an internal DB to an OIDC service (considering Cognito/Auth0/etc.), and I am trying to implement RBAC. Our backend is basically a bunch of microservices, and I am trying to understand how we can…
Tomer Amir

5 votes, 0 answers

Poor Man's OAuth Grant - Review

A 3rd party company has requested that we implement single sign-on with them using the below approach. I'm familiar with OAuth grants and OIDC flows but this seems rather odd to me. The user has already logged into my application when this flow…
fml

5 votes, 1 answer

Is there any way for the server side to verify the application's integrity during the OAuth2 workflow?

During the OAuth2 PKCE workflow, the native application (installed on an Android/iOS device) issues the authorize request to the server and exchanges the OAuth tokens. For the server side, is there any way that we can check the authorize request is really issued…
Feng Xi

5 votes, 1 answer

OAuth2 PKCE - Can the refresh_token be trusted?

If I have a mobile that is authorized against my server using PKCE, which allows it to get an access_token and a refresh_token, to what extent should I trust that the app can use the refresh_token from now on to get the access_token? Surely the same…
James M

5 votes, 2 answers

Why do we use OAuth2 instead of Basic Auth in server-to-server communication using SSL?

Why do some API providers ask you to implement OAuth2 in server-to-server communication that's available only over HTTPS? In the frontend (app or webapp), OAuth2 is useful to protect the user credentials by storing a token and not the credentials in…
DomingoSL

5 votes, 1 answer

Need for scope in OAuth Client Credentials Flow

For me, the Client Credentials flow is like the client asking for an access token for itself, not on behalf of some user. Then why would the client want to limit its own scope? What is the benefit of scopes in the Client Credentials flow?
Kumar

5 votes, 1 answer

How to get better IAM understanding

I'm getting interested in Identity and Access Management (IAM), but I find it hard to find complete and understandable explanations that suit me, surely because I started wrong. I began with Wikipedia and followed discussions here and there…
Bytemare

5 votes, 1 answer

Is using OAuth2 services like Google or Facebook Single Sign-On a privacy concern?

With all the coverage of the Cambridge Analytica scandal, it seems like this wasn't a data breach or hack; it was just that Cambridge Analytica did not properly disclose how they would use the data. Is signing into a website using an OAuth2 service…
stickman

5 votes, 0 answers

Is there a good way to store OAuth2 tokens for a native application?

Currently I have a native PC application that builds and uploads a configuration to an embedded Linux device (i.e. the client). This device connects to Google Calendar via their OAuth2 API. The configuration requires: A resource owner to login to…
Mogarrr

5 votes, 1 answer

Securely Storing Access Tokens for Azure Key Vault

I am using Azure's Key Vault to store encryption keys and handle encryption and decryption, as we have a specification that requires encryption keys to be kept offsite; however, this has left me with the problem of what to do with the access_token I…
Rob Holmes

5 votes, 2 answers

Fine grained authorization with OAuth2

In my understanding of OAuth2, the scope may be used to specify access to what is asked for and granted by the resource owner. In most cases I encounter, the scope list is closed and specifies "kinds" of things that can be accessed, for example profile, email,…
AGrzes

5 votes, 1 answer

Why do OAuth and OAuth 2 have access tokens at all?

I am trying to implement a system for third-party apps to access data that a user stores on a provider. We have a robust access control system, with separate read/write/etc. levels for each "stream" of data published by a user. Inside our website,…
5 votes, 1 answer

OAuth Token Translation (Opaque to JWT)

I've seen a couple of talks which suggested the use of OAuth token translation at the API gateway, from an opaque token to a JWT. What are the advantages and disadvantages of this approach, and who should use it? If we are using HTTPS, I don't think this…
EralpB

4 votes, 1 answer

When using PKCE, are the state and nonce parameters still necessary protection from CSRF and code injection?

When I'm using the authorization code flow with PKCE do I still need state and nonce? For state (that prevents login-csrf), if an attacker sends me a malicious Authorization Response, the client may accept the response, but in the end no token can…
BenjaminH