Community Picks·2yBetter Auth
Supports popular frontend, backend, and meta frameworks like React, Vue, Svelte, and more. Provides secure email and password authentication, multiple OAuth providers for social sign-on, built-in two-factor authentication, and tools for managing user access. Extend functionality via official and community plugins.
LogRocket·2yUnderstanding JWT, OAuth, and Bearer tokens
In the digital world, authentication and authorization are essential for secure access to online services. JWTs (JSON Web Tokens), OAuth, and Bearer tokens play crucial roles in ensuring security. JWTs are tamper-proof tokens composed of three parts: header, payload, and signature, used for securely transmitting information. OAuth typically utilizes JWTs to transport user information securely. Bearer tokens, included in HTTP headers, authenticate users for accessing protected resources. Understanding these concepts helps improve web security.
asayer·2yUnderstanding Web Authentication
Website authentication is crucial for ensuring users are who they claim to be, guarding sensitive information, and maintaining trust. Various authentication methods include password-based, multi-factor, biometric, token-based, and certificate-based authentication. Additionally, common protocols such as OAuth 2.0, OpenID Connect, SAML, and LDAP are used to manage authentication processes securely. Effective implementation involves choosing the right method for user experience and security, integrating both frontend and backend properly, and adhering to security best practices. Balancing security with usability and using adaptive authentication can further enhance security measures.
Community Picks·2yBest Practices for Storing Access Tokens in the Browser
Web applications often use OAuth 2.0 for data security, which involves storing access tokens. This piece examines various browser storage solutions like local storage, session storage, and cookies, highlighting their vulnerabilities to XSS and CSRF attacks. The token handler pattern is recommended for enhancing security, suggesting encrypted tokens stored in secure cookies and managed by backend components.
Community Picks·2yCasdoor · An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, RADIUS, Googl
Casdoor is a UI-first Identity and Access Management (IAM) and Single-Sign-On (SSO) platform. It supports multiple authentication protocols including OAuth 2.0, OIDC, SAML, and others. Casdoor offers a frontend-backend separation architecture, multi-language support, and easy setup. It also supports third-party application login and direct sign up, making it a versatile tool for authentication needs in various projects.
evolvedev·2yBuilding a Google Drive Downloader in Golang (Part 2)
Part 2 of the tutorial explores core features of a Google Drive downloader in Go, focusing on handling multiple concurrent downloads, updating progress in real-time, and managing cancellations. To fully benefit, refer to Part 1 for foundational setup including Google OAuth integration.
Auth0·2yAuthentication and Authorization Enhancements in .NET 9.0
NET 9 includes various enhancements for authentication and authorization, focusing on cloud-native development and performance. Key features include support for Pushed Authorization Requests (PAR) to enhance security in OAuth 2.0 and OpenID Connect environments, simplified methods for adding custom OAuth/OIDC parameters, configuration flags for Windows Authentication under HTTP.sys, and methods to serialize authentication states in Blazor Web Apps. These updates aim to simplify developers' tasks, improve security, and reduce potential bugs.
LogRocket·2yAuth.js adoption guide: Overview, examples, and alternatives
Auth.js simplifies the implementation of user authentication in web applications, supporting various strategies like OAuth and SSO. Originally called NextAuth, it was redesigned to work not just with Next.js but various JavaScript frameworks. With built-in support for numerous databases, Auth.js handles essential functionalities such as user registration, login, and session management. Despite its learning curve and some criticisms, it remains a comprehensive solution for secure authentication. The guide provides a step-by-step tutorial to set up Auth.js in a Next.js project and demonstrates its customization capabilities.
DEV·2yPOST only? Let's end this absurd API design debate
Addressing the debate on 'POST only' APIs, the post explains the misconceptions about POST-only designs, distinguishing between HTTP methods and API design styles. It highlights the principles of effective API design and compares RESTful and RPC API styles, emphasizing the appropriate scenarios for each. REST focuses on resources and standard operations, making it ideal for web services; RPC simplifies remote calls to resemble local function calls, suitable for internal services or complex operations. The ultimate goal should be clear, consistent, and efficient API design tailored to specific project needs.
The New Stack·2y4 API Security Best Practices
APIs are crucial to modern digital solutions, making API security a top priority. Key points include utilizing an API gateway to enforce policies and secure endpoints with HTTPS, and using access tokens like JWTs for robust authorization. These measures help mitigate common risks such as broken object-level authorization and unrestricted resource consumption. Implementing OAuth or OpenID Connect can enhance security further by centralizing the management of access tokens.
Hacker News·2yStack Auth
The post explains OAuth from first principles by progressively improving a flawed implementation and addressing various security attacks. It takes a user from initial insecure methods of third-party app authorization to the secure OAuth 2.0 authorization code flow with PKCE. Real-world examples illustrate common vulnerabilities and mitigation strategies, making it a valuable guide for understanding OAuth mechanics and security considerations.
InfoQ·2yASP.NET Core Updates in .NET 9 Preview 2: Blazor, OIDC, OAuth and Configuring HTTP.sys
ASP.NET Core in .NET 9 Preview 2 brings updates including Blazor component constructor injection, WebSocket compression for Blazor interactive server components, customizing OAuth and OIDC authorization parameters, and configuring HTTP.sys extended authentication flags.
Javarevisited·2yLet’s get Authenticated — Google Sign In
This post provides a full-stack solution for implementing Google Sign In using React.js and Spring Boot. It covers configuring Google APIs and Services, setting up the front-end using React.js, and implementing authentication in the back-end using Spring Boot.
Cerbos·2yThe importance of stateless architecture in authorization systems
Stateless architecture in authorization systems simplifies system deployment, maintenance, and integration. It offers benefits such as scalability, fault tolerance, and simplicity. By using stateless authorization, the application can fetch the necessary state upfront and present it as a token, eliminating the need for external dependencies. Implementing a basic stateless authorization system is straightforward, but best practices for token management, expiration, revocation, and encryption should be followed. Centralized authorization servers and established protocols like OAuth and SAML can enhance security and interoperability.
Community Picks·2yHow to add Supabase Auth to Astro
Integrate Supabase authentication in an Astro project using GitHub OAuth by creating a GitHub OAuth app, configuring it in Supabase, setting environment variables, and adding relevant code for Supabase server and admin instances, middleware for authentication, and login actions. Protect pages by checking user authentication and using redirects as needed.
InfoSec Write-ups·2yOAuth Security: Complete Guide. In this blog, we will uncover the…
OAuth is a popular authorization protocol allowing third-party services to access user resources without revealing credentials. Common vulnerabilities include client secret exposure, CSRF, open redirects, and improper token usage. Security can be enhanced by proper client secret management, using the state parameter for CSRF protection, validating redirect URIs, and ensuring token confidentiality. OAuth 2.0's PKCE provides additional security for public clients without a client secret. OpenID Connect builds upon OAuth for user authentication.
Okta Dev·2yAdd Step-up Authentication Using Angular and NestJS
This post demonstrates how to add step-up authentication to an Angular frontend and NestJS backend using the OAuth 2.0 Step Up Authentication Challenge Protocol. It covers setting up the authentication configuration, guarding routes with step-up authentication, and protecting API resources with the challenge. The post also mentions the possibility of ensuring authentication recency in step-up authentication.
Baeldung·2ySpring Security 6.3 – What’s New
Spring Security 6.3 introduces several key enhancements, including passive JDK serialization support to address issues related to serialization across versions, new authorization features like defining meta-annotations for role management, and the ability to secure return values with the @AuthorizeReturnObject annotation. Additionally, the update includes error handling improvements and compromised password checks using Pwned Passwords API. The update also adds support for OAuth 2.0 Token Exchange, enabling clients to exchange tokens while retaining user identity.
Javarevisited·2yImplementing Robust GraphQL Authentication with Apollo: Leveraging Custom Directives and Plugins for Precise Access Control
GraphQL's single endpoint architecture necessitates a unified access control strategy, unlike REST APIs. Traditional methods of endpoint-specific authentication don't apply. One solution is using custom directives and Apollo plugins to implement fine-grained access control efficiently. These plugins allow centralized authentication mechanisms, support OAuth 2.0 integrations, and offer features like encryption and redaction of sensitive fields. The new authorization plugin provides a reusable framework that simplifies maintaining consistent access policies.
Community Picks·2ySecuring Your APIs: Verifying API Keys And Using Scopes
This post discusses the importance of securing your APIs and provides information on API authentication, API key verification, centralized and decentralized verification methods, OAuth, and user-based permissions for third-party APIs.
