Now that it's working again (I couldn't access it some days ago), the OAuth playground is just a pretty nice way to understand code flows in Auth.
Over the last few days, I've plunged into finally trying to understand how all of this Auth stuff works. (The landscape of acronyms is almost as bad as with the CORS one.) These are the videos/sites I would've liked to find from the beginning:

- The Auth Wiki from Logto, but only as a reference whenever some word is unclear (though that has duplicate pages for some reason)
- Illustrated Guide to OAuth and OIDC (YouTube)
- Everything you ever wanted to know about OAuth and OIDC (though the OAuth playground it mentions is currently broken, or so it seems)
- OAuth 2 Simplified (Blog Post), which has been expanded into OAuth 2 Simplified (Book)

# Not super-intuitive stuff

- A normal web client shouldn't have a client secret (makes sense if you think about it), and needs to use PKCE
- OAuth is only about _Authorization_ (read: authorizing the service you're currently logging in to to access some resources on another service); OpenID Connect (OIDC) adds _Authentication_ (read: telling the service you're currently logging into who you are) to this.
- In my head, every service supporting OAuth (or OIDC, at least) also supported something called "Public Sign Up". But that's not the case; most of them actually don't (which makes sense, because _Authorization_ and _Registration_ don't even belong to the same area).
I've added a note about (me learning) Auth :)
#Auth #Authn #Authz #OAuth #OIDC #PKCE
#Hollo 0.6.0 is coming soon!
We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:
### Enhanced #OAuth #security
* RFC 8414 (OAuth metadata discovery)
* RFC 7636 (#PKCE support)
* Improved authorization flows following RFC 9700 best […]
Would you look at that, #tado is switching to "device code flow" because it is more secure... Yes, it is more secure than resource owner flow, but why are they not going for authorization code with #PKCE? #fake #security support.tado.com/en/articles/...
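Since both this post and the earlier learning thread come back to "public clients need PKCE", here is an added example (mine, not from either poster, and not tied to tado's or any real provider's endpoints) of what PKCE adds to the authorization code flow: the client side that derives the S256 challenge and builds the request without any client secret, and the token-endpoint check that binds the redeemed code to the original verifier. The endpoint, client id and redirect URI are placeholder values.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1


def b64url(raw: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: a fresh, high-entropy code_verifier per authorization request.
    32 random bytes encode to 43 characters, the minimum length the RFC allows."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                  challenge: str, state: str) -> str:
    """Client side: the authorization request. Only the challenge leaves the
    client; the verifier stays in memory until the code is redeemed.
    There is no client_secret anywhere: a browser app is a public client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",  # 'openid' asks for OIDC authentication on top of OAuth
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side: what the token endpoint checks when the code is redeemed.
    A stolen authorization code is useless to anyone who never held the verifier."""
    if stored_method != "S256":  # accept only the hashed method, never 'plain'
        return False
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)
```

The verifier/challenge pair from RFC 7636 Appendix B reproduces with `make_challenge`, and a verifier from a different request (or one presented with method `plain`) is rejected at the token endpoint.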