
Hot answers tagged

96 votes

What is the purpose of identifier-first login screens?

This is common with federated identity systems where a service authenticates users from many identity providers. Your email address is used to look up which identity provider can authenticate you. ...
Answered by Greg Burghardt
54 votes

What is the purpose of identifier-first login screens?

The purpose of this is to redirect to the account's identity provider. However the use case is not selecting between personal login providers such as Facebook or Google. It's to support organisational ...
Answered by Wes Toleman
46 votes

Is Password Hashing Bad?

This is a reasonable point being justified using incorrect claims. The issue here isn't about having users enter passwords. How do you think they're going to log in to Google/Facebook/any other third ...
Answered by Flater (58.1k)
19 votes

Is Password Hashing Bad?

The specific claim: "Password hashing is bad" is somewhat odd. If you are supporting passwords, hashing is pretty important. The more interesting and more contentious (based on the other ...
Answered by JimmyJames supports Canada
9 votes

Is Password Hashing Bad?

I would agree in a kind of "if life were perfect" sense. If you rely on Google, FB or whatever and you can force that option on every one of your users, you never ever can be held ...
Answered by LoztInSpace
7 votes

What is the purpose of identifier-first login screens?

I think this is used for when some logins may be forwarded to a separate auth service. In this case you don't want to see the password at all. E.g., say you allow the user to login to your site with ...
Answered by Ewan (81.9k)
7 votes

What is the purpose of identifier-first login screens?

There might be more than one way to authenticate yourself to a service, especially at their scale. For example, Google lets you use your phone instead of a password, so that means that they'll want to ...
Answered by toastrackengima
6 votes

How to handle per-resource (fine grained) permissions in OAuth?

Eh, answering my own question... I followed up a bit more on UMA, and it seems to be indeed some kind of a possible solution: UMA seems to be a semi-official (or at least the only official-looking ...
Answered by akavel
6 votes
Accepted

Is there a context in OAuth, reusable in the callback?

The state parameter: https://auth0.com/docs/secure/attack-protection/state-parameters You can use the state parameter to encode an application state that will put the user where they were before the ...
Answered by pjc50 (15.1k)
4 votes
Accepted

User identity and microservices

The usual approach is for the authentication service to issue the user a signed token. Other services can verify the signature to check that the token is genuine. The token then contains the user ID. ...
Answered by amon (136k)
4 votes
Accepted

What is the point of the OAuth2 client identifier?

Suppose you are creating an application that accepts logins with either a Facebook account or a Google account. Both of those logins can be done with OAuth2. As part of the OAuth process, both ...
Answered by Bart van Ingen Schenau
4 votes

Is Password Hashing Bad?

In looking at this slide we should probably evaluate it against two scenarios: An average user with weak security (password re-use, dictionary passwords, no 2FA). A more security competent user (...
Answered by DavidT (4,496)
4 votes

Next Auth Flow For Use with Ruby on Rails API

Welcome to SE.SE! The flow for integrating OAuth-based authentication using JWT in a Next.js frontend with a Ruby on Rails backend API looks OK to me, but what follows is a few suggestions from ...
Answered by Robert Long
3 votes

Should an SPA use OIDC's Implicit flow or Auth Code flow?

Nowadays the recommended approach is to use Authorization Code with PKCE (Proof Key for Code Exchange). The threat to be concerned about is leaking the access token from the URL - the URL is not a ...
Answered by Justin (1,748)
3 votes

How to use OAuth 2.0 roles and scopes to secure services

I think it is important to keep the bigger picture of federated identity and access control in mind. There is always a resource owner, a resource server and some client that wants to access resources ...
Answered by Andreas Hütter
3 votes

How are resource owner credentials stored in OAuth2

Should the OAuth2 authorization server be tied to my api (resource server) in some way that allows the authorization server to authenticate users based on their username and password?... It ...
Answered by Laiv (14.9k)
3 votes

What does Identity Server offer that ASP.NET Core Identity does not

Identity Server allows you to issue access tokens for APIs. In my experience, I've only seen it used when the application requires custom OAuth 2.0 authentication that cannot be provided by the ...
Answered by neverseenjack
3 votes

How to Immediately Blacklist and Block Access of an Access Token using JWT?

That's actually one of the caveats of completely stateless JWTs. You cannot invalidate a specific token. You may invalidate them all by changing your secret on the server, however this operation will ...
Answered by Andy (10.4k)
3 votes
Accepted

What's the point of logging in with oauth2 if it's a paid subscription site?

You are - to some extent - mixing up the concepts of Authentication and Authorization. Authentication [...] is the act of confirming the truth of an attribute of a single piece of data claimed true ...
Answered by Paul Kertscher
3 votes
Accepted

Customized access control using OAuth 2.0

Here's a list of a few things worth pondering: Resources are responsible for their own access control. The types of clients and use cases can inform how you want to break down or group together ...
Answered by vibronet
3 votes

Customized access control using OAuth 2.0

To add-on to this answer, the Authorization Server (AS) would need some way to model these Access Policies (i.e., "User 1 can access Dashboard on DC1 but not DC2", etc.) somehow. In my experience, ...
Answered by Alex Babeanu
3 votes
Accepted

How to combine session-based authentication and stateless REST API

So "standard, traditional, session-based" auth is a cookie on the client with a guid and an in-memory database on the server which holds the data for that user. "Stateless, token-based authentication" ...
Answered by Ewan (81.9k)
3 votes

Recommended strategy for maintaining a session when navigating from app to browser?

AFAIK there is no standard way of handling this kind of situation. However, if you do have access to the backend code (most of the off-the-shelf authentication solutions allow you to provide a ...
Answered by Kamil Janowski
3 votes
Accepted

Is it good practice to use the sub claim as the user_id in my app

The sub claim, per RFC7519, does indeed "identify the principal". However, its processing is "generally application specific". That means it's hard to reason about its behaviour ...
Answered by womble
3 votes

If my API depends on a third party OAuth2 provider (Microsoft) - how do I write tests to test my API endpoints?

Basically, any external service must be faked in your tests. The reasons are many, but most importantly: a fake guarantees speed. Fakes make it easier to write and maintain the tests. You don't need ...
Answered by ccov77
3 votes

Should SPA talk to auth server directly or resource server?

Either approach can be entirely reasonable. But I'm with you that it probably makes sense to integrate auth as an endpoint as part of your normal APIs, instead of presenting it as a separate server. ...
Answered by amon (136k)
2 votes
Accepted

Does it make sense to create a whole new API interface to just handle the web secret key?

Your tl;dr version is "of course not", but the underlying issue here is a fundamental and very common misunderstanding of what secret really means in these contexts. First things first, ...
Answered by joakim
2 votes

Multiple OAuth2 access_tokens on the same page

From a threat modeling perspective, it is not really clear what security benefit you will achieve by having each widget have its own token. So unless it can be demonstrated that there is a clear ...
Answered by Omer Iqbal
2 votes

Can I have a client-side-only web application keep OAuth tokens?

If my understanding is right, then it's not possible for me to make an application that uses OAuth and has no server-side component, because turning the auth code into an access token requires ...
Answered by Tomasz Maciejewski
2 votes

OAuth 2.0 implementation to be done client side or server side

It tends to depend on who is logging in. If the user is logging in, then you can do it client side. I.e., hit the auth server, enter the username and password, get the token, send the token to whatever ...
Answered by Ewan (81.9k)

Only top scored, non community-wiki answers of a minimum length are eligible
