I may have found a way much simpler to handle this : use axios.interceptors.response.eject() to disable the interceptor when I call the /api/refresh_token endpoint, and re-enable it after. The code : /** * Wrap the interceptor in a function, so that i can be re-instantiated */ function createAxiosResponseInterceptor() { const interceptor = axios.interceptors.response.use( (response) => … Read more
You can use this to prevent cookies from being stored and clean cookies already stored: CookieSyncManager.createInstance(this); CookieManager cookieManager = CookieManager.getInstance(); cookieManager.removeAllCookies(callback); cookieManager.setAcceptCookie(false); WebView webview = new WebView(this); WebSettings ws = webview.getSettings(); ws.setSaveFormData(false); ws.setSavePassword(false); // Not needed for API level 18 or greater (deprecated)
There’s another, very secure method. It’s client certificates. Know how servers present an SSL Cert when you contact them on https? Well servers can request a cert from a client so they know the client is who they say they are. Clients generate certs and give them to you over a secure channel (like coming … Read more
First I’d like to emphasize the difference between authentication and authorization: A user authenticates to your web site by supplying some credential such as a username+password. OpenID allows this to be displaced by having the user authenticate to another service, which then asserts the user’s identity to your web site on the user’s behalf. Your … Read more
For this to work with Spring Security 5 and Feign you need to have a working Spring Security config a Feign interceptor a Feign configuration using that interceptor Working Spring Security Config Here we will register a generic internal-api client for your oauth2 client credentials. This is where you specify the client-id,client-secret, scopes and grant … Read more
Having not been able to get Uri.EscapeDataString to take on RFC 3986 behavior, I wrote my own RFC 3986 compliant escaping method. It leverages Uri.EscapeDataString, and then ‘upgrades’ the escaping to RFC 3986 compliance. /// <summary> /// The set of characters that are unreserved in RFC 2396 but are NOT unreserved in RFC 3986. /// … Read more
I found a part of the solution in this blog post: http://leastprivilege.com/2013/10/31/retrieving-bearer-tokens-from-alternative-locations-in-katanaowin/ So I created my own Provider as follows: public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider { public override Task RequestToken(OAuthRequestTokenContext context) { var value = context.Request.Query.Get(“access_token”); if (!string.IsNullOrEmpty(value)) { context.Token = value; } return Task.FromResult<object>(null); } } Then I needed to add it to my … Read more
After digging manually through the configuration classes I was able to find and add the following, which did the trick… security.oauth2.client.pre-established-redirect-uri=https://[application_host]/login security.oauth2.client.registered-redirect-uri=https://[application_host]/login security.oauth2.client.use-current-uri=false I’m not convinced there isn’t a better way to solve the problem of forcing a HTTPS redirect URL, but this fix worked for me.
JWT (RFC7519) is just a compact way to safely transmit claims from an issuer to the audience over HTTP. JWT can be: signed (JWS – RFC7515) encrypted (JWE – RFC7516) signed then encrypted (this order is highly recommended). The whole JWS is the payload of the JWE encrypted then signed. It makes sense to encrypt … Read more
Summary: I would just take the risk and keep the secret in the client app. Proxy server alternative: The only way you can reasonable mitigate the problems I list below and make the proxy-ing work, would be to go the whole nine yards – move all the business logic for dealing with the resources on … Read more