All Questions
32 questions
0 votes, 0 answers, 92 views
Options for various auth strategies for express API
OK, I need some help with this: I am creating a Node express API, and I want to support the following auth strategies: Cookie or JWT based authentication that supports MFA (OTP, email, and SMS), for ...
0 votes, 0 answers, 350 views
OpenID Connect for authenticating a web-api
I want to accomplish the following: Having a web application or mobile app authenticating users using OpenID Connect. Having a REST API authenticated using OpenID Connect using the same user as for ...
0 votes, 1 answer, 907 views
refresh token without client_id and client_secret
I was reading the OAuth protocol docs https://datatracker.ietf.org/doc/html/rfc6749#section-6 where it implies that you don't need a client_id and client_secret to refresh an access token, just a ...
-1 votes, 1 answer, 1k views
How to secure backend API access?
In the good old days, you made server-side websites using PHP or something like that, now we have modern web apps divided into front-end and back-end (usually API Rest), you can't rely on CORS because ...
2 votes, 1 answer, 371 views
Which OAuth2 flow should I use?
Context: I'm trying to build a hybrid multi-tenant API using OAuth 2.0 using Laravel 8 Passport, so my system has 2 parts: one processes the request from the tenant application, and the other part ...
1 vote, 0 answers, 255 views
Where should I store an OAuth refresh token for a third party?
I am connecting to a third party which authenticates with OAuth2. Once the user has logged in, I want to store the access & refresh tokens for the user. Which is more secure & proper - to save ...
3 votes, 0 answers, 708 views
Alternatives to OAuth 2 for first-party native applications
I am currently thinking about alternative ways for my native iOS Application (written in Swift) to receive access- & refresh-tokens. As of now, user sessions are established using revokable JWTs, ...
1 vote, 2 answers, 145 views
Is access token confidentiality also ensured in the Authorization Code grant type in OAuth 2.0?
One of the really nice articles I came across while trying to understand the various grant types in OAuth 2.0 was this. The author really has done a good job at explaining quite clearly what various ...
2 votes, 0 answers, 792 views
API keys or Client Credentials flow? Good practice to control application access to a deployed web component
Company A developed a widget (Web Component) deployed on several clients/partners. Only clients/partners must be authorized to use the widget. No need to distinguish between each end users (clients' ...
2 votes, 2 answers, 1k views
How could server-to-server REST API communication be more secure by using OAuth 2?
I created a large backend+frontend project for a client. They recently started a different project, and contracted another company to develop and host it. Since they need some of the data from my ...
1 vote, 2 answers, 410 views
How do I make sure access token comes from authenticated user?
My problem boils down to the use of Okta's access tokens to secure an API endpoint. I followed this Okta guide to set up a React single-page application with their widget. When I log into the site I get a ...
2 votes, 0 answers, 693 views
API protection - JWT vs HMAC signing vs OAuth
Let's say you are designing a new API. The consumer of your API is a mobile app that periodically sends requests in the background, but you expect other consumers as well, such as web apps or servers. ...
4 votes, 1 answer, 147 views
Do websites grant their own JWT token after successful OpenID/OAuth2 login?
I am looking at implementing an Authorization Code with PKCE grant on a mobile app to communicate to an API. What I am curious about is what applications currently do with the OpenID token that is ...
2 votes, 1 answer, 2k views
Securing API access: OAuth Client Credentials vs client ID and secret
I have a REST API that will be called by other external 3rd party servers over the internet and be used only for machine-to-machine communication. I am looking for mechanisms to secure this API such ...
1 vote, 2 answers, 324 views
Secure API key mechanism for identification
In my web application, when the user logs in, a pair of JWTs (JSON Web Tokens), an access token and a refresh token, is sent with some fixed time validity. Using the access token the client is authenticated, and using ...