
Questions tagged [authorization]

Authorization is the process of determining whether a user, program or device is allowed to access a protected resource in a particular way. Not to be confused with authentication.

0 votes
1 answer
63 views

I'm trying to understand the Authorisation Code flow in OAuth and I'm confused about how CSRF would happen; specifically, I don't think I understand how the flow actually works. Here's a diagram of ...
asked by AS3
0 votes
1 answer
105 views

(Security non-expert here) Use case: you have a simple single-page web app where users can download files. The page uses JWT tokens for authorization. Only certain users should be able to access ...
asked by DarkTrick
1 vote
0 answers
82 views

A recurring problem when implementing authorisation checks using procedural code is that you end up duplicating a lot of checks across your codebase and it is easy to forget to apply a check, or ...
asked by Polynomial
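One way to make the check impossible to forget, as an added example that is not part of the question above: every (resource, action) pair lives in a single deny-by-default policy table, and a decorator is the only place that consults it, so a handler without a policy entry fails closed instead of silently allowing. The resource names, roles and the `Forbidden` exception are assumptions chosen for illustration.

```python
"""Centralised authorization: one policy table, one enforcement point.

Added example, not from any of the listed questions. Resource names,
roles and the Forbidden exception are assumptions for illustration.
"""
from dataclasses import dataclass, field
from functools import wraps


class Forbidden(Exception):
    """Raised when the policy denies the action."""


@dataclass
class Principal:
    user_id: str
    roles: set = field(default_factory=set)


# Single source of truth: (resource, action) -> predicate(principal, target).
# Anything not listed here is denied, so a forgotten entry fails closed.
POLICY = {
    ("document", "read"):   lambda p, doc: doc["owner"] == p.user_id or "auditor" in p.roles,
    ("document", "delete"): lambda p, doc: doc["owner"] == p.user_id or "admin" in p.roles,
}


def is_allowed(principal, resource, action, target):
    """The only decision function; callers never re-code the rules."""
    rule = POLICY.get((resource, action))
    if rule is None:
        return False          # deny by default
    return bool(rule(principal, target))


def authorize(resource, action):
    """Decorator: a handler declares what it needs instead of checking itself."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal, target, *args, **kwargs):
            if not is_allowed(principal, resource, action, target):
                raise Forbidden(f"{principal.user_id} may not {action} {resource}")
            return fn(principal, target, *args, **kwargs)
        return wrapper
    return decorator


@authorize("document", "read")
def read_document(principal, doc):
    return doc["body"]


@authorize("document", "delete")
def delete_document(principal, doc):
    return f"deleted {doc['id']}"


@authorize("document", "share")   # no policy entry exists, so this is always denied
def share_document(principal, doc):
    return "shared"
```

With a policy table like this, an audit of "which actions are protected, and how" is a read of one dictionary rather than a grep across every handler, and a new handler that forgets its policy entry breaks visibly in testing instead of shipping open.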
3 votes
2 answers
780 views

Quick Context: I often come across videos where people build apps using SQL database services alongside serverless functions (like AWS Lambda, Vercel, and others) without setting up a VPC to keep the ...
asked by Vitor Figueredo Marques
5 votes
2 answers
1k views

There are database services offering access to the database via a HTTPS API, such as Neon and Algolia. This is great for serverless environments, but from a security standpoint, I’m curious if this ...
asked by Vitor Figueredo Marques
0 votes
1 answer
91 views

My understanding is that the OAuth Authorization Code Flow is used to avoid exposing the access token from the User Agent. But why? I was reading this article (Common OAuth Vulnerabilities) by ...
asked by Michael Altfield
0 votes
1 answer
138 views

Why would an OAuth implementation choose to use the Authorization Code Grant -- when it means that the access tokens are leaked to a third party? I've been using API keys for a package on my server to ...
asked by Michael Altfield
0 votes
0 answers
114 views

What questions should I ask to determine if a given OAuth implementation is secure? I've been using a wordpress plugin for payments that authenticates with the payment gateway with an API key. I like ...
asked by Michael Altfield
1 vote
1 answer
100 views

Basically I am doing a GET on this URL from SAP: https://www.thirdparty.be/webservices.php?m=get_private_information&o=json&u=username&p=password The third party webservice does use IP-...
asked by Gerben Spoorwegen
3 votes
1 answer
380 views

I am studying the security considerations chapter of oauth2 RFC 6749, but I am a bit confused about Authorization Code Redirection URI Manipulation paragraph 10.6: "When requesting ...
asked by Lorenzo Maselli
2 votes
2 answers
158 views

Scenario: A user logs in to a web application and receives a JWT Token. The Token Service looks up user roles and adds them to the JWT Claims and all necessary signatures to the token. When the ...
asked by Iftikhar Ali
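Both the file-download question (JWT tokens for authorization) and the question above (roles placed in the JWT claims by a token service) come down to the same point: the resource server may act on the role claim only after it has verified the signature, pinned the algorithm and checked expiry, because the payload itself is just base64 that anyone can edit. The following added example, which is not code from either question or from any JWT library, does an HS256 verify with the standard library and shows a re-written `roles` claim being rejected. The secret, the claim names `sub`, `roles` and `exp`, and the `admin` role are assumptions.

```python
"""Verify an HS256 JWT and only then trust its role claims.

Added example, not from the listed questions or from any JWT library.
The secret, the claim names (sub, roles, exp) and the role "admin" are
assumptions; the standard library is all it uses.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, secret: bytes) -> str:
    """Token service side: sign header.payload with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Resource server side. Returns the claims only if the algorithm is the
    one we expect, the signature matches and the token has not expired;
    raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; the header never chooses it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= current:
        raise ValueError("expired")
    return claims


def can_download(token: str, secret: bytes, file_owner: str, now=None) -> bool:
    """Authorization decision for one file: the owner or anyone holding
    the (assumed) admin role, and only from a token that verified."""
    try:
        claims = verify_token(token, secret, now)
    except ValueError:
        return False
    return claims.get("sub") == file_owner or "admin" in claims.get("roles", [])


def tamper_roles(token: str, roles: list) -> str:
    """What an attacker without the key can do: rewrite the payload and
    keep the old signature. verify_token must reject the result."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["roles"] = roles
    new_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{new_payload}.{s}"
```

The `now` parameter exists so the expiry check can be exercised deterministically; in production leave it unset. Note that nothing here revokes a token before `exp`: a role removed in the database stays in every JWT already issued until it expires, which is the usual argument for short lifetimes or a server-side lookup for sensitive actions.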
0 votes
0 answers
135 views

I want to provide authorization for our native application. Requirements are like: It is a to-customer product. All features are integrated in the software provided to customer, like product = {...
asked by user3059627
1 vote
2 answers
154 views

In the OAuth2 authorization code grant, in the case of a public client, what is the point of exchanging the authorization code for a token, rather than issuing a token directly?
asked by Mr. B
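The CSRF question, the two questions about why the Authorization Code grant keeps the access token away from the user agent, and the question above about why a public client bothers exchanging a code all concern the same three mechanisms: `state` ties the redirect back to the browser session that started it, PKCE ties the code to the client instance that started it, and the token itself is only ever returned on the back-channel code exchange. The following added example is not code from any of those questions or from any OAuth library; it simulates authorization server and client in one process, with the client id, redirect URI and in-memory stores as assumptions, and shows a CSRF'd callback and a code stolen from the front channel both failing.

```python
"""Authorization code flow with state (anti-CSRF) and PKCE, simulated in-process.

Added example, not from the listed questions or from any OAuth library.
Client id, redirect URI and the in-memory stores are assumptions.
"""
import base64
import hashlib
import secrets


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def s256(verifier: str) -> str:
    """PKCE S256 challenge = base64url(sha256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode()).digest())


class AuthorizationServer:
    def __init__(self):
        self.codes = {}    # code -> {client_id, redirect_uri, challenge, user}
        self.tokens = {}   # access token -> user

    def authorize(self, client_id, redirect_uri, code_challenge, user):
        """Front channel: after consent, a short-lived code goes back via redirect.
        Only the code crosses the browser, never the token."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri,
                                challenge=code_challenge, user=user)
        return code

    def token(self, code, client_id, redirect_uri, code_verifier):
        """Back channel: one-time code exchange, bound to client, redirect URI
        and the PKCE verifier. A code seen in a URL is useless without the verifier."""
        rec = self.codes.pop(code, None)          # pop: a replayed code fails
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        if not secrets.compare_digest(s256(code_verifier), rec["challenge"]):
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = rec["user"]
        return tok


class Client:
    CLIENT_ID = "spa-client"                  # assumed public client
    REDIRECT_URI = "https://app.example/cb"   # assumed

    def __init__(self, authz):
        self.authz = authz
        self.sessions = {}   # browser session id -> {state, verifier}

    def start_login(self, session_id):
        """Step 1: mint state and a PKCE verifier, keep both in this browser's
        session, send the browser to the AS with state and the challenge."""
        verifier = secrets.token_urlsafe(32)
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state, "verifier": verifier}
        return {"client_id": self.CLIENT_ID, "redirect_uri": self.REDIRECT_URI,
                "state": state, "code_challenge": s256(verifier)}

    def callback(self, session_id, code, state):
        """Step 3: the browser lands on the redirect URI. A CSRF'd callback
        carries someone else's code and state, so the state check fails and
        the victim's session is never bound to the attacker's account."""
        sess = self.sessions.pop(session_id, None)   # state is single-use
        if sess is None or not secrets.compare_digest(sess["state"], state):
            return None
        return self.authz.token(code, self.CLIENT_ID, self.REDIRECT_URI, sess["verifier"])


def honest_login(authz, client, session_id, user):
    """Complete flow for one browser; returns the access token."""
    req = client.start_login(session_id)
    code = authz.authorize(req["client_id"], req["redirect_uri"], req["code_challenge"], user)
    return client.callback(session_id, code, req["state"])


def csrf_attack(authz, client, victim_session):
    """Attacker runs their own authorization step, then gets the victim's
    browser to hit the callback with the attacker's code and state."""
    req = client.start_login("attacker-session")
    attacker_code = authz.authorize(req["client_id"], req["redirect_uri"],
                                    req["code_challenge"], "attacker")
    return client.callback(victim_session, attacker_code, req["state"])
```

Read against the questions: the token in `AuthorizationServer.tokens` is created only inside `token()`, which the client calls directly, so a referrer header, browser history or a logging proxy on the redirect sees at most a code. For a public client the exchange is still worth doing because of `code_verifier`: a code captured from the redirect (or injected by a malicious app registered for the same URI scheme) cannot be redeemed by anyone who does not also hold the verifier that stayed in the client's memory.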
2 votes
1 answer
378 views

In the oauth2 authorization code grant flow, if the client is not a web application, but rather a mobile application, how can the authorization server redirect to the client?
asked by Mr. B
1 vote
0 answers
196 views

I’ve been using the Microsoft ASP.NET Identity Library. It’s a basic authentication and authorization system that is a DLL that stores everything in my app’s DB. It has screens for forgotten password, ...
asked by David Thielen
