python (12.9k questions)

javascript (9.2k questions)

reactjs (4.7k questions)

java (4.2k questions)

java (4.2k questions)

c# (3.5k questions)

c# (3.5k questions)

html (3.3k questions)

Questions - access-token

Microsoft Graph: verify with which secret an access token was obtained

When getting an access token for Microsoft Graph using the client_credentials method (https://learn.microsoft.com/de-de/graph/auth-v2-service) you use a client secret. Is there any way one can verify ...
test-img

Gianluca Filitz

azure

oauth

jwt

access-token

azure-ad-graph-api

Votes: 0

Answers: 1

Latest Answer

Is there any way one can verfiy which secret (the secrets have IDs) was used to obtain the access token? No. Alternatively, is there any way to assign roles/ permissions to only on specific secret?...
test-img

juunas

Why not to have two access_tokens and two refresh_tokens stored one in cookie and one in localstorage to protect from XSS and CSRF

Background Scenario is that we have a REACT SPA and a single API which is both a resource server and an authentication server. We want to implement simple tokens based auths. There is no dedicated SSO...
test-img

Rychu

security

authentication

access-token

restful-authentication

refresh-token

Votes: 0

Answers: 1

Latest Answer

We have implemented this flow and here are two main conclusions: This flow works great and gives more security when API and frontend are hosted on the same domain (e.g., api.example.com and example.c...
test-img

Rychu

Invalidating Jwt Token without a blacklist

I want to invalidate refresh jwt token without maintaining a blacklist of used refresh tokens with rotations, for this I had the idea of including a ValidationCode in the payload of the RT that the se...
test-img

dbzadnen khiari

oauth-2.0

jwt

authorization

access-token

refresh-token

Votes: 0

Answers: 1

Latest Answer

What you're describing here is a solution where you can just keep the latest RT used by the user in the database and allow only refresh requests with the RT saved in the DB. This is a valid approach b...
test-img

Michal Trojanowski

Change the preferred_username in token for client credential grant flow

I am using the Keycloak for one of our product. And we are using the client credentials grant flow to get the access token for service to service communication. And the issue is, preferred_username is...
test-img

Aravind Raj

oauth-2.0

keycloak

openid-connect

access-token

Votes: 0

Answers: 1

Latest Answer

So my question is, Am I using the correct grant flow for the use case. According to OAuth 2.0 Client Credentials Grant The Client Credentials grant type is used by clients to obtain an access tok...
test-img

dreamcrash

Posts

Questions

Blogs

Jobs