Questions tagged [oauth2]

6 votes · 2 answers · 1k views

Since I started studying security in web applications, it seems that everyone always says to never store sensitive information (e.g., refresh tokens, access tokens, and so on) due to the risk of ...
ikiwq (165)
3 votes · 1 answer · 116 views

I am developing a home-grade web application (server-client, based on Nuxt and nuxt-auth-utils). I am using the opportunity to learn something about oAuth (and OpenID). One of the issues I face is ...
WoJ (1,661)
4 votes · 1 answer · 179 views

I plan to have a frontend web app written with Next.js using the AuthJS library to provide user authentication using Oauth. This frontend application depends on a backend API. I want to make sure my ...
Romuloux (149)
0 votes · 0 answers · 102 views

I was looking for some advice as I am tipping my toes into the world of web development, the question might be broader than the title suggests, so any tip that may be in a different direction is also ...
Gonçalo
0 votes · 0 answers · 94 views

This question has been asked over and over again, but I have not yet found a satisfying answer: How to use Social Logins (via OAuth2) to obtain access tokens for your backend if your only clients are ...
rsmidt (9)
1 vote · 1 answer · 160 views

I have a web app which authenticates the user using an external identity provider (Microsoft Entra with MSAL library). This gives us an access token to access our API. After authentication (so, we ...
zameb (121)
10 votes · 8 answers · 7k views

In software design and security, why would it not be a good idea for users to send you their passwords and it would be a better idea to delegate: use public-key auth or logging in with one of these: ...
Daniel (527)
-2 votes · 1 answer · 656 views

I have an angular SPA that runs in an office add-in (word) that I need to authenticate against Azure AD using Oauth2, consume resources from multiple apis and make graph calls. I have been successful ...
Josh Engel
1 vote · 0 answers · 212 views

Currently my company has 2 applications that use Identity Server for SSO. Not every client we have uses both applications but some do. The part I'm uneasy about is that both apps have a user ...
Brad Firesheets
0 votes · 1 answer · 382 views

I'm currently using Azure AD as my identity provider and Keycloak as my intermediary/broker for my client applications. However, I need some user attributes (such as phone, email, picture, and ...
linus (121)
0 votes · 0 answers · 283 views

I'm thinking about a rewrite of an existing application. This legacy application does not separate frontend and backend. It's a single application with server side rendering. I want to rewrite it to a ...
samjaf (121)
0 votes · 1 answer · 166 views

I have an angular based SPA, and backend resource server is written in springboot. I have integrated keycloak to provide OIDC support. Currently the app talks to auth server for login, (supplies ...
TruckDriver
0 votes · 2 answers · 174 views

I have a scenario I am considering, and I don't quite find out what's the best solution with OAuth. Hopefully I can learn good things here. We are company A and we specialize in managing secure text ...
diegosasw (407)
3 votes · 2 answers · 3k views

We are looking at implementing Multi-factor authentication for our application, using Time-based one-time password (TOTP) algorithm. What we want to achieve: Users should have the option to enable ...
user1583803
0 votes · 0 answers · 85 views

I could use some feedback on designing a solution for handling two OAuth flows in a single request. I have an API that currently supports OAuth2.0 (for users). It was requested that we should be able ...
Martin Nielsen
1 vote · 1 answer · 536 views

I have a REST API and a SPA application, with Auth0 server issuing access tokens and enabling end users to login with their social identity provider. The API expects to receive a JWT access token with ...
0lt (113)
1 vote · 1 answer · 136 views

I am creating a web application which has three distinct components as far as I understand. A Nuxt frontend, and Spring Boot backend and Google OAuth2 for authentication using OpenID Connect. Nuxt can ...
DGrinbergs
3 votes · 0 answers · 94 views

I would like to ask a question about OAuth2 with an external identity provider. Assume a scenario with the following roles: Client A, Resource Server B, Identity Provider C. Furthermore assume that ...
Sjoerd222888
1 vote · 2 answers · 547 views

This is a followup question to the following StackExchange question - If you had a medium size company, several developers - but zero tests written in your REST API's - where would you start? At the ...
alilland (309)
2 votes · 1 answer · 1k views

What would be a secure way of storing client secrets used for authentication (webservices) in Xamarin/Android apps? Secure Storage, which interacts with Android Keystore, seems very useful for ...
asyncful
0 votes · 1 answer · 1k views

Background: I am building a web app that allows the user to integrate with multiple services like Google, Twitter, Github etc. using OAuth2.0. Currently, I retrieve the refresh token on sign-in to ...
shoaib30 (101)
0 votes · 1 answer · 348 views

I'm trying to understand OAuth and Securing APIs better when using External Identity Providers, and all my research on it doesn't really seem to apply to my issue, so I'm starting to wonder if I'm ...
Ihm (3)
0 votes · 0 answers · 74 views

I asked this question on SO which is related to this. In this question, I propose exchanging a token from my OIDC provider for a token in my own custom OIDC provider, which becomes the ultimate token ...
Tobi Akinyemi
0 votes · 0 answers · 51 views

I've been suggested an authorization flow between three parties that seems not secure to me, and I would like to know if I'm assuming correctly. Let's say Party A has many customers (one of them let's ...
Hommer Smith
75 votes · 4 answers · 11k views

Companies like Google and Microsoft use identifier-first screens: where you provide your identifier (like an email) before providing the password. Why is this done, is this somehow more secure? I'm ...
Tobi Akinyemi
-2 votes · 1 answer · 158 views

Here is a description of the app I'm working on. On the client-side (index.html) a user can interact with data. When he needs to call a server operation, for example reading or writing a file on the ...
stckvrw (99)
6 votes · 1 answer · 414 views

We have a few backend services that our frontend SPAs fetch data from. Right now, the SPAs use JS libraries to authenticate with the Auth server (Azure AD) which returns a JWT which is validated by my ...
Sayak Mukhopadhyay
2 votes · 1 answer · 651 views

The resources on the web I have seen so far suggest that the 'sub' claim in a JWT identifies the principal. According to this question, at least for some identity provider implementations, one cannot ...
coderobot
1 vote · 0 answers · 99 views

In OAuth / OpenID Connect, does the redirect url matter for server to server API calls? I'm currently setting up Azure AD to secure our API's. The first implementation will likely only be server to ...
Kyle J V (226)
1 vote · 1 answer · 477 views

I'm comfortable with a lot of OpenID Connect and OAuth2 concepts in the context of HTTP-based communication between microservices. I'm currently leveraging Azure AD. In the HTTP-based scenario I would ...
Burt (13)
0 votes · 1 answer · 84 views

I am a mobile dev, and now for a project I need to authenticate with a backend service using identityserver4 and OAuth2. The project has things set up so it is using OIDC for authentication. BUT It is on a &...
manuelBetancurt
1 vote · 2 answers · 814 views

We have an SSO application that provides authentication for a native mobile application, as well as for a web application. There are some features that the web application has that the mobile ...
John Leehey
1 vote · 0 answers · 43 views

So my project is that I'd like to pull data from a bunch of different services/API's and show them in a single dashboard. SSO is a requirement so I want to make sure the user doesn't have to put in ...
fjlksahfob
-1 votes · 1 answer · 2k views

Background: Building a mobile App for product X which is currently hosted as a SaaS solution. The product X does not support OAuth currently, implements basic authentication and generates Session token ...
Anurag (99)
0 votes · 1 answer · 177 views

I've written an app using golang which uses OAuth2 (Authorization code flow with PKCE) to interact with the Gmail API. If I build the app using my own client ID then my client ID can easily be found ...
Utkarsh Verma
2 votes · 0 answers · 119 views

I have a few microservices that I would like to combine in the form of an api. The main purpose of the api is to be used by our (first party) mobile app. A side note, we don't have a mobile app or web app ...
Untimely Answers
2 votes · 1 answer · 177 views

I am creating a rest template to consume a REST API secured by OAuth 2.0. The provider has implemented an expiry for the access token of 5 mins. So, using the rest template, I will be calling the ...
Brooklynn99
2 votes · 1 answer · 844 views

I'm building a multi-tenant system that consists of one (SPA) client, calling multiple API's, all under my control. User authentication is done with OpenID Connect, I'm sending an ID and access token ...
Arne Deruwe
1 vote · 0 answers · 95 views

After some extensive research I still don't know how to properly implement the following case. I think this question answers something similar, but I'm not 100% sure (Should client have access to 3rd ...
johannesp (111)
3 votes · 3 answers · 414 views

Premise: - Two services A and B - Resource X has owner U, and is managed by service B. Now, I need to handle these auth scenarios: 1- End-user needs to directly use service B's API to access X 2- ...
sam46 (139)
2 votes · 3 answers · 2k views

We have a set of microservices and would like to expose endpoints from a subset of these for third parties to use. To this end, we will build an API Gateway that acts as the access control mechanism ...
Umair (185)
2 votes · 1 answer · 1k views

The entire explanation of the client ID from RFC 6749: The authorization server issues the registered client a client identifier -- a unique string representing the registration information provided ...
l0b0 (11.6k)
0 votes · 0 answers · 199 views

I have an angular application, which is querying an API as a client (written on Spring Boot 2.2.1 + Spring 5.2.1) that supports 3rd party authentication over OAuth2. The API has altogether 3 different ...
Romeo Sierra
4 votes · 2 answers · 3k views

What is the proper way of combining session-based authentication with stateless, token-based authentication for a REST API? Use case: User logs-in in the standard, traditional, session-based way. ...
Ian Pollak
2 votes · 2 answers · 93 views

I'm designing an enterprise infrastructure monitoring application which has customized needs of access control, beyond roles and authorities. The architecture includes multiple nodes of REST API being ...
Shubham (55)
-1 votes · 1 answer · 59 views

I'm trying to implement an oauth2 server to protect the endpoints developed in php. I have some confusion about how the flow to protect my endpoints would be. I understand that my resource server should ...
mleaf (111)
2 votes · 0 answers · 66 views

I'm building a very security conscious application. (All applications should be security conscious, but this one may contain a lot of red data). Assuming that I will use a Vue/React JavaScript Single ...
user974407
0 votes · 1 answer · 245 views

tldr: In building a platform where users can create private groups, and invite other people to those private groups, how is it best to secure those groups? I'm building a platform around private groups ...
Chris (131)
1 vote · 2 answers · 9k views

I'm working on an OpenID Connect Hybrid flow, basically the response type in my case is: code id_token. Problem: I can't seem to persist the session of the user when logged in using the id_token. I ...
Hamza (99)
0 votes · 1 answer · 1k views

I understand what oauth2 is and I've programmed it in one of our projects. The point was to pull user's data from an oauth2 provider (facebook, google, etc.) to our application (for example, the user'...
gib65 (113)