Questions tagged [openid]
The openid tag has no summary.
33 questions
0 votes | 0 answers | 136 views
Multi-tenant (realm based) REST Web API authentication
We're building a multi-tenant setup with a C# Web API and KeyCloak for auth and APISIX as application gateway. APISIX handles the authentication and passes an X-Access-Token to our API when ...
1 vote | 0 answers | 642 views
What goes in the access_token and what goes in the id_token?
I'm currently trying to build a very simple application for handling OpenID Connect using the library Openiddict. This library lets me construct the access_token and the id_token and lets me set which ...
0 votes | 1 answer | 382 views
Using Azure AD as an identity provider in Keycloak-based applications: how can I add missing user data to my client applications?
I'm currently using Azure AD as my identity provider and Keycloak as my intermediary/broker for my client applications. However, I need some user attributes (such as phone, email, picture, and ...
0 votes | 1 answer | 1k views
Session Handover via OpenID Connect between a Mobile Application and a Website?
I am trying to assess secure ways to implement a session handover between an app and a website in the same company ecosystem.
The Setup
Mobile Application A and Website B use the same company OpenID ...
1 vote | 0 answers | 48 views
Two step provisioning using OIDC and AD?
A client requested that we implement the following authentication/authorisation flow:
User authenticates using OIDC via an IAM (Salesforce in this case).
If user is an external user, then a flag is ...
2 votes | 1 answer | 651 views
Is it good practice to use the sub claim as the user_id in my app
The resources on the web I have seen so far suggest that the 'sub' claim in a JWT identifies the principal.
According to this question, at least for some identity provider implementations, one cannot ...
1 vote | 1 answer | 515 views
Passing an OAuth Token between services with Zero Trust and audience checks
Let's say, we're using an OAuth / OpenID Connect (OIDC) flow (in a Zero-Trust situation) to secure two APIs: ServiceA and ServiceB. To implement some of the functionality of ServiceA, it depends on ...
1 vote | 0 answers | 99 views
In OAuth / OpenID Connect, does the redirect url matter for server to server API calls?
I'm currently setting up Azure AD to secure our APIs. The first implementation will likely only be server to ...
2 votes | 1 answer | 276 views
Chaining openID token
I'm working in microservices environment, where each service authenticates using OpenID Connect to an authentication service (local IdP), based on Users I keep locally on my Database.
Now, I want ...
1 vote | 0 answers | 110 views
Grant type/flow to use for multitenant application
Let's imagine we have a multitenant (organization) application having a separate database per tenant (organization).
The core of the application is a REST api service protected by an authorization ...
1 vote | 2 answers | 9k views
How to keep user logged in when using OpenID Connect & Cookies in dotnet core?
I'm working on an OpenID Connect Hybrid flow, basically the response type in my case is: code id_token
Problem: I can't seem to persist the session of the user when logged in using the id_token.
I ...
8 votes | 3 answers | 11k views
Is caching Access Tokens on the back end of a Web Application a good idea? (access_token storage best practices)
Let's suppose we have a Web Application that uses an Open Id Connect service provider, the Web Application uses the Authorization Code flow to get access to a different API, and therefore gets an ...
0 votes | 4 answers | 1k views
Open ID Connect Session Management Access/Refresh Token vs Session iFrame
We have a web app in which we allow users to log into the app using any Open ID provider(e.g. Okta, Google, Facebook etc.). We want to implement the correct Open ID Connect prescribed methodology/...
4 votes | 2 answers | 1k views
Integration with multiple SSOs
Currently, we had a web app that integrated with SSO through the Open-Id protocol.
Then we got another client that had its own SSO and needs us to integrate with their SSO through the SAML protocol so their ...
6 votes | 1 answer | 2k views
Client generated JWT
I'm working with a 3rd party company who are providing an API along with an unusual security approach.
The security approach is essentially using a JWT by itself (no oauth). What's odd is that they'...
11 votes | 2 answers | 1k views
Should an SPA use OIDC's Implicit flow or Auth Code flow?
We are developing a new Angular SPA which leverages Keycloak for its SSO abilities using OpenID Connect (OIDC). The app is currently designed to use the Implicit flow to retrieve short-lived access ...
1 vote | 0 answers | 178 views
OpenID Connect - UserInfo endpoint Redundant?
Why would we use the userinfo endpoint in OpenID Connect to get information about the user when we can simply include that information in the access token?
The UserInfo Endpoint is an OAuth 2.0 ...
4 votes | 1 answer | 958 views
Multiple OAuth2 access_tokens on the same page
We have been tasked with implementing a dashboard containing multiple widgets. The dashboard itself and all widgets need to access various secured APIs. Our authorisation protocol is OpenID.
...
-1 votes | 1 answer | 553 views
How to manage user information with an external user database?
I'm developing an app suite that uses an OpenID Connect provider. But I guess my question works in all situations where there is a separate user info provider.
I persist which users create a given ...
0 votes | 1 answer | 437 views
Which OpenID flow should I choose?
I have a simple REST API, based on Asp.Net Core technology.
Now, I want to add OpenID for this API.
API would be used from mobile applications, single page applications and possibly other API services ...
1 vote | 1 answer | 715 views
Does OpenID allow email address to be changed?
I am tasked to design an OpenID provider for the public facing applications of my company.
The idea is to authorize the user via an email/PW combination. The subject will be a GUID.
Should a user ...
2 votes | 1 answer | 3k views
What OpenID Connect flow is right for me?
Here's the deal. I have a .NET MVC5 web application that I'm moving up to the OpenID Connect standard.
I also would like to be able to access controller methods from a mobile app (much like an API) ...
2 votes | 0 answers | 119 views
Switching between Azure Mobile Services vs my own implementation. Will UIDs change?
I'm looking at Azure Mobile Services, particularly the Authentication part (which I believe relies exclusively on OAUTH 1 or 2).
I want to make sure that my application isn't tightly coupled to the ...
24 votes | 4 answers | 7k views
How should I architect a RESTful webservice to use 3rd party (i.e. Google, Facebook, Twitter) for authentication?
For my job we have a nice RESTful webservice we've built out that we use to drive a couple websites we have. Basically the webservice lets you create and work with support tickets, and the website is ...
6 votes | 1 answer | 1k views
Authentication for users on a Single Page App?
I have developed a single page app prototype that is using Backbone on the front end and going to consume from a thin RESTful API on the server for its data.
Coming from heavy server side ...
2 votes | 1 answer | 471 views
What's the benefit of Azure ACS if ASP.NET 4.5 includes OAuth and OpenID providers? [closed]
Azure ACS offers OAuth and OpenID providers, and now that ASP.NET 4.5 offers the same thing, without the added cost, is there any reason for a .NET developer to consider ACS?
(Disclaimer, I don't ...
3 votes | 2 answers | 303 views
Using Paypal (or similar) to log into my site?
I have a web site and I want to offer a few levels of service - one free, one for a one-off payment, and one for a subscription. My first inclination is to use Paypal for the payment options. I ...
8 votes | 1 answer | 490 views
Using OpenID to log into multiple domains: Is this plan feasible? [closed]
For example:
We're running two community sites on two domains (call them example.com and example.net).
We want to be able to expand that to more domains later.
We want to allow multiple types of ...
2 votes | 3 answers | 193 views
OpenID and data espionage
This answer[link] to another question here talks about OpenID and data espionage. I quote:
[Data espionage] Why let them gather the detailed statistics from many consumer site and help them ...
1 vote | 2 answers | 320 views
Is it a good idea to implement OpenID services in internal and/or customer applications?
I've been discussing with my colleagues about logging in by using your OpenID account, Google account etc. in our customers' CMS and/or the internal systems we use, as we've had a few requests regarding ...
5 votes | 1 answer | 806 views
OpenID implementation - PHP, Javascript, MySQL
I've started doing some research on the technologies that I will need for my website.
I'm trying to implement a really simple website with OpenID user registration. The website will store a block of ...
31 votes | 5 answers | 3k views
Is OpenID really that bad?
I have seen this question on Quora where lots of people seem to agree that OpenID is bad, even going as far as stating that:
OpenID is the worst possible "solution" I have ever seen in my entire ...
5 votes | 5 answers | 374 views
Does anybody ever use the OpenId URL log in?
As programmers I think we are the most inclined to use new technologies and things that are not so mainstream.
I absolutely love OpenId's ability to log in with credentials you already have, but I ...