JSON Web Token – why is the payload public?
I can’t understand the reasoning for making the claims/payload of a JWT publicly visible after base64 decoding it.
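The point behind the question, as an added example (not code from the question or any answer on the page): a JWT is signed, not encrypted. Anyone holding the token can base64url-decode the claims with no key at all, but changing even one claim invalidates the signature, and only a party holding the key can check that. The helper names, the HS256 key and the claims are assumptions constructed for the demo; a production verifier would use a vetted JWT library and also check exp, iss and aud.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; in production it lives server-side and never ships to clients.
DEMO_KEY = b"server-side-hmac-secret-never-shipped-to-clients"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT drops the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_json(header)) + "." + b64url_encode(_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_claims_unverified(token: str) -> dict:
    """What the questioner is worried about: anyone can do this, no key involved."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature is valid; None otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None  # refuse "none" and any algorithm we did not issue
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def tamper_payload(token: str, new_claims: dict) -> str:
    """Simulate an attacker rewriting the (readable) claims but keeping the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    return ".".join([header_b64, b64url_encode(_json(new_claims)), sig_b64])


if __name__ == "__main__":
    token = sign_jwt({"sub": "alice", "role": "user"}, DEMO_KEY)
    print("readable by anyone:", read_claims_unverified(token))
    forged = tamper_payload(token, {"sub": "alice", "role": "admin"})
    print("forged claims decode fine:", read_claims_unverified(forged))
    print("but verification rejects them:", verify_jwt(forged, DEMO_KEY))
```

The takeaway for the question: confidentiality is not what the signature buys you. Put nothing secret in the claims; if you need that, encrypt the token (JWE) or keep the sensitive data server-side and put only an identifier in the JWT.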
Cannot verify JWT
I have a problem and am looking forward to everyone's help.
RefreshToken Save or Not Save
Generally, in an application, the refresh token that is issued is stored in Redis or another DB system.
Are authorization tokens needed to verify a user on a captive portal?
I’m developing a captive portal. There is a website, there is a server on Node.js/Express, there is FreeRADIUS.
Question: Is it necessary to somehow protect the user account? For example, use tokens (refresh, access) to check the session on the site? Or am I already suffering from bullshit?
OWASP Broken Access Control by example: preventing users from reading/writing data that isn’t theirs
I have experience building RBAC-based authorization mechanisms, and understand the theory behind ACLs (DAC?) though I’ve never had the need to implement them.
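The check the question title asks about, as an added example (not code from the question or any answer): role checks alone do not stop a logged-in user from reading or writing another user's record, because the object id comes from the client. The vulnerable handler is shown beside the hardened one, which decides per object from the owner plus a small per-document share list (the ACL/DAC flavour the question mentions). The document table, user names and function names are constructed for the demo.

```python
from typing import Optional

# Constructed sample data standing in for a database table.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's notes", "shared_with": set()},
    2: {"owner": "bob", "body": "bob's notes", "shared_with": {"carol"}},
}


class Forbidden(Exception):
    pass


def get_document_vulnerable(current_user: str, doc_id: int) -> Optional[dict]:
    """Broken access control: the caller is authenticated, but the handler never
    asks whether *this* user may see *this* object. Any logged-in user can walk
    doc_id=1,2,3,... and read everyone's data (insecure direct object reference)."""
    return DOCUMENTS.get(doc_id)


def _can_read(current_user: str, doc: dict) -> bool:
    # Owner always reads; anyone on the document's share list reads too.
    return doc["owner"] == current_user or current_user in doc["shared_with"]


def _can_write(current_user: str, doc: dict) -> bool:
    # Only the owner writes; sharing grants read, not write.
    return doc["owner"] == current_user


def get_document(current_user: str, doc_id: int) -> dict:
    """Hardened: load, then authorize against the object, on every request."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not _can_read(current_user, doc):
        # Same error for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden(f"no access to document {doc_id}")
    return doc


def update_document(current_user: str, doc_id: int, body: str) -> dict:
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not _can_write(current_user, doc):
        raise Forbidden(f"no write access to document {doc_id}")
    doc["body"] = body
    return doc


def list_documents(current_user: str) -> list:
    """Scope listings by the caller; never accept an owner filter from the client."""
    return sorted(i for i, d in DOCUMENTS.items() if _can_read(current_user, d))


if __name__ == "__main__":
    print("vulnerable: alice reads bob's doc ->", get_document_vulnerable("alice", 2))
    try:
        get_document("alice", 2)
    except Forbidden as e:
        print("hardened:", e)
    print("carol sees:", list_documents("carol"))
```

The pattern is the same whatever the storage: fetch by id, then check the relationship between the caller and that specific row (or push the owner filter into the query itself), and do it in one shared function so no handler can forget it.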
What are the advantages of refresh token?
A good auth system contains access and refresh tokens. I know what access tokens are for and I know what refresh tokens DO – but I don’t understand their meaning.
For example:
If I authenticate myself successfully to an API, then I get an access token and a refresh token. If a bad guy steals my access code, he can access the API for maybe the next 5 minutes or so. But if he steals my refresh token, which maybe expires in 6 months, he can give himself a new access token every time and so he can stay in the system longer.
So what are the advantages of refresh tokens? I don’t see them.
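The trade-off the question describes, as an added example (not code from the question or any answer on the page): the access token is verified statelessly from a key and the clock, so it can be checked on every request without a database hit, and a stolen one dies on its own after the 5-minute lifetime from the question. The refresh token is an opaque random value kept in a server-side store (the Redis/DB table another question on this page mentions), so it can be revoked, and rotating it on each use lets the server notice when an old copy is replayed. The in-memory dict standing in for Redis, the signing key, the token formats and the rotation/reuse-detection policy are assumptions of this demo, not something the question states.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ACCESS_TTL = 5 * 60             # 5 minutes, as in the question
REFRESH_TTL = 180 * 24 * 3600   # roughly 6 months, as in the question
DEMO_KEY = b"constructed-demo-access-token-key"

# Stand-in for the Redis/DB table: refresh token -> record. Constructed for the demo.
REFRESH_STORE = {}
# Token families (one per login) that have been killed by logout or reuse detection.
REVOKED_FAMILIES = set()


def _mint_access(sub: str, now: int) -> str:
    """Stateless access token: 'sub|exp|hmac' (demo format, subject must not contain '|')."""
    exp = now + ACCESS_TTL
    tag = hmac.new(DEMO_KEY, f"{sub}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{sub}|{exp}|{tag}"


def check_access(token: str, now: int) -> Optional[str]:
    """Resource server side: key + clock only, no store lookup, no revocation."""
    try:
        sub, exp, tag = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(DEMO_KEY, f"{sub}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag) or now >= int(exp):
        return None
    return sub


def _issue_refresh(sub: str, family: str, now: int) -> str:
    rt = secrets.token_urlsafe(32)
    REFRESH_STORE[rt] = {"sub": sub, "family": family, "exp": now + REFRESH_TTL, "used": False}
    return rt


def login(sub: str, now: int) -> Tuple[str, str]:
    """Successful authentication returns one access token and one refresh token."""
    family = secrets.token_hex(8)
    return _mint_access(sub, now), _issue_refresh(sub, family, now)


def refresh(rt: str, now: int) -> Optional[Tuple[str, str]]:
    """Exchange a refresh token for a new pair; the presented token is single-use."""
    rec = REFRESH_STORE.get(rt)
    if rec is None or now >= rec["exp"] or rec["family"] in REVOKED_FAMILIES:
        return None
    if rec["used"]:
        # Rotation reuse: this token was already exchanged once. Either the real
        # client or a thief is replaying it, so kill the whole family (both lose).
        REVOKED_FAMILIES.add(rec["family"])
        return None
    rec["used"] = True
    return _mint_access(rec["sub"], now), _issue_refresh(rec["sub"], rec["family"], now)


def revoke(rt: str) -> bool:
    """Logout / 'sign out everywhere': possible because refresh tokens are server-side state."""
    rec = REFRESH_STORE.pop(rt, None)
    if rec is None:
        return False
    REVOKED_FAMILIES.add(rec["family"])
    return True


if __name__ == "__main__":
    t0 = 1_700_000_000
    at, rt = login("alice", t0)
    print("access ok at +1 min:", check_access(at, t0 + 60))
    print("access after 5 min:", check_access(at, t0 + ACCESS_TTL))
    at2, rt2 = refresh(rt, t0 + 600)
    print("replay of old refresh token:", refresh(rt, t0 + 700))
    print("rest of the family after replay:", refresh(rt2, t0 + 800))
```

So the advantage is not that the refresh token is harder to steal; it is that the long-lived credential is the one the server can see, count, rotate and revoke, while the credential presented on every API call stays cheap to check and short-lived. If a refresh token cannot be revoked and is never rotated, the question's objection stands.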
How to handle Authorized & Non-Authorized Routes in Microservices with Tokens
Context: Suppose there is an e-commerce microservice architecture with the format: In summary, a client will contact the Auth Service / Identity Service to receive a token. It passes the token to the API gateway, which verifies the token and forwards the request. That being said, there are services that need to be accessed […]