Questions tagged [authorization]
Authorization is the process of determining whether a user, program or device is allowed to access a protected resource in a particular way. Not to be confused with authentication.
474 questions
2 votes, 1 answer, 368 views
How to implement a MySQL query for RBAC authorization with fine-grained business restrictions in a role?
When implementing an authorization system like RBAC/DAC, or XACML, or the AWS IAM authorization model, I see that I can't totally decouple business logic from authorization when there are fine-grained ...
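One way to keep the business restriction inside the authorization query rather than scattered through application code, as an added example that is not part of the question or any answer: the role-to-permission row carries the restriction (an amount ceiling and a department scope), and the same query that checks the role also checks the resource against it. SQLite stands in for MySQL so the example runs offline; the schema, table and column names, and sample rows are constructed for this illustration, and the query uses only standard SQL.

```python
import sqlite3

# Schema and sample data are constructed for this example. SQLite stands in
# for MySQL here; the query itself uses only standard SQL.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, department TEXT);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE user_roles (user_id INTEGER, role_id INTEGER);
-- One row per (role, action, resource type). The last two columns carry the
-- business restriction that plain RBAC cannot express: an amount ceiling and
-- whether the role is confined to the user's own department.
CREATE TABLE role_permissions (
    role_id INTEGER,
    action TEXT,
    resource_type TEXT,
    max_amount REAL,                                   -- NULL: no ceiling
    scope TEXT CHECK (scope IN ('any', 'own_department'))
);
CREATE TABLE expenses (id INTEGER PRIMARY KEY, amount REAL, department TEXT);
"""

SEED = """
INSERT INTO users VALUES (1, 'alice', 'sales'), (2, 'bob', 'finance');
INSERT INTO roles VALUES (10, 'manager'), (20, 'cfo');
INSERT INTO user_roles VALUES (1, 10), (2, 20);
INSERT INTO role_permissions VALUES
    (10, 'approve', 'expense', 5000, 'own_department'),
    (20, 'approve', 'expense', NULL, 'any');
INSERT INTO expenses VALUES
    (100, 3000, 'sales'),      -- small, in alice's department
    (101, 8000, 'sales'),      -- over the manager ceiling
    (102, 3000, 'finance');    -- other department
"""

# The restriction is evaluated in the same query that checks the role, so the
# decision is one round trip and a caller cannot forget the second half.
AUTHZ_QUERY = """
SELECT 1
FROM users u
JOIN user_roles ur       ON ur.user_id = u.id
JOIN role_permissions rp ON rp.role_id = ur.role_id
JOIN expenses e          ON e.id = :expense_id
WHERE u.id = :user_id
  AND rp.action = :action
  AND rp.resource_type = 'expense'
  AND (rp.max_amount IS NULL OR e.amount <= rp.max_amount)
  AND (rp.scope = 'any' OR e.department = u.department)
LIMIT 1
"""


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SEED)
    return conn


def is_allowed(conn, user_id: int, action: str, expense_id: int) -> bool:
    """Deny by default: allowed only if some role of the user grants the action
    AND the resource satisfies that role's restrictions."""
    params = {"user_id": user_id, "action": action, "expense_id": expense_id}
    return conn.execute(AUTHZ_QUERY, params).fetchone() is not None


def demo() -> dict:
    conn = open_demo_db()
    return {
        "alice_small_own_dept": is_allowed(conn, 1, "approve", 100),  # True
        "alice_over_ceiling": is_allowed(conn, 1, "approve", 101),    # False
        "alice_other_dept": is_allowed(conn, 1, "approve", 102),      # False
        "alice_wrong_action": is_allowed(conn, 1, "delete", 100),     # False
        "bob_cfo_any": is_allowed(conn, 2, "approve", 101),           # True
        "unknown_expense": is_allowed(conn, 2, "approve", 999),       # False
    }
```

The trade-off the question describes is still visible: the restriction columns are domain-specific (amount, department), so the schema knows about expenses. What the query buys is that the check is data-driven and deny-by-default, rather than an `if` in every code path.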
3 votes, 2 answers, 442 views
Encrypted log entries authorization
We have a database table of encrypted log entries, each encrypted entry containing information about the user who created the entry. The entry is encrypted with the encryption key of the particular ...
0 votes, 2 answers, 375 views
Downside of resource owner password flow for native mobile apps?
I have seen some similar questions a few years old and I am not sure if there are any new changing views on this.
I see that this flow is not recommended for mobile native apps. What are the practical ...
3 votes, 1 answer, 1k views
Implement state parameter in OAuth2.0 code flow server-side
I have a scenario where I need to implement OAuth 2.0 authorization code flow on the server side - the user authorizes a backend service against Microsoft, the service receives a token, saves it in a ...
0 votes, 1 answer, 322 views
SSO authentication & authorization architecture/implementation
We have a bunch of different services (SPAs + API GW, legacy JavaEE apps, etc.). Each of those is usually run in multiple instances (customer-specific instances). The plan is to federate them under a ...
2 votes, 1 answer, 787 views
Did I get it right? OAuth2, OpenID and OpenID Connect
After a lot of research about authentication and authorization, I reached the following, but I'm not sure if what I reached is correct, so please help me out:
Authentication is who you are. ...
0 votes, 1 answer, 1k views
Can I safely expose a read-only RESTful API with no key or token?
As the title suggests, I would like to expose a couple of read-only endpoints without requiring a key or token. The endpoints will allow the user to request their data for the purposes of displaying ...
2 votes, 1 answer, 3k views
Best Way to handle Authorization tokens on mobile apps
In our organization we have our own OpenID server (Identity Server) that we use to authenticate people into our applications; let me explain how we currently handle our web clients.
So we have an API ...
1 vote, 4 answers, 3k views
Is it bad practice to exclusively use phone numbers for both the sign-up and login process?
I am creating an app. Users need to both login and sign-up. I want to simplify the form for this process as much as possible. This got me thinking. Instead of doing the traditional email, confirm ...
0 votes, 1 answer, 98 views
How can CSRF occur in OAuth2 using the Authorisation Code flow if not using the state parameter?
I'm trying to understand the Authorisation Code flow in OAuth and I'm confused about how CSRF would happen; specifically, I don't think I understand how the flow actually works.
Here's a diagram of ...
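A worked illustration of both the server-side `state` question above and this CSRF question, added here and not part of either question or any answer. It simulates the client side of the authorization code flow with an in-memory session store: `start_authorization` generates an unguessable `state` and binds it to the caller's session, `handle_callback` accepts the returned `code` only if `state` matches that session's pending value (and consumes it), and `handle_callback_without_state` is the flawed variant. `csrf_demo` plays the attack: the attacker obtains a callback URL carrying their own code and gets the victim's browser to load it, so that without `state` the victim's session is bound to the attacker's authorization. The provider endpoint, client id, redirect URI and the codes are constructed values.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed configuration: a hypothetical client registered at a
# hypothetical provider. None of these values are real.
AUTHORIZE_ENDPOINT = "https://login.example.test/oauth2/authorize"
CLIENT_ID = "backend-service"
REDIRECT_URI = "https://app.example.test/oauth2/callback"

# Server-side session store: session id -> dict. In production this is your
# session backend (database, Redis, encrypted cookie); here it is in-memory.
SESSIONS = {}


def start_authorization(session_id: str) -> str:
    """Step 1: generate an unguessable state, bind it to the caller's session,
    and build the authorization URL the browser is redirected to."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid offline_access",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session_id: str, callback_url: str) -> str:
    """Step 2: the provider redirects back with ?code=...&state=...  Accept the
    code only if the state matches the one stored in THIS session, then
    consume it so the callback cannot be replayed. Returns the code."""
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    received_state = query.get("state", [None])[0]
    session = SESSIONS.get(session_id, {})
    expected_state = session.pop("oauth_state", None)  # single use
    if not code or not received_state or expected_state is None:
        raise PermissionError("missing code or state")
    if not hmac.compare_digest(received_state, expected_state):
        raise PermissionError("state mismatch: possible CSRF")
    return code


def handle_callback_without_state(session_id: str, callback_url: str) -> str:
    """The flawed variant: the code is accepted for whatever session the browser
    presents, with nothing tying it to the session that started the flow."""
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    if not code:
        raise PermissionError("missing code")
    return code


def legit_demo() -> tuple:
    """Happy path: the echoed state matches, the code is returned once, and
    replaying the same callback is rejected because state was consumed."""
    sid = "user-session"
    state = parse_qs(urlparse(start_authorization(sid)).query)["state"][0]
    callback = f"{REDIRECT_URI}?code=GOOD-CODE&state={state}"  # constructed
    code = handle_callback(sid, callback)
    try:
        handle_callback(sid, callback)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return code, replay_rejected


def csrf_demo() -> dict:
    """Attacker captures a callback URL carrying THEIR code and tricks the
    victim's browser into loading it while logged in to the client app."""
    attacker_code = "ATTACKER-CODE-123"  # constructed; would come from the provider
    victim = "victim-session"
    SESSIONS[victim] = {}
    result = {}
    forged = f"{REDIRECT_URI}?code={attacker_code}"
    result["no_state_accepts_attacker_code"] = (
        handle_callback_without_state(victim, forged) == attacker_code)
    try:
        handle_callback(victim, forged)
        result["with_state_rejects"] = False
    except PermissionError:
        result["with_state_rejects"] = True
    # Even if the attacker forwards their own state value, it was bound to the
    # attacker's session, not the victim's, so it still fails.
    attacker_url = start_authorization("attacker-session")
    attacker_state = parse_qs(urlparse(attacker_url).query)["state"][0]
    forged_with_state = f"{REDIRECT_URI}?code={attacker_code}&state={attacker_state}"
    start_authorization(victim)  # victim has a pending flow of their own
    try:
        handle_callback(victim, forged_with_state)
        result["with_attacker_state_rejects"] = False
    except PermissionError:
        result["with_attacker_state_rejects"] = True
    return result
```

The point the diagram-based explanation tends to miss is that the callback is just a GET request the browser can be made to issue; `state` is what ties that request back to the session that actually started the flow.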
0 votes, 1 answer, 176 views
Secure file download: pre-signed URL vs temporary cookie
(Security non-expert here)
Use case:
You have a simple single-page web app, where users can download files. The page uses JWT tokens for authorization. Only certain users should be able to access ...
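The pre-signed URL half of this question, as an added example that is not part of the question or any answer: the app server, after its normal JWT check says the user may read the file, signs the path, user and expiry with an HMAC key; the file server verifies the signature and expiry with only that key and no session or user database. The signing key, host name and file paths are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed secret; in a real deployment it lives in a secret store and is
# held only by the component that signs and the one that verifies.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
BASE_URL = "https://files.example.test"  # hypothetical file host


def _canonical(path: str, user_id: str, expires: int) -> bytes:
    # Everything the signature must cover: which file, for whom, until when.
    return f"{path}\n{user_id}\n{expires}".encode()


def _sign(message: bytes, key: bytes) -> str:
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def presign(path: str, user_id: str, ttl_seconds: int, now=None, key=SIGNING_KEY) -> str:
    """Issued by the app server after it has already authorized user_id for
    path. The URL carries no JWT, only a short-lived signature."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = _sign(_canonical(path, user_id, expires), key)
    return f"{BASE_URL}{path}?{urlencode({'uid': user_id, 'exp': expires, 'sig': sig})}"


def verify(url: str, now=None, key=SIGNING_KEY) -> tuple:
    """Run by the file server. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        user_id = q["uid"][0]
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    if now >= expires:
        return False, "expired"
    expected = _sign(_canonical(parsed.path, user_id, expires), key)
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    now = 1_700_000_000  # fixed clock so the example is deterministic
    url = presign("/reports/alice.pdf", "alice", ttl_seconds=60, now=now)
    return {
        "valid": verify(url, now=now + 30),
        "expired": verify(url, now=now + 60),
        # Each tampered variant changes something the signature covers.
        "other_file": verify(url.replace("alice.pdf", "bob.pdf"), now=now + 30),
        "extended_expiry": verify(
            url.replace(f"exp={now + 60}", f"exp={now + 6000}"), now=now + 30),
        "no_signature": verify(url.split("&sig=")[0], now=now + 30),
    }
```

The caveat that applies to any pre-signed URL: anyone holding it can use it until expiry, so keep the TTL short and avoid leaking it through referrers or logs. A temporary cookie ties access to the browser instead, at the cost of needing the file server to understand that cookie.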
1 vote, 0 answers, 96 views
Have there been any attempts at implementing declarative security in Go?
A recurring problem when implementing authorisation checks using procedural code is that you end up duplicating a lot of checks across your codebase and it is easy to forget to apply a check, or ...
3 votes, 2 answers, 817 views
Are client certificates a secure way of having publicly facing SQL database?
Quick Context:
I often come across videos where people build apps using SQL database services alongside serverless functions (like AWS Lambda, Vercel, and others) without setting up a VPC to keep the ...
5 votes, 2 answers, 2k views
Accessing a database publicly via HTTPS API vs. native but with client certificates
There are database services offering access to the database via a HTTPS API, such as Neon and Algolia. This is great for serverless environments, but from a security standpoint, I’m curious if this ...
4 votes, 3 answers, 2k views
OpenID Connect: Why use authorization code flow?
I have a question about implementing OpenID Connect.
I understand the different flows and get that the authorization code flow is good because client credentials and server-to-server communication is ...