Questions tagged [oauth2]

112 questions
74 votes, 4 answers

What is the purpose of identifier-first login screens?

Companies like Google and Microsoft use identifier-first screens: where you provide your identifier (like an email) before providing the password. Why is this done, is this somehow more secure? I'm setting up a login with Auth0 and identifier-first…
Asked by Tobi Akinyemi (reputation 675)
14 votes, 1 answer

What does Identity Server offer that ASP.NET Core Identity does not

I'm trying to get my head around the big picture when producing a new website using ASP.NET Core. I want users of my website to be able to register and log in with social media such as Facebook and Google. Once registered when they make requests to…
Asked by Chris Nevill (reputation 320)
13 votes, 1 answer

How to handle per-resource (fine grained) permissions in OAuth?

I'm designing an app architecture using OAuth 2.0. I have a separate Resource Server and Authorization Server. The latter keeps a database of users and the scopes available to them. Now, my question is: How and where to store/model fine-grained,…
Asked by akavel (reputation 361)
13 votes, 3 answers

Multiple OAuth2 access tokens

I have an API that uses OAuth2 and my own mobile apps that use this API as their backend. Since users can be logged on via multiple devices (i.e. iPhone, iPad, Android tablet or Android phone) at the same time, I need the API to distinguish between…
Asked by checklist (reputation 279)
11 votes, 2 answers

Should an SPA use OIDC's Implicit flow or Auth Code flow?

We are developing a new Angular SPA which leverages Keycloak for its SSO abilities using OpenID Connect (OIDC). The app is currently designed to use the Implicit flow to retrieve short-lived access tokens via the Keycloak JS adapter. However,…
Asked by Eric B. (reputation 1,229)
10 votes, 1 answer

How to migrate existing legacy webapp to use OAuth2

I currently have a 15 year old legacy monolithic webapp with close to 1 million users, using a home-grown authorization & authentication system: JAAS, user names & pwds stored in a DB with basic password hashing, some 2FA personal verification…
Asked by Eric B. (reputation 1,229)
10 votes, 2 answers

Auth options for distributed systems

I am in the process of designing 3 components that will work in symphony with one another: A RESTful web service which requires BasicAuth over HTTPS on all calls, and which is what actually does all the heavy lifting for my system (does the work) A…
Asked by smeeb (reputation 4,820)
10 votes, 3 answers

OAuth2 flow - does the server validate with the Auth server?

I've been reading a lot on OAuth2 trying to get my head around it, but I'm still confused about something. I understand that the client authorises with the OAuth provider (Google for example) and allows the Resource Server to have access to the…
Asked by drekka (reputation 1,269)
9 votes, 8 answers

Is Password Hashing Bad?

In software design and security, why would it not be a good idea for users to send you their passwords and it would be a better idea to delegate: use public-key auth or logging in with one of these: OpenID Connect, "sign in with Google" or…
Asked by Daniel (reputation 331)
9 votes, 2 answers

How to use OAuth 2.0 roles and scopes to secure services

I have secured a REST API using OAuth 2.0 security, and I am not sure how to configure security access using roles or scopes. There will be three types of clients: Public mobile app client used by end-users that can access their profile, data,…
Asked by Marios (reputation 303)
8 votes, 1 answer

OAuth shared Authorization server for multiple apps

At my shop we have a couple of .NET Web APIs that use OAuth tokens for authentication. Currently, each web API is both authorization and resource server. Users authenticate to all of these APIs using the same credential, but they currently need to…
Asked by Joshua Barron (reputation 211)
8 votes, 3 answers

OAuth alternative for a 2 party system

I'm writing a RESTful service (Java EE, Jersey) and a client application that communicates with it, and I wish to secure it and store any usernames & passwords dedicated in my own database. I do not want the client to store the username and password…
Asked by Alon Amir (reputation 183)
7 votes, 3 answers

Is caching Access Tokens on the back end of a Web Application a good idea? (access_token storage best practices)

Let's suppose we have a Web Application that uses an OpenID Connect service provider, the Web Application uses the Authorization Code flow to get access to a different API, and therefore gets an access_token and an id_token at the end of the…
Asked by Hamza (reputation 89)
7 votes, 1 answer

Is this a correct JWT authentication implementation?

I've created a Flask RESTful API which requires an email / password and Facebook login flow. This will probably need to be extended in the future to support more social logins. I've chosen to authenticate users using JWT. Since I want to support…
Asked by Remco Haszing (reputation 1,399)
7 votes, 1 answer

Is OAuth 2.0 ok for building a container of applications?

I need to create a container app which contains several apps (imagine something like iCloud): once I've been logged in, I can see all the apps by means of icons, click on them and use them (a new tab/page is open and no login is required). The…
Asked by Bertuz (reputation 417)