oauth
Understanding client_id and client_secret
Both client_id and client_secret are not used in the password flow. However, as you are probably aware, OAuth2 has other flows, suited for other scenarios. Namely: the authorization code flow used in web apps that authenticate users server side. The client_id is used in the initial redirect, the client_secret is used in the last step …
What is the security difference between API Keys and the client credentials flow of OAuth?
TL;DR: The difference comes down to direct access vs. delegated access. OAuth allows you to make delegated access. The benefits of delegated access don’t change if there is a user involved or not. The same arguments that make the OAuth Authorization code flow attractive for user-to-machine access, apply to the OAuth Client credentials flow for …
Closing OAuth 2.0 popup window after redirect
I think you can close the popup with parent.close(); And to refresh the main window I used this trick:

    $(function() {
      var win;
      var checkConnect;
      var $connect = $("#some_button");
      // redirect_url is assumed to be defined elsewhere on the page
      var oAuthURL = "http://example.com/account/_oauth?redirect_url=" + redirect_url;
      $connect.click(function() {
        win = window.open(oAuthURL, 'SomeAuthentication', 'width=972,height=660,modal=yes,alwaysRaised=yes');
      });
      // poll until the popup has been closed, then reload the opener window
      checkConnect = setInterval(function() {
        if (!win || !win.closed) return;
        clearInterval(checkConnect);
        window.location.reload();
      }, 100);
    });

…
Github oauth multiple authorization callback URL
I solved this issue by creating a dedicated OAuth application on Github for my local development environment. So I have the following 2 OAuth applications: My official OAuth application for production Client ID: ABC Client Secret: 123 Authorization callback URL: https://example.com/api/v1/security/oauth/github/callback My private OAuth application for development Client ID: XYZ Client Secret: 456 Authorization callback …
OAuth Client Credential Flow – Refresh Tokens
The issuance of a refresh token with the client credential grant has no benefit. That is why RFC6749 section 4.4.3 indicates: "A refresh token SHOULD NOT be included." Thus its issuance is at the discretion of the authorization server. From my point of view an authorization server should never issue a refresh token with …
OAuth Refresh Token Best Practice [closed]
The client should always be prepared to handle an error returned from the API that indicates that the access_token validation failed. Depending on the implementation the access token may have been revoked or declared invalid otherwise. The client may then use a refresh_token to get a new access token and try again. So you can …
Rails authentication across apps/servers
Yes, SSO using OAuth is a viable solution, but it’s not the simplest one. When building anything new, OAuth 2.0 is the way to go. The OAuth standards cover a lot of ground. The primary advantage of OAuth is that it allows users to give 3rd party apps access to their account without disclosing their …
Update/change roles claim (or any other claim) in JWT
Refresh tokens don’t seem to be the solution if you care about the changes you make being instant; you probably don’t want a user to access moderation tools for some time if you revoke his permissions. What you could do is keep a version number in the jwt token relative to the user, much like …
Using OAuth for server-to-server authentication?
There are actually two OAuth specifications, the 3-legged version and the 2-legged version. The 3-legged version is the one that gets most of the attention. The 2-legged version does exactly what you want initially, it allows an application to grant access to another via either a shared secret key (very similar to Amazon’s Web Service …