Hashtag: #oauth

Somehow I just implemented an #OAuth login method for the first time in my 5 years as a web dev. I'd only ever done email + password auth before (with all the expected security measures). I guess better late than never. Having a great experience with Better Auth!

#webdev #coding #React #JavaScript

🔐 Secure, Scale, and Trade: Building an Enterprise-Grade API Token Marketplace In today's API-driven economy, authentication tokens are the currency that powers integrations, microservices, and third-party applications. But as organizations scale, managing these tokens becomes a complex logistical and security challenge. Enter token sprawl: lost keys, unauthorized access, and a lack of centralized oversight.

"🔐 Secure, Scale, and Trade: Building an Enterprise-Grade API Token Marketplace" by Michael G. Inso

#github #authentication #oauth #authorization #openai-gpt

Integrated software development and communication tools - 23/03/2026 16:21 EDT Python & API Development Projects for $250-750 USD. I am looking for a developer able to build custom software and to enhance it, throughout the year, with



#API #API #Development #Docker #Kubernetes #Node.js #OAuth #PostgreSQL #Python

Auth0 AWS Amplify Gen2: OIDC Authorization for AppSync via Identity Pool Federation This guide walks through integrating Auth0 with AWS Amplify Gen2 using Cognito Identity Pool Federation and OIDC authorization for AppSync, covering the critical steps — such as CDK-level OIDC provider setup, custom credentialsProvider and tokenProvider implementation, and Auth0 domain format handling — that are missing from the official documentation.

"Auth0 AWS Amplify Gen2: OIDC Authorization for AppSync via Identity Pool Federation" by Kihara, Takuya

#aws-amplify #oauth #authentication #authorization #appsync

Hello Microsoft Identity Platform Hello, Microsoft identity platform!

ICYMI: (06/12/2020): "Hello Microsoft Identity Platform." RPs and feedback are always appreciated! https://jjg.me/3feJbfC #Articles #Azure #Identity #WebAPI #Api #OAuth #MSAL #Managed Identity #Entra

GitHub - stefanbohacek/auth-server Contribute to stefanbohacek/auth-server development by creating an account on GitHub.

Any fediverse developers with too much free time on their hands interested in helping me figure out why, when logging in with a Friendica account, I get an "Unprocessable Entity" error?

https://github.com/stefanbohacek/auth-server

#fediverse #oauth #fedidevs #nodejs #opensource

Matt Glaman Examines OAuth Scope and Permission Mismatch in Drupal A new blog post by Matt Glaman examines how Drupal’s permission system behaves under OAuth authentication, highlighting a mismatch between administrative permissions and scope-based access checks. The analysis explains why certain operations fail und...

Matt Glaman explores OAuth scope mismatches in Drupal permissions.

Shows how Simple OAuth differs from internal access handler logic.

Suggests Access Policy in Drupal 10.3 to align permission checks.
https://bit.ly/4uynzSZ

#Drupal #OAuth #WebDev #OpenSource


New phishing campaigns are abusing OAuth flows to gain persistent access without stealing credentials.

Even password resets don’t kick attackers out.

Identity security now includes managing tokens & app permissions.

www.helpnetsecurity.com/2026/03/weap...

#CyberSecurity #OAuth #IdentitySec

[DEEP RESEARCH] Who’s Most Likely to Abuse MCP Integrations? UNC3944, TraderTraitor, UNC6293 Three intrusion sets already excel at getting users to approve tools and auth flows. This assessment is probabilistic: it highlights who is best positioned to adapt that tradecraft to MCP-style…

Happy almost St. Paddy’s—don’t let users “approve” MCP tools like free green beer. UNC3944/TraderTraitor/UNC6293 win by *permission*, not exploits. ☘️🧨

Skim the playbook (then subscribe): blog.alphahunt.io/deep-researc...

#AlphaHunt #CyberSecurity #AI #OAuth

Hackers Abuse OAuth Flaws for Microsoft Malware Delivery

Microsoft has warned that hackers are weaponizing OAuth error flows to redirect users from trusted Microsoft login pages to malicious sites that deliver malware. The campaigns, observed by Microsoft Defender researchers, primarily target government and public-sector organizations using phishing emails that appear to be legitimate Microsoft notifications or service messages. By abusing how OAuth 2.0 handles authorization errors and redirects, attackers are able to bypass many email and browser phishing protections that normally block suspicious URLs. This turns a standards-compliant identity feature into a powerful tool for malware distribution and account compromise.

The attack begins with threat actors registering malicious OAuth applications in a tenant they control and configuring them with redirect URIs that point to attacker infrastructure. Victims receive phishing links that invoke Microsoft Entra ID authorization endpoints, which visually resemble legitimate sign-in flows, increasing user trust. The attackers craft these URLs with parameters for silent authentication and intentionally invalid scopes, which trigger an OAuth error instead of a normal sign-in. Rather than breaking the flow, this error causes the identity provider to follow the standard and redirect the user to the attacker-controlled redirect URI.

Once redirected, victims may land on advanced phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, allowing threat actors to harvest valid session cookies and bypass multi-factor authentication. Microsoft notes that the attackers misuse the OAuth “state” parameter to automatically pre-fill the victim’s email address on the phishing page, making it look more authentic and reducing friction for the user. In other cases, the redirect leads to a “/download” path that automatically serves a ZIP archive containing malicious shortcut (LNK) files and HTML smuggling components. These variations show how the same redirection trick can support both credential theft and direct malware delivery.

If a victim opens the malicious LNK file, it launches PowerShell to perform reconnaissance on the compromised host and stage the next phase of the attack. The script extracts components needed for DLL side-loading, where a legitimate executable is abused to load a malicious library. In this campaign, a rogue DLL named crashhandler.dll decrypts and loads the final payload crashlog.dat directly into memory, while a benign-looking binary (stream_monitor.exe) displays a decoy application to distract the user. This technique helps attackers evade traditional antivirus tools and maintain stealthy, in-memory persistence.

Microsoft stresses that these are identity-based threats that exploit intended behaviors in the OAuth specification rather than exploiting a software vulnerability. The company recommends tightening permissions for OAuth applications, enforcing strong identity protections and Conditional Access policies, and applying cross-domain detection that correlates email, identity, and endpoint signals. Organizations should also closely monitor application registrations and unusual OAuth consent flows to spot malicious apps early. As this abuse of standards-compliant error handling is now active in real-world campaigns, defenders must treat OAuth flows themselves as a critical attack surface, not just a background authentication detail.

Hackers Abuse OAuth Flaws for Microsoft Malware Delivery #Microsoft #OAuth #Phishingemail


Setting up OAuth flows sucks. Every API integration = 3 hours of auth boilerplate.

Clamper ships with pre-built OAuth for Google, GitHub, Notion, Stripe, Slack, Discord. Just plug in your keys.

From 3 hours to 3 minutes. 95% faster.

Try Clamper: clamper.tech

#OpenClaw #AIAgents #OAuth #Develo...


OAuth 2.0 is the standard for authorization. Delegated access without sharing passwords. Google, Facebook, GitHub all use it. Standards enable ecosystems.

#oauth #security


Bearer tokens can be replayed.

Quarkus 3.32 introduces DPoPNonceProvider so you can enforce single-use nonces and stop replay attacks in your Java APIs.

I built the full challenge-response flow with Keycloak + Dev Services.

Here’s the guide:
buff.ly/mZX26pw

#Quarkus #Java #Security #OAuth

Securing AI Coding Agents with Real-Time Just-In-Time Authorization: Claude Code and GitHub Copilot CLI | Martin Besozzi But one key question is still largely unanswered: > Who approves critical actions when an AI agent decides to execute them? At TwoGenIdentity, we built a working implementation of Just-In-Time (#JIT)...

Now you can implement Just-In-Time #Authorization in #Claude #Code with Human-in-the-Loop (#HITL) #MCP #Elicitation
Demoing our implementation based on #open #standards, where #OAuth native authz occurs in real time, producing a cryptographic proof bound to that operation
www.linkedin.com/posts/embeso...


Cyber attackers are exploiting OAuth's Device Code Flow to hijack Microsoft 365 accounts without stealing passwords. Stay vigilant and implement robust security measures. #CyberSecurity #Phishing #OAuth Link: thedailytechfeed.com/phishing-att...

Error message from Claude Code when I didn't manage to copy the OAuth URL to another machine, paste it into my browser, get the response from their (very slow) server, copy that back to the first machine and paste it back into the session in under 15 seconds.

Login
OAuth error: timeout of 15000ms exceeded

I hate it when people think OAuth is the only way to do things. Fine, if you are a web app running in a browser and using a third party service where your users don't want to let you see their credentials.

But, for a first party CLI app, perhaps making me […]

[Original post on mastodon.social]


Spring forward—your “AI coworker” will happily approve-to-exfil. Watch NEW OAuth trust events + device-code logins; endpoint IOCs are for nostalgic people. 🔥🕵️

#AlphaHunt #CyberSecurity #AI #OAuth

foojay – a place for friends of OpenJDK foojay is the place for all OpenJDK Update Release Information. Learn More.

DPoP: What It Is, How It Works, and Why Bearer Tokens Aren’t Enough

#bearer #cryptography #dpop #java #oauth #security #token

foojay.io/today/dpop-wh...


Working implementation 🚀 of Just-In-Time (#JIT) #Authorization for #AI #Agents
Our pattern, MCP-Native Authorization (MCP-NA), combines #OAuth 2.0 first-party interactive flows with #MCP #elicitation metadata to enable AI agents to orchestrate Human-In-The-Loop (#HITL) steps
Copilot MCP App demo👇

foojay – a place for friends of OpenJDK foojay is the place for all OpenJDK Update Release Information. Learn More.

Bearer tokens have a security problem - they can be stolen and replayed. DPoP offers a better approach by binding tokens to cryptographic keys. Hüseyin Akdoğan explains how it works and why you should care.

foojay.io/today/dpop-w...

#security #oauth #java

Invite Guest users in a Entra ID Multi-tenant setup This post looks at implementing a guest user invite in a cross tenant setup. This is useful when creating partner tenants using an Entra ID MAU license for all partner guests and members. This make…

Blogged: Invite Guest users in a Entra ID Multi-tenant setup

damienbod.com/2026/03/09/i...

#graph #entra #mau #identity #iam #entraid #oauth #openidconnect #oidc #security


LaraFoundry supports 3 OAuth providers out of the box:
Google, Facebook, Twitter.

One controller. One callback. Remember me works across all of them.

No Auth0. No Firebase. Pure Laravel Socialite.

#LaraFoundry #Laravel #OAuth #SaaS


Telegram bot instead of Excel routine: how I automated routine work with Python How I replaced Excel pivot tables with a Telegram bot ...

#python #telegrambot #google #sheets #api #oauth #yandex #disk #pandas #etl #devops

Detecting OAuth Redirect Abuse with Microsoft Sentinel and Entra ID Microsoft warned about OAuth redirect abuse enabling phishing and malware delivery. Build Sentinel analytics rules, hunting queries, a security workbook, and Entra ID hardening policies to detect and ...

OAuth redirect abuse in Entra ID is worth watching.

New post with 4 Sentinel detections, hunting queries, and hardening steps:

nineliveszerotrust.com/blog/oauth-r...

#EntraID #OAuth #MicrosoftSentinel


DEEP RESEARCH: Who’s Most Likely to Abuse MCP Integrations? #UNC3944, #TraderTraitor, #UNC6293 ?

MCP-era risk isn’t exploits—it’s authorized tool/integration abuse (OAuth consent, device codes, app passwords). We ranked who’s best positioned..

#AlphaHunt #OAuth #MCP


📰 Microsoft: Hackers Exploit OAuth Error Flows to Spread Malware

👉 Read the full article here: ahmandonk.com/2026/03/05/penyalahgunaa...

#keamananSiber #malware #microsoft #oauth #phishing

If your “AI Coworker” Gets Targeted, What Tips You Off First? Your “AI coworker” isn’t the breach. The OAuth trust event is. 🔥🕵️‍♂️ Device-code phishing + consent traps = “approve to exfil.” (And yes, AI agents are already being used as the wrapper.)

Your “AI coworker” didn’t hack you—someone got it to hit “Approve” 🙃 New OAuth trust events + device-code logins = silent SaaS loot. 🔥

Read the telltales + subscribe: blog.alphahunt.io/if-your-ai-c...

#AlphaHunt #CyberSecurity #OAuth #AI

Microsoft: Hackers abuse OAuth error flows to spread malware Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages.

#Microsoft: Hackers abuse #OAuth error flows to spread #malware

www.bleepingcomputer.com/news/security/microsoft-...

#cybersecurity


SIGNALS WEEKLY:

Cisco Catalyst SD-WAN Exploitation + OAuth Redirect Abuse + Prompt Injection Observed in the Wild

blog.alphahunt.io/signals-week...

#AlphaHunt #SDWAN #OAuth #AISecurity #ThreatIntel


Microsoft warns of a new phishing attack exploiting OAuth in Entra ID to evade detection. Stay vigilant and implement recommended security measures. #CyberSecurity #Phishing #OAuth #EntraID Link: thedailytechfeed.com/microsoft-di...
