Questions tagged [oidc]

14 questions
1 vote, 1 answer

3rd party mobile app access our service via our APIs

We have a microservice backend system & we expose APIs for our customers to use. We are now developing our Authentication system with our identity provider service. We have a customer (a company); their users use their service via their mobile app.…
user842225
1 vote, 1 answer

What is the purpose of the ID Token if I can get the user info from the userinfo endpoint?

I am trying to understand OIDC and I don't see the purpose of the ID token if, with just the access token, I can make a request to the userinfo endpoint and get the user info. What then is the purpose of the ID token? In addition, what links an access…
Johnny Donalistic
0 votes, 1 answer

IdP Personal/Signer Certificates

We are implementing SAML/OIDC-based SSO across our enterprise and wanted to get a feel for best practices when it comes to using Personal/Signer Certificates within our IdP. Historically we've utilised the personal certificate that came with our…
0 votes, 0 answers

Using `react-oidc-context` and storing the `access_token` and `refresh_token` together

I am looking for a "best practices" approach for creating SPAs protected using OIDC + PKCE. Most of our applications are hosted on two independent web servers with a load balancer routing requests to them in a round-robin configuration. Our SPAs are…
0 votes, 0 answers

What risks are there in using an OAuth2 access_token from an IdP that I do not control to secure an API that I do control?

Imagine I host some API. Its exact function is irrelevant to the question, but it needs to have some sort of authorization put in front of it. I want to call Google's APIs, so users can interact with their Google data, so I add the necessary code to…
Richard Ward
0 votes, 0 answers

OpenId Connect and proper usage of nonce

I understand that a nonce is used to prevent replay attacks. I have been going through documentation, specs, posts and blog posts and I am a little confused. Consider the following attack scenario. Mary wants to log in to https://photos.com via…
Haunted
0 votes, 0 answers

What are the risks of using wildcard in context path of OIDC/OAuth redirect_uri?

I'm using Keycloak for my authentication needs. It allows me to use * as a wildcard when whitelisting redirect_uris for OIDC clients. What are the risks of using * in the context path of a redirect_uri? For example, what could an attacker do if I registered…
0 votes, 1 answer

Downside of resource owner password flow for native mobile apps?

I have seen some similar questions a few years old and I am not sure if there are any new changing views on this. I see that this flow is not recommended for native mobile apps. What are the practical security-wise downsides of using this flow for…
jhurtas
0 votes, 0 answers

OpenId Connect: Is there a way to listen for user events from the IDP

I have an application connecting to any IDP using the OIDC protocol. This application stores part of the user identity in its database. The problem I have is that when the user gets disabled on the IDP, the application still treats its record of the…
user3167162
0 votes, 0 answers

What's the purpose of signing OIDC ID Tokens if they shouldn't be used as bearer tokens

It seems like signing ID Tokens invites misuse. As I understand it, OIDC ID tokens should not be used as bearer tokens for authorizing API access. Instead, we should use access tokens. However, the ID token is still signed, and in the case of OIDC…
Jon Wolski
0 votes, 0 answers

OpenId with Biometrics - should I write a custom login + OIDC

We are trying to arrive at a solution for an enterprise app. Different users have different authentication methods: User Type 1 - Password + Captcha; User Type 2 - Biometric [Not device-based] + Password; User Type 3 - Biometric [Device-based, ex on…
0 votes, 2 answers

OpenId connect: Grant all available scopes in ClientCredentials flow

I have a microservice system with an OpenId connect Identity Provider, implemented with IdentityServer4. I have one special (very generic) service which needs to be able to communicate with all other services, even with services which will be…
0 votes, 0 answers

Working Code for Grant Negotiation and Authorization Protocol (gnap) for evaluation? Performance vs OAuth/OIDC

Understand that the Grant Negotiation and Authorization Protocol (GNAP) is still in draft status at the IETF. I am looking to evaluate GNAP and be the first to put it in production. Is there any working code for Grant Negotiation and Authorization…
Nathan Aw
-1 votes, 1 answer

Definition of Authorization according to OAuth2

I am trying to understand OAuth2 and OIDC. The OIDC glossary is a good starting point, and while it defines "Authentication", it does not actually define "Authorization". I suspect it leaves it to the OAuth2 specification to define the term. I…
Andreas F