according to https://darutk.medium.com/diagrams-of-all-the-openid-connect-flows-6968e3990660
there are two access tokens, one from Authorization endpoint and one from Token endpoint, which is kind of hybrid flow.
I have two questions (the…
we know that we need to pass both client_id and redirect_uri in the authorization request.
https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-1-get-the-users-permission
But isn’t that client app already registered its redirec…
I am trying to implement "Login with Google/Apple etc…" on a web platform and I can’t wrap my head around how you can trust the response that supposedly comes from the resource server owned by these platforms.
For comparison, w…
In Kubernetes clusters, we often wish to provide temporary credentials to the containerised processes running in a particular pod, usually marked by associating the pod with a service account.
Recently (in late 2023) AWS introduced "…
When searching for information about Openid Connect, I read some confusing, incorrect claims about it. Since others may see results indicating an incorrect answer to the question of whether Openid Connect is obsolete, I am asking it here. …
I’m working within a spec that uses the OpenID Connect third party initiated login + implicit flow. I first have to register my application with the third party, providing them a login initiation url, redirect uri, target link uri. Then th…
I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a react SPA and a .net API, on the same domain. This web app is a case management solution that deals with medical data, running in a private ne…
I’m exploring the possibility of implementing OpenID Connect (OIDC) with an HTTP-only cookie to keep my frontend code completely authentication-agnostic, instead of passing the Authorization header around through Javascript code.
The idea …
In the OpenID Connect "authorisation-code flow" what security vulnerability is exposed, if the application relies on claims in the ID Token without validating that token?
For example, Google suggests that validating the token is …
I have several apps connected to a single Identity Provider, which allows a Single SignOn experience for our users, and requires also a Single LogOut one.
For the logout, any app will start the logout request, calling the Identity Provider…
