Are your APIs really secure? Are you sure?

Authors: D. Fett and Dima Postnikov.

D. Fett in OAuth 2

Nov 27, 2020

Improving OAuth App-to-App Security

Native apps are great for mobile OAuth flows. We describe the…

Torsten Lodderstedt in OAuth 2

Jan 9, 2020

Pushed Authorization Requests Draft adopted by OAuth Working Group

Torsten Lodderstedt in OAuth 2

Oct 31, 2019

Nice read.

Ajay Thomas

Thanks. PKCE is not an alternative to code. PKCE is an addition to the code flow to prevent code replay and it is recommended by the OAuth 2.0 Security Guidelines (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.1.1).

Torsten Lodderstedt in OAuth 2

Sep 21, 2019

Rich OAuth 2.0 Authorization Requests

It’s been a while since I blogged about the new challenges arising from open banking and other use cases when it comes to OAuth authorization requests.

Meanwhile, I have been entertaining my ideas with a lot of smart people in the…

1 response

Torsten Lodderstedt in OAuth 2

Jun 30, 2019

But what about client secret?

Pratik Joshi

As I stated, use a public client (i.e. w/o a secret). That’s the same recommendation as for native apps (https://tools.ietf.org/html/bcp212). Clearly, the AS must take this into consideration when determining the level of trust it puts into the client‘s identity.