All Questions
Tagged with authenticationauthorization
69 questions
4 votes, 1 answer, 118 views
Next Auth Flow For Use with Ruby on Rails API
I plan to have a frontend web app written with Next.js using the AuthJS library to provide user authentication using OAuth. This frontend application depends on a backend API. I want to make sure my ...
0 votes, 1 answer, 133 views
Authorization business logic on claims or on app database?
Context: I have an API (using DDD) with an entity, let's call it "Content", that can only be updated by certain users. For example, Content with Id = 1 can only be modified by User Id = 1, ...
1 vote, 0 answers, 188 views
OpenID Connect and User Management Best Practices
Currently my company has 2 applications that use Identity Server for SSO. Not every client we have uses both applications but some do. The part I'm uneasy about is that both apps have a user ...
1 vote, 1 answer, 110 views
Is my security pattern correct for authenticating principal users to my microservices?
We are trying to implement an authorization and authentication service for our product. Now, we would have to cater to different kinds of IAM systems like SSO, LDAP and Basic Username+Password in ...
1 vote, 0 answers, 1k views
Authorization using Azure AD B2C access tokens in Python / Flask
TLDR: I am trying to validate an Azure AD B2C access token in my Flask web API, use scopes from that access token to authorize calling protected resources, use timely and secure solutions such as PKCE ...
2 votes, 0 answers, 228 views
What is the benefit of performing authn/authz at the API gateway instead of at the service?
I want to know if we should perform authentication at the API gateway, at the individual service, or both. Let's frame this question and discussion in the context of new development. Specifically, ...
6 votes, 1 answer, 1k views
Should user and service-to-service authentications be separate?
Say I have a system with 5 microservices behind a gateway, and a user signs in through an IDP (OAuth). A user U passes the access token in a request, and the call first reaches the gateway before it ...
0 votes, 1 answer, 524 views
Can I store a refresh token in a queue?
We have a standard microservices setup (Identity Server, API Gateway, services, etc). Some of the services schedule events to be dispatched in the future (future = anything from mins to months ahead) -...
0 votes, 1 answer, 416 views
Enriching JWT after OpenID Connect flow
I am struggling to find a good solution for authorization of users after they were properly authenticated through an OIDC flow. Let's assume the following setup: an Angular SPA is interacting with ...
2 votes, 1 answer, 2k views
Refresh tokens by example using Angular and Spring Boot
I am designing out an app that would have an Angular frontend and Spring Boot (Java) backend. I was considering (but not married to) the prospect of JWT-based authentication: User logs in with ...
2 votes, 2 answers, 155 views
Authenticate users (REST-API)
What I'm trying to build: a REST API using Express and SQLite. 5 to 10 authors should be able to post articles to /articles; except for them, no one is allowed to post anything. My approach to build it ...
1 vote, 1 answer, 86 views
Authentication-as-a-Service (Auth0) and retrieving user profiles for many different users
For my recent project I decided to leverage Authentication-as-a-Service, in particular I am using Auth0 but I do not think this particularly matters. I've got my React client set up correctly and I am ...
3 votes, 1 answer, 461 views
API AuthN/AuthZ and API Gateway
I have implemented authentication at the API Gateway level using NGINX+ and now I have a concern: should APIs behind it still authenticate using API Keys or JWT? What are best practices? My point is ...
1 vote, 1 answer, 2k views
Token based authentication to multiple API servers
We have a Web server (which also does authentication and authorization) that manages, via an API, one or more servers that contain highly sensitive data. In the below architecture diagram, we manage ...
0 votes, 1 answer, 451 views
How to secure messaging-based communication with microservices
I'm comfortable with a lot of OpenID Connect and OAuth2 concepts in the context of HTTP-based communication between microservices. I'm currently leveraging Azure AD. In the HTTP-based scenario I would ...