Questions tagged [authentication]
Authentication is the act of one entity proving its identity to another entity. Common examples involve public key cryptography. For example, proving that a banking web site actually belongs to the bank you think it does.
438 questions
1 vote · 1 answer · 212 views
Prevent unregistered users from accessing the system using JWT?
I am working on an identity and users service in a microservices system for which a passwordless, SMS-based authentication is a hard requirement, i.e.
User enters their phone number
System sends the ...
6 votes · 2 answers · 1k views
How dangerous is storing sensitive information in LocalStorage?
Since I started studying security in web applications, it seems that everyone always says to never store sensitive information (e.g., refresh tokens, access tokens, and so on) due to the risk of ...
3 votes · 4 answers · 417 views
Does possession of a valid JWT automatically imply the user is authenticated?
I am tasked with implementing authentication and authorization in a distributed environment, so I plan to use JWT.
I get how authorization works with JWT - if the token is not expired, and the ...
4 votes · 3 answers · 227 views
Achieving Multitenancy with an External Identity Provider
We are designing a backend system for a large platform where users can interact with multiple products on behalf of different companies.
We plan to use Keycloak as an external identity provider. The ...
2 votes · 3 answers · 421 views
Handling authorization and authentication with an API gateway
Recently, I’ve found myself designing a microservices system, and I’m currently facing some challenges with authentication and authorization.
Context
All my microservices will be placed behind an API ...
2 votes · 0 answers · 161 views
Invalidate session for user in authentication
When a user logs in to my web application (Article Website), I'm using Redis to cache the refresh token. So when a user logs in, I will generate a refresh token and send it to him. While caching in my Redis the ...
1 vote · 1 answer · 102 views
What type of authentication/identification is needed?
The specs:
Mobile apps
LLM wrapper (of e.g. OpenAI API)
The chat history will be stored on the client
Backend is needed to manage the api key and to track token consumption / payment (how many tokens ...
0 votes · 2 answers · 108 views
Using unique attributes for user login
Suppose a user can have multiple emails. A given email may be held by at most one user.
Is email a good pick for login purposes (so that it's used instead of the username)? Should an authentication ...
1 vote · 2 answers · 267 views
API supporting multiple authentication providers?
I am currently looking at building an API server that will support multiple authentication providers (Google, GitHub, Keycloak, etc) and I am trying to work out what’s a good way to go about it. Two ...
3 votes · 1 answer · 116 views
Is there a context in OAuth, reusable in the callback?
I am developing a home-grade web application (server-client, based on Nuxt and nuxt-auth-utils). I am using the opportunity to learn something about OAuth (and OpenID).
One of the issues I face is ...
3 votes · 2 answers · 510 views
Why do I need an authorisation server if my microservices can validate JWTs directly?
I'm working on a Spring-based microservice project and considering different approaches for handling authentication and authorization. Instead of setting up a dedicated authorization server, I'm ...
-1 votes · 1 answer · 189 views
Which authentication method to use?
I have a REST API with protected endpoints, which require an AccessToken for access. For the user to receive the AccessToken, they need to access the login endpoint and with the correct credentials (...
4 votes · 1 answer · 179 views
Next Auth Flow For Use with Ruby on Rails API
I plan to have a frontend web app written with Next.js using the AuthJS library to provide user authentication using OAuth. This frontend application depends on a backend API. I want to make sure my ...
0 votes · 1 answer · 120 views
Database structure for two-step registration flow
I'm trying to design a database for supporting a multi-step registration flow. The registration flow goes like this: the user logs in via OAuth (which creates a session and user), then they're asked ...
0 votes · 0 answers · 103 views
Edge Case For Cookie Based Token Management
I have a React frontend and a Node.js backend that uses authentication via an OIDC service provider. After a user goes through the SSO authentication flow I store the token (containing a refresh token ...
2 votes · 3 answers · 1k views
Race condition when issuing a refresh token: worth addressing or not?
I'm quite new to the world of access and refresh tokens, so bear with me.
Client uses its refresh token to get a new access token.
The server invalidates the just used refresh token and contextually ...
0 votes · 1 answer · 68 views
Best way to approach connection between game server and client with Django web server as middleman
I have a web game design question. I am trying to build a multiplayer web game with non-intensive graphics (e.g. tic-tac-toe, chess). I am trying to figure out how to take already authenticated users in ...
1 vote · 1 answer · 218 views
Necessity of one-time codes in 2FA
Why is it that some services, when they conduct 2FA, ask you to rewrite a code from an app, even if that app is part of that service's infrastructure? For example, when I log in via the web to ...
3 votes · 2 answers · 881 views
How does "remember this computer" work?
Website multifactor authentication prompts will often include a "remember this computer" checkbox. How does this work?
In order to be secure, it needs to be more than just a cookie, as a ...
0 votes · 1 answer · 141 views
Designing a RESTful API for a desktop application to facilitate communication with other APIs
Just for some context, I am a CS student in my second year who is working on a C++ desktop application (using the Qt framework) made by an engineering professor.
The application is an educational tool ...
0 votes · 1 answer · 170 views
Authorization business logic on claims or on app database?
Context: I have an API (using DDD) with an entity, let's call it "Content", that can only be updated by certain users.
For example Content with Id = 1, can only be modified by User Id = 1, ...
0 votes · 1 answer · 59 views
Is using an Azure Function to forward a message to my App Service the best idea for handling a Twilio Webhook?
I have an Azure App Service running a .NET (Core) API for an in-house application, which I'm integrating with Twilio to handle WhatsApp communication.
To handle the webhook responsible for receiving a ...
2 votes · 1 answer · 91 views
Azure Managed Identity and Zero Trust
Azure Managed Identity provides a means to only allow explicitly defined users/apps to access a given resource. For instance I can set up that no-one can access my database except the Managed Identities ...
1 vote · 2 answers · 419 views
How to best obfuscate a built-in key in an application?
We're building an application that needs to log into a website using built-in credentials. It's not optimal to say the least, but we're stuck with "knowing" the username and password ...
0 votes · 0 answers · 141 views
Securely Handling Session Keys in Excel for API Authentication
I'm working on an Excel tool that needs to synchronize with a CRM via its API. The CRM's API authentication process involves logging in with a username and password, after which a session key is ...
1 vote · 0 answers · 74 views
How to merge SQL Server database authentication with Firebase authentication?
I have Firebase connected to my web app and users can authenticate using the 'microsoft' provider. The provider only allows authenticating with the Active Directory tenant that I specified in my ...
1 vote · 1 answer · 87 views
Persistent Browser Display Settings for Users
I have a question about what's the best approach to handle persistent data for web apps.
I have a web app that is authenticating through an auth service. Once authenticated, it makes requests to the ...
2 votes · 1 answer · 224 views
web-dev: how to restrict access to costly backend API to authenticated clients only
I've created a small prototype browser plugin and am now thinking about making it accessible to the public. This brings up an important question about gatekeeping API access and the right way to ...
0 votes · 0 answers · 223 views
JWT Cookie and API Gateway
Background
I have an authentication microservice that handles the user authentication and returns 2 JWT cookies (access_token and refresh_token).
I want to incorporate an API gateway that does the JWS ...
-1 votes · 1 answer · 115 views
How are first-time users' signup requests authenticated?
I have a web service. When a user makes a request, Traefik first redirects it to my users microservice, to pass through an authentication function.
The token (or username+password, on first request) ...
1 vote · 0 answers · 212 views
OpenID Connect and User Management Best Practices
Currently my company has 2 applications that use Identity Server for SSO. Not every client we have uses both applications but some do. The part I'm uneasy about is that both apps have a user ...
18 votes · 9 answers · 5k views
Authentication and authorisation for people with intellectual disabilities
Currently, I'm involved in a research project in which we are evaluating an existing web environment providing a safe online playground for children/adolescents with intellectual disabilities. Certain ...
5 votes · 3 answers · 1k views
Group set of commands as atomic transactions (C++)
We're designing the architecture of an embedded device (ESP32). One of the tasks is that the device should connect to the internet and use a preprovisioned redeem code to register itself with our web ...
2 votes · 1 answer · 132 views
Is my security pattern correct for authenticating principal users to my microservices?
We are trying to implement an authorization and authentication service for our product.
Now, we would have to cater to different kinds of IAM systems like SSO, LDAP and Basic Username+Password in ...
-1 votes · 1 answer · 148 views
What is the best way to authenticate a user over IVR?
I am trying to build an IVR system that requires some form of username & password/pin entry to access sensitive data. My naïve solution seemed obvious enough, until I realized that username/pass ...
0 votes · 1 answer · 382 views
Using Azure AD as an identity provider in Keycloak-based applications: how can I add missing user data to my client applications?
I'm currently using Azure AD as my identity provider and Keycloak as my intermediary/broker for my client applications. However, I need some user attributes (such as phone, email, picture, and ...
0 votes · 1 answer · 75 views
Including current user/roles data within object state in .NET applications to control object behavior
I am building a .NET Core Blazor Server application. The application creates records of a Project class which move through a workflow with various phases of review and acceptance/rejection before ...
0 votes · 1 answer · 187 views
How can a web application distinguish between sessions from trusted and non-trusted devices?
For compliance reasons, we want admins of a web app to work on it from devices (phones or computers) approved by IT. Or rather, they can work from other devices, but should get logged out quickly, so ...
0 votes · 0 answers · 283 views
How can I secure the backend in a meaningful way when users log in via OAuth2 in the frontend?
I'm thinking about a rewrite of an existing application. This legacy application does not separate frontend and backend. It's a single application with server-side rendering.
I want to rewrite it to a ...
0 votes · 0 answers · 68 views
API authentication for iOS applications
I am currently working on my own iOS application and am going to be using a locally developed API for fetching data. I wanted to outline my current account sign-in architecture and verify this is ...
0 votes · 1 answer · 2k views
Can I use a session cookie for API authentication?
I want to build a web application with a Single Page Application as the front end and an API as the back end. The front-end SPA will read and write data to the API.
The SPA and the API will be hosted ...
0 votes · 0 answers · 184 views
WebApp: How and where to handle an expired authorization with 'back to login'
Situation
I have a single-page web app with REST API. When the user logs in, they receive an authorization token. The token will expire after some time.
When the user tries to make a server ...
0 votes · 2 answers · 174 views
OAuth Client Credentials Security Concern
I have a scenario I am considering, and I can't quite work out what the best solution is with OAuth. Hopefully I can learn good things here.
We are company A and we specialize in managing secure text ...
1 vote · 0 answers · 1k views
Authorization using Azure AD B2C access tokens in Python / Flask
TLDR:
I am trying to
validate an Azure AD B2C access token in my Flask web API
use scopes from that access token to authorize calling protected resources
use timely and secure solutions such as PKCE ...
0 votes · 5 answers · 912 views
Authentication for an app that only has one user
I'm going to write a blog app for myself, and though I've written authentication for multiple users, it seems heavy-handed to use the same kind of architecture for one user.
The only alternatives to ...
1 vote · 1 answer · 763 views
Any way to forward an auth session from OAuth system to another system (with API key)?
Description
This is a long shot, but I'm in dire need of advice. If you know of a more appropriate forum for this type of question please share!
I'm working with a legacy OAuth system using email + ...
3 votes · 2 answers · 3k views
OAuth 2.0 - MFA for REST APIs
We are looking at implementing Multi-factor authentication for our application, using Time-based one-time password (TOTP) algorithm.
What we want to achieve:
Users should have the option to enable ...
-1 votes · 1 answer · 283 views
iOS application token auth best practices
I am looking into building an iOS application and using an internally built API to access data. My API has some authentication endpoints that take in a username and password and, if the login is ...
0 votes · 0 answers · 221 views
What is the right way to update claims in IdentityServer4 from Angular
I have a multitenant application where a user can belong to multiple tenants. I'm using IdentityServer4 for the authentication.
I have two applications Angular and API. When a user is not ...
0 votes · 1 answer · 229 views
Should an access token really be cryptographically signed?
In a web app I'm writing, a signed-in user is recognized by their cookie containing a session identifier. That session id has sixty-four bits of entropy, so I believe brute-force attacks are ...