A single authentication layer for your entire platform. Integrate any identity provider through OpenID Connect — without touching your application code.
The reason to avoid JWTs comes down to a couple different points:
- The JWT specification is specifically designed only for very short-lived tokens (about 5 minutes or less). Sessions need to have longer lifespans than that.
- "Stateless" authentication simply is not feasible in a secure way. You must have some state to handle tokens securely, and if you must have a data store, it's better to just store all the data. Most of this article and the follow-up it links to describe the specific issues: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
- (Yes, people are doing it, and yes, their applications are flawed, and you should not repeat that mistake.)
- JWTs which just store a simple session token are inefficient and less flexible than a regular session cookie, and don't gain you any advantage.
- The JWT specification itself is not trusted by security experts. This should preclude all usage of them for anything related to security and authentication. The original spec specifically made it possible to create fake tokens, and is likely to contain other mistakes. This article delves deeper into the problems with the JWT (family) specification.
About OAuth2
No DB, only env variables. KISS
Rights management in JS
A great feedback
A page builder for Keycloak.
Customize the look and feel of your login and registration pages without having to mess with FreeMarker.
KeeOtp2 is a plugin for KeePass. It provides a form to display one time passwords. The TOTP secret keys are stored in a normalized format, so this plugin is fully compatible with the built-in OTP function. It also can be used as a GUI for the built-in OTP function.
- Don’t Disable Copy-Paste For Passwords
- Don’t Rely on Passwords Alone
- Drop Strict Password Requirements
- Social Sign-In Isn’t For Everyone
- Replace Security Questions With 2FA
- Users Need Options For Access Recovery
Rather than interrogating a device directly, we ask the device vendor to do it for us.
I see so many problems coming 🍿
At the same time, I like the idea so much!
4 parties involved:
- an origin (service provider)
- a client (service consumer)
- an attester (proves the client is real; for example, device vendors)
- an issuer: producer of the token, called by the attester and chosen by the origin
A description of a modern website architecture. It uses a bunch of modern technologies, and the author explains why they are useful in their case.