Just came across this article: Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X, by The Register. Since the news itself did not explain the nature of the attack well enough, I went onto reading the full paper: Xing, Bai, Li, Wang, Chen, Liao: “Unauthorized Cross-App Resource Access on MAC OS X and iOS” […]
Apple forcing developpers to use in-app browser instead of spawning Safari has been known as an extremely insecure practice for sometime. There many reasons that this was a bad practice both from security and usability point of view: An app developers can snatch user’s password No URL bar means user cannot have any visual cue […]
When John, Breno, and I started the OpenID Connect work, one of the target was to make it as simple as putting two files on the client file system and calling a few functions from the calling page. With OpenID Connect, we have actually achieved it. You do not believe? Let me show. Right – […]
OpenID 2.0 to OpenID Connect Migration (aka OID2 to OIDC Migration) is a spec that allows RPs to associate the old OpenID 2.0 identifiers to the new OpenID Connect identifiers without user intervention or extra round trip. The spec has been under development for approximately half a year and has recently gone into WGLC[1]. During […]
So, there has been a flurry of worries induced by the CNET and other articles [1] about “Covert Redirect”. Like Leandro Boffi wrote in his blog post [2], this is not a new attack. It is an attack that has been known for at least 6 years. It is very disappointing that, after this long years, […]
Celebrate! OpenID Connect 1.0 Final is here! After four and half years, or six years if we include the time needed to start the working group, finally, OpenID Connect is released as final. Like I have been explaining many times in this blog, OpenID Connect is something that forms “the identity layer” on the internet. […]
Many people seem to ask for the guidance on which grant / flow to use in OpenID Connect. Here is my straw-man answer. Conditions / Requirement code grant implicit grant hybrid grant Server is not directly reachable from the client x Want less round trip x x Do not want to reveal tokens for better […]
After the Berlin OpenID AB/C WG F2F meeting, I have been trying to refactor the Connect suites into more palatable form. I am supposed to create two sets of the refactored version. One for a granular split version and the other for a monolithic version. Some people like Torsten and Me push for a granular […]
OpenID Connect has many components. Sometimes, it seems confusing what to read for a new reader, or worse, intimidating. Here is a flow chart I created as a guide to a new reader. Hope this is going to be useful. Suggestions are welcome as well.
An OpenID Connect server is just an OAuth 2.0 server on steroids. What it does it to return the ID Token, which contains information about the authentication event for the user at the door, in addition to the Access Token. This article explains how to write a simple OpenID Connect server using an OAuth 2.0 […]