🚨 ShinyHunters compromised Google, Qantas & dozens more using OAuth device flow attacks—bypassing MFA without exploiting a single software bug. My deep-dive analysis reveals how they did it and what enterprises must do now to protect their identity infrastructure.| Deepak Gupta | AI & Cybersecurity Innovation Leader | Founder's Journey from ...
Read more about the latest authentik release, 2024.4.| goauthentik.io
tl;dr: yes, contra thingamajig’s law of wotsits. Before the final nail has even been hammered on the coffin of AI, I hear the next big marketing wave is “quantum”. Quantum computing promises to speed up various useful calculations, but is also potentially catastrophic to widely-deployed public key cryptography. Shor’s algorithm for a quantum computer, if […]| Neil Madden
We've been making improvements to the end-user and developer experiences with atproto OAuth, and wanted to share some updates.| docs.bsky.app
OAuth 2.0 has emerged as the de facto standard protocol for securely protecting APIs. It provides applications the ability for secure access while keeping your passwords safe using authorization tokens. In our increasingly connected world, knowledge on this authorization protocol […] The post Podcast: Understanding OAuth appeared first on API-University.| API-University
In these three videos, I show you how to use the Google API with OAuth. Don’t miss any upcoming episode and subscribe to the API-University channel on YouTube. I provide the worksheet for you here. I hope it makes your […] The post How to use the Google API and OAuth. appeared first on API-University.| API-University
Before you can list a Selling Partner API application on the Marketplace Appstore, you need to set up an authorization workflow. Here's how.| Jesse Evers
Looks like I will be expanding my collection of identity providers (Authentik, KeyCloak, Synology SSO, Pocket ID and Zitadel) that can be used with vCenter Server and/or VMware Cloud Foundation (VC…| WilliamLam.com
As part of setting up vCenter Server or VMware Cloud Foundation (VCF) Identity Federation, if your identity provider supports the SCIM (System for Cross-domain Identity Management) protocol, you mu…| WilliamLam.com
Not sure when it happened, but I have been binging self-hosted identity providers like Netflix shows, this season features Authentik, KeyCloak, Synology SSO and Pocket ID. To add to my collection, …| WilliamLam.com
I recently found another cool use case for my Synology NAS, which is using the Synology SSO application to set up vCenter Server Identity Federation. I had not considered looking at Synology, but I …| WilliamLam.com
Do you often find yourself wanting to make a basic (or complex) web app that is client side only and will log users into Wikimedia sites with ease? Me too! I have been trying this every year or so, …| addshore
Learn how headless functions can access APIs which need to be authorized by a human in front of a keyboard for background jobs and ETL tasks.| OpenFaaS - Serverless Functions Made Simple
Learn the pros and cons of each OAuth client authentication mechanism and take your OAuth security beyond client secrets.| Scott Brady
Learn how to use JWTs securely with my latest course on Pluralsight: JWT Fundamentals.| Scott Brady - scottbrady.io
Learn how the UK's Open Banking makes use of OAuth and OpenID Connect.| Scott Brady
Learn how to implement and trigger standards-based step-up authentication using OAuth, OpenID Connect, and SAML.| Scott Brady
Learn how OAuth Proof Key for Code Exchange (PKCE) does not replace client authentication (e.g. secrets) and why you should use both where possible.| Scott Brady
Avoid a common OAuth pitfall by learning how OAuth consent and access tokens differ from user-level authorization policies.| Scott Brady
My experience and highlights from the OAuth Security Workshop 2020. Including new OAuth topics such as online_access, app2app, FAPI, OAuch, and Web ID.| Scott Brady - scottbrady.io
A rebuttal to Okta's 'Nobody Cares About OAuth or OpenID Connect', advocating the education and involvement of developers with OAuth and OpenID Connect.| Scott Brady
A cheat sheet for choosing the right way to securely access an API when using a browser-based application such as a JavaScript SPA.| Scott Brady - scottbrady.io
Removing application passwords from OAuth by using JWT Bearer Tokens, including ASP.NET Core and IdentityServer4 usage.| Scott Brady
How to handle delegation scenarios using OAuth Token Exchange, for use with microservices and API gateways.| Scott Brady
Announcing my new Pluralsight course, in which we take a look at OAuth 2.0, the gold standard for API authorization.| Scott Brady - scottbrady.io
The reasons why OAuth is not an authentication protocol, and why, without open standards such as OpenID Connect, it should not be hacked to become one.| Scott Brady
One of the few legitimate uses for the ROPC grant type is for browserless devices. Luckily, the OAuth working group now has a solution for that.| Scott Brady - scottbrady.io
Thursday, February 20th, 2025. Meeting 6:30pm to 8:30pm. Location: American Red Cross, 3131 N Vancouver Ave, Portland, OR. Speaker: Jacob Champion. We are going to have Jacob walk us through recent work on …| PDXPUG
CIAM has emerged to help businesses secure, manage, and personalize customer identities, ensuring seamless and compliant digital experiences.| Nordic APIs
In 2016 I wrote RFC 8252 seeking to codify a new best practice on using the system browser (or in-app browser tabs) to perform OAuth flows, rather than a built-in WebView. A little history: you don’t see this embedded WebView OAuth pattern much any more, but when I joined the Identity team at Google in… Continue reading In-app browsers and RFC 8252| William Denniss
We are very happy to release the initial specification of OAuth for AT Protocol! This is expected to be the primary authentication and authorization system between atproto client apps and PDS instances going forward, replacing the current flow using App Passwords and createSession over time.| Bluesky Blog
This post implements a basic ASP.NET Core API using .NET 9 and the Microsoft OpenAPI implementation. The OpenAPI Nuget package supports both Controller based APIs and minimal APIs. Until now, we us…| Software Engineering
JSON Web Tokens (JWT) are often used in stateless authentication flows. Thanks to the signature, the server does not need anything else to verify the token's validity. The scope claim (RFC 8693 section 4.2) contains a space-separated list of scopes associated with the token. The server can use it to check the application permissions. This claim can quickly become heavy, though: the more scopes you have, the bigger your token is! But JWTs are meant to be a compact token format… Today I’m prou...| Raphael Medaer’s blog
UMA 2.0 diagrams| www.gabriel.urdhr.fr
I was catching up on the always excellent Security. Cryptography. Whatever. podcast, and enjoyed the episode with Colm MacCárthaigh about a bunch of topics around TLS. It’s a great episode th…| Neil Madden
OAuth 2.x and OpenID Connect sequence diagrams| www.gabriel.urdhr.fr
You might have received an email from Google about "granular controls". CloudSponge is on it. Read on to learn about the details.| CloudSponge
To give you a feeling of what to expect at the Endpoint conference we've talked with Kamyar Mohager, who will be in Amsterdam representing Linkedin.| API UX
This article shows how an ASP.NET Core application can control the write access to an Azure blob storage container using an application app registration. Microsoft Entra ID is used to control the u…| Software Engineering
Decentralized identity is set to make a big impact on how APIs are accessed and secured. We cover a relevant recent talk from Jacob Ideskog.| Nordic APIs
Refresh vs. Long-lived Access Tokens|
The topic is well worn, but I couldn't find a ready-made solution that fully satisfied me. So I'm writing my own :). So, we have a “single-page” website that talks to the backend via a REST API. The client side may be written with ember, angularjs or something...| Alexey Evseev
The OAuth protocol comes in two versions: 1.0 and 2.0. Most services today use version 2.0, probably because it is easier to implement. Version 2.0 can also be used relatively safely in standalone applications (those without a server). To understand the protocols, it is very ...| Alexey Evseev
See: http://appauth.io/| William Denniss
What they are, why you need them, and how to get them.| CloudSponge
Basic Summary| mediagoblin.org