Questions tagged [authentication]

Authentication is the act of one entity proving its identity to another entity. Common examples involve public key cryptography. For example, proving that a banking web site actually belongs to the bank you think it does.

3 votes
1 answer
966 views

How dangerous is storing sensitive information in LocalStorage?

Since I started studying security in web applications, it seems that everyone always says to never store sensitive information (e.g., refresh tokens, access tokens, and so on) due to the risk of ...
ikiwq
3 votes
4 answers
400 views

Does possession of a valid JWT automatically imply the user is authenticated?

I am tasked with implementing authentication and authorization in a distributed environment, so I plan to use JWT. I get how authorization works with JWT - if the token is not expired, and the ...
dzenesiz
4 votes
3 answers
223 views

Achieving Multitenancy with an External Identity Provider

We are designing a backend system for a large platform where users can interact with multiple products on behalf of different companies. We plan to use Keycloak as an external identity provider. The ...
ikiwq
2 votes
3 answers
409 views

Handling authorization and authentication with an API gateway

Recently, I’ve found myself designing a microservices system, and I’m currently facing some challenges with authentication and authorization. Context: All my microservices will be placed behind an API ...
ikiwq
1 vote
0 answers
107 views

Invalidate session for user in authentication

When a user logs in to my web application (an article website), I'm using Redis to cache the refresh token. So when a user logs in, I will generate a refresh token and send it to him. While caching it in my Redis, the ...
Osama Assi
1 vote
1 answer
102 views

What type of authentication/identification is needed?

The specs: mobile apps; an LLM wrapper (of e.g. the OpenAI API); the chat history will be stored on the client; a backend is needed to manage the API key and to track token consumption / payment (how many tokens ...
ixx
0 votes
2 answers
108 views

Using unique attributes for user login

Suppose a user can have multiple emails. A given email may be held by at most one user. Is email a good pick for login purposes (so that it's used instead of the username)? Should an authentication ...
Sergey Zolotarev
1 vote
2 answers
262 views

API supporting multiple authentication providers?

I am currently looking at building an API server that will support multiple authentication providers (Google, GitHub, Keycloak, etc) and I am trying to work out what’s a good way to go about it. Two ...
Andre M
3 votes
1 answer
114 views

Is there a context in OAuth, reusable in the callback?

I am developing a home-grade web application (server-client, based on Nuxt and nuxt-auth-utils). I am using the opportunity to learn something about OAuth (and OpenID). One of the issues I face is ...
WoJ
3 votes
2 answers
362 views

Why do I need an authorisation server if my micro services can validate JWTs directly?

I'm working on a Spring-based micro service project and considering different approaches for handling authentication and authorisation. Instead of setting up a dedicated authorisation server, I’m ...
GeekChap
-1 votes
1 answer
188 views

Which authentication method to use?

I have a REST API with protected endpoints, which require an AccessToken for access. For the user to receive the AccessToken, they need to access the login endpoint and with the correct credentials (...
Joao
4 votes
1 answer
178 views

Next Auth Flow For Use with Ruby on Rails API

I plan to have a frontend web app written with Next.js using the AuthJS library to provide user authentication using OAuth. This frontend application depends on a backend API. I want to make sure my ...
Romuloux
0 votes
1 answer
119 views

Database structure for two-step registration flow

I'm trying to design a database for supporting a multi-step registration flow. The registration flow goes like this: the user logs in via OAuth (which creates a session and user), then they're asked ...
Kyle Richards
0 votes
0 answers
102 views

Edge Case For Cookie Based Token Management

I have a React frontend and a Node.js backend that uses authentication via an OIDC service provider. After a user goes through the SSO authentication flow, I store the token (containing a refresh token ...
John
2 votes
3 answers
1k views

Race condition when issuing a refresh token: worth addressing or not?

I'm quite new to the world of access and refresh tokens, so bear with me. Client uses its refresh token to get a new access token. The server invalidates the just used refresh token and contextually ...
Fabio A.