Questions tagged [oauth2]
OAuth2 is the industry-standard protocol for access delegation, commonly used to grant applications access to user information on other applications without giving them the passwords. It is not backward compatible with OAuth 1.0.
459 questions
1 vote
1 answer
73 views
How to map refresh token, stored server side in the client app, to a specific user?
My app so far was using only access tokens. And whenever the token expired, the user had to log in again. That's the reason I want to start using refresh tokens. They can apparently be stored server ...
2 votes
1 answer
121 views
Is it okay to use an expired access token to look up its corresponding refresh token?
Setup: I have inherited this infrastructure setup. App A handles the frontend. The server is very small and it mainly just calls app B. App B is an API server. It's both a resource server and the ...
3 votes
1 answer
329 views
Authorization Code Redirection URI Manipulation Doubts
I am studying the security considerations chapter of the OAuth2 RFC 6749, but I am a bit confused about the Authorization Code Redirection URI Manipulation paragraph, 10.6: "When requesting ...
2 votes
2 answers
840 views
Why doesn't OAuth/OpenID Connect use window.open() and postMessage() instead of redirects
I needed a way to sync user data across multiple domains that I own, so I figured I might as well implement an OAuth server, since others have already spent lots of effort in making sure its design is ...
0 votes
0 answers
54 views
Using Google/Microsoft login - no email change?
I am adding to my web app the ability for a user to log in using their Google or Microsoft account. The default way the ASP.NET Identity Library implements this is on the first use, when they get ...
1 vote
0 answers
83 views
Last.fm client application: How should secrets be handled
I am creating a browser (Chrome) extension that will serve as a YouTube Music Last.fm scrobbler (detect songs and send them to Last.fm). I created a Last.fm application (docs) which granted me an API ...
3 votes
1 answer
642 views
JWT-bearer grant with JWT assertion vs. client credentials grant with JWT client assertion?
Can anyone please shed some light on the difference between the following two OAuth grant type scenarios? JWT grant with JWT assertion: grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer assertion=...
4 votes
1 answer
258 views
OAuth 2.0: Is it possible to replace PKCE with DPoP-like proof-of-possession?
So I'm currently learning about Demonstrating Proof-of-Possession (DPoP) in OAuth after previously learning about Proof Key for Code Exchange (PKCE). One interesting idea I've been thinking about is: is it ...
0 votes
0 answers
101 views
Is OAuth2 a Good Choice for Small First-party Native Application?
I want to provide authorization for our native application. Requirements are like: It is a to-customer product. All features are integrated in the software provided to customer, like product = {...
0 votes
1 answer
131 views
In the OAuth2 client credentials grant, why do we use tokens instead of authorizing directly at each API call?
Since we are dealing with server-to-server communication, couldn't we just send the credentials at each API call?
1 vote
2 answers
106 views
OAuth2 authorization code grant: in the case of a public client, what is the point of exchanging the authorization code for a token?
In the OAuth2 authorization code grant, in the case of a public client, what is the point of exchanging the authorization code for a token, rather than issuing a token directly?
2 votes
1 answer
308 views
OAuth2 authorization code grant: how does redirection work for mobile applications?
In the OAuth2 authorization code grant flow, if the client is not a web application, but rather a mobile application, how can the authorization server redirect to the client?
1 vote
1 answer
61 views
OAuth2 client credentials grant: does the authorization server always have to return an opaque access token?
In the OAuth2 client credentials grant, does the authorization server always return an opaque access token? Or could this also be a signed JWT which the client can then use with an API without requiring ...
4 votes
2 answers
179 views
Integrating Biometrics with Auth Code Flow (w/ PKCE) on mobile
There is a topic I have been going back and forth with for some time. Here is the premise: we need to create a mobile app for a highly regulated industry; the app should leverage OAuth2 for obtaining ...
1 vote
1 answer
124 views
Bearer token in header as Basic token? - Does that violate the RFC6749 spec?
In a header you can have—for example—"Authorization: Basic " xor "Authorization: Bearer ". If I use my Bearer token as Basic, then can this endpoint double as a give me fresh ...