API Security Weekly: Issue 161

This week, we have details of a vulnerability in the AI platform Wipro Holmes Orchestrator, allowing the download of arbitrary files via path manipulation. There's also a new report from researcher Alissa Knight on vulnerabilities in banking, cryptocurrency exchange, and FinTech APIs; an article on the impact of a shift-left approach for API security; and 31 tips for improving API security.

Vulnerability: Arbitrary File Download in Wipro Holmes Orchestrator

This week saw the disclosure of a vulnerability in the AI platform Wipro Holmes Orchestrator, described in this disclosure and tracked as CVE-2021-38146, that allowed arbitrary files to be downloaded through path manipulation.
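
The bug class is worth a closer look from the defender's side. The snippet below is an added illustration, not code from Holmes Orchestrator (whose affected code is not reproduced on this page): it contrasts the weak join-and-serve pattern behind most arbitrary-file-download flaws with a containment check that canonicalises the requested path before serving it. The base directory is a constructed placeholder.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed placeholder directory, not a path taken from the advisory.
BASE_DIR = Path("/srv/reports")


def resolve_unsafe(user_path: str) -> Path:
    """The pattern behind most arbitrary-file-download bugs: the request
    parameter is joined onto the base directory and served as-is."""
    # os.path.join discards BASE_DIR entirely when user_path is absolute,
    # and '..' segments walk out of it; nothing here checks the result.
    return Path(os.path.join(BASE_DIR, user_path))


def resolve_safe(user_path: str, base: Path = BASE_DIR) -> Optional[Path]:
    """Return the file to serve, or None if the request escapes the base.

    Assumes user_path has already been fully URL-decoded by the web
    framework; the check must run on the decoded value, not the raw query."""
    try:
        base_real = base.resolve()
        # Path('/srv/reports') / '/etc/passwd' == Path('/etc/passwd'), so the
        # join itself is no defence; only the containment check below is.
        candidate = (base_real / user_path).resolve()
    except (ValueError, OSError):
        # e.g. an embedded NUL byte, or a component that cannot be resolved
        return None
    # resolve() has collapsed '..' and followed symlinks, so comparing
    # ancestors is now meaningful. `parents` excludes the path itself, which
    # also rejects an empty name that would point at the base directory.
    if base_real not in candidate.parents:
        return None
    return candidate


def classify(user_path: str) -> str:
    """Label a request the way an access log or detection rule would."""
    return "allowed" if resolve_safe(user_path) is not None else "rejected"
```

Logging the `rejected` outcome with the raw request value gives a cheap detection signal for traversal attempts against any file-download endpoint.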

OAuth 2.0 vs Session Management

There seems to be a lot of misinformation about when OAuth 2.0 (henceforth referred to as OAuth) is appropriate. Many developers confuse OAuth with web session management and so end up using the wrong protocol or set of technologies, which in turn leads to security issues. This article clarifies when to use a regular session management solution and when to use one of the OAuth flows.

The Most Important Difference

Ideally, we would like all authenticated communication to be long-lived, since that gives the best user experience. The difference between user session management and OAuth lies in the level of trust between the communicating parties.