96 votes

What is the purpose of identifier-first login screens?

This is common with federated identity systems where a service authenticates users from many identity providers. Your email address is used to look up which identity provider can authenticate you. ...
Greg Burghardt
54 votes

What is the purpose of identifier-first login screens?

The purpose of this is to redirect to the account's identity provider. However the use case is not selecting between personal login providers such as Facebook or Google. It's to support organisational ...
Wes Toleman
47 votes

Is Password Hashing Bad?

This is a reasonable point being justified using incorrect claims. The issue here isn't about having users enter passwords. How do you think they're going to log in to Google/Facebook/any other third ...
Flater
21 votes

Is Password Hashing Bad?

The specific claim: "Password hashing is bad" is somewhat odd. If you are supporting passwords, hashing is pretty important. The more interesting and more contentious (based on the other ...
JimmyJames
9 votes

Is Password Hashing Bad?

I would agree in a kind of "if life were perfect" sense. If you rely on Google, FB or whatever and you can force that option on every one of your users, you never ever can be held ...
LoztInSpace
7 votes

What is the purpose of identifier-first login screens?

I think this is used for when some logins may be forwarded to a separate auth service. In this case you don't want to see the password at all. E.g., say you allow the user to login to your site with ...
Ewan
7 votes

What is the purpose of identifier-first login screens?

There might be more than one way to authenticate yourself to a service, especially at their scale. For example, Google lets you use your phone instead of a password, so that means that they'll want to ...
toastrackengima
6 votes

How to handle per-resource (fine grained) permissions in OAuth?

Eh, answering my own question... I followed up a bit more on UMA, and it seems to be indeed some kind of a possible solution: UMA seems to be a semi-official (or at least the only official-looking ...
akavel
6 votes
Accepted

Is there a context in oAuth, reusable in the callback?

The state parameter: https://auth0.com/docs/secure/attack-protection/state-parameters You can use the state parameter to encode an application state that will put the user where they were before the ...
pjc50
5 votes

How dangerous is storing sensitive information in LocalStorage?

The attack would take the form of javascript loaded from another domain, but executed in the target domains page. ie I load a script from compromised.advertiser.com/adverts.js and it runs "read ...
Ewan
4 votes
Accepted

User identity and microservices

The usual approach is for the authentication service to issue the user a signed token. Other services can verify the signature to check that the token is genuine. The token then contains the user ID. ...
amon
4 votes
Accepted

What is the point of the OAuth2 client identifier?

Suppose you are creating an application that accepts logins with either a Facebook account or a Google account. Both of those logins can be done with OAuth2. As part of the OAuth process, both ...
Bart van Ingen Schenau
4 votes

Is Password Hashing Bad?

In looking at this slide we should probably evaluate it against two scenarios: An average user with weak security (password re-use, dictionary passwords, no 2FA). A more security competent user (...
DavidT
4 votes

Next Auth Flow For Use with Ruby on Rails API

Welcome to SE.SE! The flow for integrating OAuth-based authentication using JWT in a Next.js frontend with a Ruby on Rails backend API looks OK to me, but what follows is a few suggestions from ...
Robert Long
3 votes

Should an SPA use OIDC's Implicit flow or Auth Code flow?

Nowadays the recommended approach is to use Authorization Code with PKCE (Proof Key for Code Exchange). The threat to be concerned about is leaking the access token from the URL - the URL is not a ...
Justin
3 votes

How to use OAuth 2.0 roles and scopes to secure services

I think it is important to keep the bigger picture of federated identity and access control in mind. There is always a resource owner, a resource server and some client that wants to access resources ...
Andreas Hütter
3 votes

What does Identity Server offer that ASP.NET Core Identity does not

Identity Server allows you to issue access tokens for APIs. In my experience, I've only seen it used when the application requires custom OAuth 2.0 authentication that cannot be provided by the ...
neverseenjack
3 votes

How are resource owner credentials stored in OAuth2

Should the OAuth2 authorization server be tied to my api (resource server) in some way that allows the authorization server to authenticate users based on their username and password?... It ...
Laiv
3 votes

How to Immediately Blacklist and Block Access of Access Token using JWT?

That's actually one of the caveats of completely stateless JWTs. You cannot invalidate a specific token. You may invalidate them all by changing your secret on the server, however this operation will ...
Andy
3 votes
Accepted

What's the point of logging in with oauth2 if it's a paid subscription site?

You are - to some extent - mixing up the concepts of Authentication and Authorization. Authentication [...] is the act of confirming the truth of an attribute of a single piece of data claimed true ...
Paul Kertscher
3 votes
Accepted

Customized access control using OAuth 2.0

Here's a list of a few things worth pondering: Resources are responsible for their own access control. The types of clients and use cases can inform how you want to break down or group together ...
vibronet
3 votes

Customized access control using OAuth 2.0

To add-on to this answer, the Authorization Server (AS) would need some way to model these Access Policies (i.e., "User 1 can access Dashboard on DC1 but not DC2", etc.) somehow. In my experience, ...
Alex Babeanu
3 votes
Accepted

How to combine session-based authentication and stateless REST API

So "standard, traditional, session-based" auth is a cookie on the client with a guid and an in-memory database on the server which holds the data for that user. "Stateless, token-based authentication" ...
Ewan
3 votes

Recommended strategy for maintaining a session when navigating from app to browser?

AFAIK there is no standard way of handling this kind of situation. However, if you do have access to the backend code (most of the off-the-shelf authentication solutions allow you to provide a ...
Kamil Janowski
3 votes
Accepted

Is it good practice to use the sub claim as the user_id in my app

The sub claim, per RFC7519, does indeed "identify the principal". However, its processing is "generally application specific". That means it's hard to reason about its behaviour ...
womble
3 votes

If my API depends on a third party OAUTH2 provider (Microsoft) - how do I write tests to test my API endpoints?

Basically, any external service must be faked in your tests. The reasons are many, but most importantly: a fake guarantees speed. Fakes make it easier to write and maintain the tests. You don't need ...
ccov77
3 votes

Should SPA talk to auth server directly or resource server?

Either approach can be entirely reasonable. But I'm with you that it probably makes sense to integrate auth as an endpoint as part of your normal APIs, instead of presenting it as a separate server. ...
amon
3 votes

Is Password Hashing Bad?

The lecture is an interesting one. He does indeed make some bold claims, like "Roll your own crypto," citing one of the gems (Mosh) that got it right... or apparently got it right. Never ...
Cort Ammon
2 votes
Accepted

Does it make sense to create a whole new API interface to just handle the web secret key?

Your tl;dr version is "of course not", but the underlying issue here is a fundamental and very common misunderstanding of what secret really means in these contexts. First things first, ...
joakim
2 votes

Multiple OAuth2 access_tokens on the same page

From a threat modeling perspective, it is not really clear what security benefit you will achieve by having each widget have its own token. So unless it can be demonstrated that there is a clear ...
Omer Iqbal