Questions tagged [oidc]
14 questions
1
vote
1 answer
3rd party mobile app access our service via our APIs
We have a microservice backend system & we expose APIs for our customers to use. We are now developing our Authentication system with our identity provider service.
We have a customer(a company), their users using their service via their mobile app.…
user842225
- 61
- 3
1
vote
1 answer
What is the purpose of the ID Token if I can get the user info from the userinfo endpoint?
I am trying to understand OIDC and i dont see the purpose of the ID token if with just the access token, i can make a request to the userinfo endpoint and get the user info. What then is the purpose of the ID token?
In addition, what links an access…
Johnny Donalistic
- 527
- 1
- 4
- 5
0
votes
1 answer
IdP Personal/Signer Certificates
We are implementing SAML/OIDC-based SSO across our enterprise and wanted to get a feel for best practices when it comes to using Personal/Signer Certificates within our IdP.
Historically we've utilised the personal certificate that came with our…
user1913559
- 3
- 1
0
votes
0 answers
Using `react-oidc-context` and storing the `access_token` and `refresh_token` together
I am looking for a "best practises" approach for creating SPAs protected using OIDC + PKCE.
Most of our applications are hosted on two independent web servers with a load balancer routing requests to them in a round-robin configuration. Our SPAs are…
user1913559
- 3
- 1
0
votes
0 answers
What risks are there in using an OAuth2 access_token from an IdP that I do not control to secure an API that I do control?
Imagine I host some API. Its exact function is irrelevant to the question, but it needs to have some sort of authorization put in front of it. I want to call Google's APIs, so users can interact with their Google data, so I add the necessary code to…
Richard Ward
- 194
- 9
0
votes
0 answers
OpenId Connect and proper usage of nonce
I understand that a nonce is used to prevent replay attacks. I have been going through documentations, specs, posts and blog posts and I am a little confused.
Consider the following attack scenario.
Mary wants to login to https://photos.com via…
Haunted
- 43
- 4
0
votes
0 answers
What are the risks of using wildcard in context path of OIDC/OAuth redirect_uri?
I'm using Keycloak for my authentication needs. It allows me to use * as wildcard when whitelisting redirect_uris for OIDC clients. What are the risks of using * in context path of redirect_uri? For example, what could attacker do if I registered…
0
votes
1 answer
Downside of resource owner password flow for native mobile apps?
I have seen some similar questions a few years old and I am not sure if there are any new changing views on this.
I see that this flow is not recommended for mobile native apps. What are the practical downsides security wise of using this flow for…
jhurtas
- 101
- 1
0
votes
0 answers
OpenId Connect: Is there a way to listen for user events from the IDP
I have an application connecting to any IDP using the OIDC Protocol. This application stores part of the user identity in it's database. The problem I have is when the user gets disabled on the IDP the application still treats it's record of the…
user3167162
- 101
- 1
0
votes
0 answers
What's the purpose of signing OIDC ID Tokens if they shouldn't be used as bearer tokens
It seems like signing ID Tokens invites misuse.
As I understand it, OIDC ID tokens should not be used as bearer tokens for authorizing API access. Instead, we should use access tokens.
However, the ID token is still signed, and in the case of OIDC…
Jon Wolski
- 133
- 1
- 6
0
votes
0 answers
OpenId with Biometrics - should I write a custom login + OIDC
We are trying to arrive at a solution for an enterprise app
Different Users have different Authentication Methods
User Type 1 - Password + Captcha
User type 2 - Biometric [Not device-based] + Password
User type 3 - Biometric [Device-based, ex on…
0
votes
2 answers
OpenId connect: Grant all available scopes in ClientCredentials flow
I have a microservice system with an OpenId connect Identity Provider, implemented with IdentityServer4.
I have one special (very generic) service which needs to be able to communicate with all other services, even with services which will be…
0
votes
0 answers
Working Code for Grant Negotiation and Authorization Protocol (gnap) for evaluation? Performance vs OAuth/OIDC
Understand that Grant Negotiation and Authorization Protocol (gnap) is still in draft status at the IETF.
I am looking to evaluate GNAP and be the first to put in production. Are there any working Code for Grant Negotiation and Authorization…
Nathan Aw
- 1
- 7
- 12
-1
votes
1 answer
Definition of Authorization according to OAuth2
I am trying to understand OAuth2 and OIDC. The OIDC glossary is a good starting point, and while it defines "Authentication", but does not actually define "Authorization". I suspect it leaves to the OAuth2 specification to define the term. I…
Andreas F
- 99
- 2