Questions tagged [openid]
33 questions
0 votes, 0 answers, 52 views
Multi-tenant (realm based) REST Web API authentication
We're building a multi-tenant setup with a C# Web API and KeyCloak for auth and APISIX as application gateway. APISIX handles the authentication and passes an X-Access-Token to our API when ...
1 vote, 1 answer, 391 views
What goes in the access_token and what goes in the id_token?
I'm currently trying to build a very simple application for handling OpenID Connect using the library Openiddict. This library lets me construct the access_token and the id_token and lets me set which ...
0 votes, 1 answer, 302 views
Using Azure AD as an identity provider in Keycloak-based applications: how can I add missing user data to my client applications?
I'm currently using Azure AD as my identity provider and Keycloak as my intermediary/broker for my client applications. However, I need some user attributes (such as phone, email, picture, and ...
0 votes, 1 answer, 809 views
Session Handover via OpenID Connect between a Mobile Application and a Website?
I am trying to assess secure ways to implement a session handover between an app and a website in the same company ecosystem.
The Setup
Mobile Application A and Website B use the same company OpenID ...
1 vote, 0 answers, 36 views
Two step provisioning using OIDC and AD?
A client requested that we implement the following authentication/authorisation flow:
User authenticates using OIDC via an IAM (Salesforce in this case).
If user is an external user, then a flag is ...
2 votes, 1 answer, 304 views
Is it good practice to use the sub claim as the user_id in my app
The resources on the web I have seen so far suggest that the 'sub' claim in a JWT identifies the principal.
According to this question, at least for some identity provider implementations, one cannot ...
1 vote, 1 answer, 426 views
Passing an OAuth Token between services with Zero Trust and audience checks
Let's say, we're using an OAuth / OpenID Connect (OIDC) flow (in a Zero-Trust situation) to secure two APIs: ServiceA and ServiceB. To implement some of the functionality of ServiceA, it depends on ...
1 vote, 0 answers, 71 views
In OAuth / OpenID Connect, does the redirect url matter for server to server API calls?
I'm currently setting up Azure AD to secure our APIs. The first implementation will likely only be server to ...
2 votes, 1 answer, 265 views
Chaining openID token
I'm working in microservices environment, where each service authenticates using OpenID Connect to an authentication service (local IdP), based on Users I keep locally on my Database.
Now, I want ...
1 vote, 0 answers, 98 views
Grant type/flow to use for multitenant application
Let's imagine we have a multitenant (organization) application having a separate database per tenant (organization).
The core of the application is a REST api service protected by an authorization ...
1 vote, 2 answers, 8k views
How to keep user logged in when using OpenID Connect & Cookies in dotnet core?
I'm working on an OpenID Connect Hybrid flow, basically the response type in my case is: code id_token
Problem: I can't seem to persist the session of the user when logged in using the id_token.
I ...
8 votes, 3 answers, 10k views
Is caching Access Tokens on the back end of a Web Application a good idea? (access_token storage best practices)
Let's suppose we have a Web Application that uses an Open Id Connect service provider, the Web Application uses the Authorization Code flow to get access to a different API, and therefore gets an ...
0 votes, 4 answers, 890 views
Open ID Connect Session Management Access/Refresh Token vs Session iFrame
We have a web app in which we allow users to log into the app using any Open ID provider (e.g. Okta, Google, Facebook etc.). We want to implement the correct Open ID Connect prescribed methodology/...
4 votes, 2 answers, 836 views
Integration with multiple SSO's
Currently, we had a web app that integrated with SSO through Open-Id protocol
Then we got another client that had its own SSO and needs us to integrate with their SSO through SAML protocol so their ...
6 votes, 1 answer, 1k views
Client generated JWT
I'm working with a 3rd party company who are providing an API along with an unusual security approach.
The security approach is essentially using a JWT by itself (no oauth). What's odd is that they'...