Questions tagged [oauth2]
OAuth2 is the industry-standard protocol for access delegation, commonly used to grant applications access to user information on other applications without giving them the passwords. Not backward compatible with OAuth 1.0
441
questions
1 vote, 0 answers, 40 views
Are there any security risks in hosting an OAuth redirect URI script on an unauthenticated endpoint?
I'd like to know whether, in the PKCE OAuth (authorization code) flow, hosting a redirect URI on a public CDN would introduce any security risks.
3 votes, 1 answer, 124 views
Why is there a need to use two access tokens in OpenID Connect?
According to https://darutk.medium.com/diagrams-of-all-the-openid-connect-flows-6968e3990660
there are two access tokens, one from the Authorization endpoint and one from the Token endpoint, which is kind of ...
2 votes, 1 answer, 398 views
Why is redirect_uri needed when client_id is supplied in OAuth2?
We know that we need to pass both client_id and redirect_uri in the authorization request.
https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-1-get-the-users-permission
But isn't that ...
1 vote, 1 answer, 145 views
Security doubts around the refresh token and how it works
I am trying to understand how refresh tokens and access tokens work, and I have read several threads and documentation pages. It seems that I am not the only one confused about this topic.
Based on this ...
0 votes, 1 answer, 72 views
Best Practices for how to implement in-app user account switching
I am a developer responsible for a mobile app and a couple of SPA web apps. Our customers are organizations ("tenants") with multiple users. Our authentication is built on OAuth2 (OpenID ...
0 votes, 1 answer, 73 views
How can OpenID over OAuth 2.0 be trusted?
I am trying to implement "Login with Google/Apple etc..." on a web platform and I can't wrap my head around how you can trust the response that supposedly comes from the resource server ...
1 vote, 1 answer, 60 views
Why do OAuth2 PKCE authorization codes have client_id?
If I'm understanding OAuth2 PKCE right, it is to be used in cases where a client cannot be trusted to hold onto a client secret. I also understand (reading RFC 6749) that a client id is not a secret.
...
0 votes, 0 answers, 64 views
Can the state and nonce have the same value?
I understand the different purposes the two parameters serve, but is there anything speaking against the state and nonce parameters being the same string?
2 votes, 0 answers, 184 views
Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)
CVE-2020-27838 describes that Keycloak has an open endpoint where it's possible to obtain client_secret information, as shown in the example below:
/auth/realms/{realm}/clients-registrations/default/{...
0 votes, 0 answers, 58 views
OAuth2 System Design for Single Sign-On | Auto-Detect Session?
I'm working on configuring my suite of services (in different domains) so that they can all be accessed via Single Sign-On. I'm using AWS Cognito as a wrapper around a SAML IdP (Azure AD).
What I ...
1 vote, 0 answers, 119 views
OAuth2 OpenID Connect Third Party Initiated Login with implicit flow
I'm working within a spec that uses the OpenID Connect third party initiated login + implicit flow. I first have to register my application with the third party, providing them a login initiation url, ...
1 vote, 0 answers, 87 views
Risks with having a "localhost" service configured on a production SAML/OAuth/OIDC Identity Provider
To help developers with integrating with our SAML/OAuth/OIDC Identity Provider on their local dev environments, I'm thinking about configuring a demo client/app in our production IdP that has ...
1 vote, 0 answers, 152 views
Session/cookie expiry time: match the access token or the refresh token from AD?
I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a React SPA and a .NET API on the same domain. This web app is a case management solution that deals ...
0 votes, 0 answers, 87 views
Is the OAuth client secret sent for every API call along with the access token?
Does the OAuth client attach the client secret along with the access token for each API call to the resource server?
0 votes, 1 answer, 288 views
Best practices regarding authentication in SPA/API solutions with SSO
There is really not that much good information on what the best practices are for auth in SPA/API solutions. Most of them just say use JWTs and auth code flow in the SPA. There is a ton of information ...