access-token

Store JWT token in cookie

依然范特西╮ submitted on 2019-12-02 22:20:27
This is my setup: 1 authentication server which gives out JWT token on successful authentication. Multiple API resource servers which give information (when the user is authenticated). Now I want to build my ASP.NET MVC frontend. Is it ok to take the token, which I receive after authentication, and put it in a cookie so I can access it with every secured call I need to make? I use the RestSharp DLL for doing my HTTP calls. If it has a security flaw, then where should I store my token? I would use this code for the cookie: System.Web.HttpContext.Current.Response.Cookies.Add(new System.Web

How to save Oauth Access token securely in android

雨燕双飞 submitted on 2019-12-02 21:49:50
I have access token from the server after authentication, let's say "uyhjjfjfgg567f8fhjkkf"; now I want to save it in the device securely. I looked in Keystore and Keychain in android developer sites. I don't clearly understand how it works and how we should retrieve the token from the keystore. KeyPairGenerator kpg = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore"); kpg.initialize(new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .build()); KeyPair

How to produce JWT with Google OAuth2 compatible algorithm RSA SHA-256 using System.IdentityModel.Tokens.Jwt?

南笙酒味 submitted on 2019-12-02 19:46:12
I'm trying to create a JWT to authorize with a service account as described in Google documentation using System.IdentityModel.Tokens.Jwt. I have the following code: byte[] key = Convert.FromBase64String("..."); var certificate = new X509Certificate2(key, "notasecret"); DateTime now = DateTime.UtcNow; TimeSpan span = now - UnixEpoch; Claim[] claims = { new Claim("iss", "email@developer.gserviceaccount.com"), new Claim("scope", "https://www.googleapis.com/auth/plus.me"), new Claim("aud", "https://accounts.google.com/o/oauth2/token"), new Claim("iat", span.TotalSeconds.ToString()), new Claim(

Is there still a way to fetch instagram feed without using access token now (06/2016)?

社会主义新天地 submitted on 2019-12-02 19:33:16
I have an issue that my Instagram API access token keeps expiring frequently and I read the document and understood that although the token wouldn't expire generally, Instagram may decide to expire a token any time for any security reason or whatever reasons. I know that when it expires, I need to set up an authentication process and request for a new token and all those things. But the problem is that my app is just retrieving my own feeds to show on my own website, once the token expires it doesn't make sense to set up such a process, the only thing I can do is to manually retrieve and

Do cookies protect tokens against XSS attacks? [closed]

坚强是说给别人听的谎言 submitted on 2019-12-02 17:11:19
I'm building a JWT-based (JSON Web Token) authentication mechanism for a browser-based Javascript web app, working with a stateless server (no user-sessions!) and I want to know, once and for all, if storing my JWT token in a cookie will protect my token from XSS attacks, or if there is no protection, so there's no real advantage over using browser local storage in my Javascript app. I have seen this question asked and answered in SO and in many blogs, but I've never seen an answer that really satisfies me. This question was originally held on the basis that it solicits opinion - and

JWT and Web API (JwtAuthForWebAPI?) - Looking For An Example

怎甘沉沦 submitted on 2019-12-02 17:11:18
I've got a Web API project fronted by Angular, and I want to secure it using a JWT token. I've already got user/pass validation happening, so I think I just need to implement the JWT part. I believe I've settled on JwtAuthForWebAPI so an example using that would be great. I assume any method not decorated with [Authorize] will behave as it always does, and that any method decorated with [Authorize] will 401 if the token passed by the client doesn't match. What I can't yet figure out is how to send the token back to the client upon initial authentication. I'm trying to just use a magic string

How do I access my Firebase Database via HTTP REST API?

蹲街弑〆低调 submitted on 2019-12-02 15:59:58
Thanks to this answer I am able to connect to Firebase 3 via HTTP REST API and an email/password. Logging in with this API returns an access token that is used to access the Firebase Database. This access token expires after 1 hour. A refresh token is also returned after logging in, which I can use to refresh my access token. Here is what I am doing specifically: Method: POST URL: https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=<my-firebase-api-key> Payload: { email: "<email>", password: "<password>", returnSecureToken: true } Response: { "kind": "identitytoolkit

Implementing an RESTful API Authentication using tokens (Yii/Yii2)

依然范特西╮ submitted on 2019-12-02 14:07:13
I am building an API in Yii 1.x which will be used with a mobile application. Part of the process involves a login (with a username and password) using the following JSON request below:- // Request sent with username & password { "request" : { "model" : { "username" : "bobbysmith", "password" : "mystrongpassword" } } } // If successfully logged in return the following response { "response": { "code": 200, "message": "OK", "model": { "timestamp": 1408109484, "token": "633uq4t0qdtd1mdllnv2h1vs32" } } } This token is quite important - once a user is logged in on the app I'd like them to have

What is the difference between OAuth based and Token based authentication?

荒凉一梦 submitted on 2019-12-02 14:00:56
I thought that OAuth is basically a token based authentication specification but most of the time frameworks act as if there is a difference between them. For example, as shown in the picture below Jhipster asks whether to use an OAuth based or a token based authentication. Aren't these the same thing? What exactly is the difference since both include tokens in their implementations? This is a good question -- there is a lot of confusion around tokens and OAuth. First up, when you mention OAuth, you are likely referring to the OAuth2 standard. This is the latest version of the OAuth

Using the YouTube v3 Data API for .NET, how is it possible to get a refresh token?

我的梦境 submitted on 2019-12-02 13:44:33
I need to be able to use a refresh token to be able to re-authenticate a token after the access token has expired. How can I do this using the C# v3 API? I've looked at the UserCredential class and AuthorizationCodeFlow class and nothing is jumping out at me. I'm using the following code to authenticate it originally. var result = await new AuthorizationCodeMvcApp(this, new AppFlowMetadata()). AuthorizeAsync(CancellationToken.None); if (result.Credential != null) { var service = new YouTubeService(new BaseClientService.Initializer { HttpClientInitializer = result.Credential, ApplicationName =