
Questions tagged [oauth2]

OAuth2 is the industry-standard protocol for access delegation, commonly used to grant applications access to user information on other applications without giving them the passwords. Not backward compatible with OAuth 1.0

1 vote
0 answers
40 views

Are there any security risks in hosting an OAuth redirect URI script on an unauthenticated endpoint?

I'd like to know if, in the PKCE OAuth (authorization code) flow, hosting a redirect URI on a public CDN would introduce any security risks.
Simol • 121
3 votes
1 answer
124 views

Why is there a need to use two access tokens in OpenID Connect?

According to https://darutk.medium.com/diagrams-of-all-the-openid-connect-flows-6968e3990660 there are two access tokens, one from the Authorization endpoint and one from the Token endpoint, which is kind of ...
secondimage
2 votes
1 answer
398 views

Why is redirect_uri needed when client_id is supplied in OAuth2?

We know that we need to pass both client_id and redirect_uri in the authorization request. https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-1-get-the-users-permission But isn't that ...
secondimage
1 vote
1 answer
145 views

Security doubts around the refresh token and how it works

I am trying to understand how refresh tokens and access tokens work, and I read several threads and documentation pages. It seems that I am not the only one confused about this topic. Based on this ...
anonymous
0 votes
1 answer
72 views

Best Practices for how to implement in-app user account switching

I am a developer responsible for a mobile app and a couple of SPA web apps. Our customers are organizations ("tenants") with multiple users. Our authentication is built on OAuth2 (OpenID ...
mikejonesguy
0 votes
1 answer
73 views

How can OpenID over OAuth 2.0 be trusted?

I am trying to implement "Login with Google/Apple etc..." on a web platform and I can't wrap my head around how you can trust the response that supposedly comes from the resource server ...
qUneT • 3
1 vote
1 answer
60 views

Why do OAuth2 PKCE authorization codes have client_id?

If I'm understanding OAuth2 PKCE right, it is to be used in cases where a client cannot be trusted to hold onto a client secret. I also understand (reading RFC 6749) that a client id is not a secret. ...
Cort Ammon • 9,416
0 votes
0 answers
64 views

Can the state and nonce have the same value?

I understand the different purposes the two parameters serve, but is there anything speaking against the state and nonce parameters being the same string?
pfranjic
2 votes
0 answers
184 views

Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)

CVE-2020-27838 describes that Keycloak has an open endpoint where it's possible to obtain client_secret information, as shown in the example below: /auth/realms/{realm}/clients-registrations/default/{...
Marcus • 21
0 votes
0 answers
58 views

OAuth2 System Design for Single Sign-On | Auto-Detect Session?

I'm working on configuring my suite of services (in different domains) so that they can all be accessed via Single Sign-On. I'm using AWS Cognito as a wrapper around a SAML Idp (Azure AD). What I ...
Ryan Pierce Williams
1 vote
0 answers
119 views

OAuth2 OpenID Connect Third Party Initiated Login with implicit flow

I'm working within a spec that uses the OpenID Connect third party initiated login + implicit flow. I first have to register my application with the third party, providing them a login initiation URL, ...
ETLJ • 11
1 vote
0 answers
87 views

Risks with having a "localhost" service configured on a production SAML/OAuth/OIDC Identity Provider

To help developers integrate with our SAML/OAuth/OIDC Identity Provider in their local dev environments, I'm thinking about configuring a demo client/app in our production IdP that has ...
xsrf • 178
1 vote
0 answers
152 views

Session/cookie expiry time: match the access token or the refresh token from AD?

I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a React SPA and a .NET API, on the same domain. This web app is a case management solution that deals ...
ryansan • 113
0 votes
0 answers
87 views

Is the OAuth client secret sent for every API call along with the access token?

Does the OAuth client attach the client secret along with the access token for each API call to the resource server?
termcap • 41
0 votes
1 answer
288 views

Best practises regarding authentication in SPA/API solutions with SSO

There is really not that much good information on what the best practices are for auth in SPA/API solutions. Most sources just say to use JWTs and the auth code flow in the SPA. There is a ton of information ...
ryansan • 113
