oauth-2.0

How to log out using PKCE authorization flow?

不问归期 submitted on 2021-01-29 08:40:37
Question: If I have an app and an API. If the app logs in through the authorization server and sends the authorization: Bearer xxx header with each request, the API can verify the token locally. When the user logs out (through the auth server) but the token has not yet expired, if someone retrieves this token they will be able to make requests (if the authentication of the token is done locally on the server), is that correct? If that's the case, why is such a logout flow considered secure? Edit:

Using the google sheets api after completing quickstart tutorial

狂风中的少年 submitted on 2021-01-29 08:25:12
Question: I'm pretty new to Android app development, so please forgive my naivety. I'm currently trying to develop an app that can pull data from a Google spreadsheet and write data to it. I've completed the quickstart tutorial, so my code is the same as that right now. It all works correctly. My issue is I need to be able to read from my own spreadsheet and I don't really understand the code used, so I'm struggling to know where to start. I've looked at this to try and implement the authorisation in

How to add roles claim in access_token , currently it is coming in id_token?

若如初见. submitted on 2021-01-29 07:22:12
Question: I am following the Authorization code flow with PKCE and my Identity provider is Azure Active Directory. I have created an App, "client-app", from App Registrations. In the manifest I have added appRoles like the following. "appRoles": [ { "allowedMemberTypes": [ "User" ], "displayName": "StoreGroupManager", "id": "47fbb575-859a-4941-89c9-0f7a6c30beac", "isEnabled": true, "description": "Consumer apps have access to the consumer data.", "value": "StoreGroupManager" } ] I am assigning this role

How to resubmit for google oauth verification if changes in scope without disturbing the production

久未见 submitted on 2021-01-29 07:06:04
Question: I have my Gmail extension running successfully with a good number of users. Now I've added some new functionality to it which requires some additional restricted Gmail permissions. As this is an extension, if I deploy new changes to it without verification of the new scope, users (new and old) who use the new functionality of the extension will see an unverified consent screen. So, I want to know if it's possible to submit a dev or test app for OAuth verification, while using production

How can I access a mailbox with restricted permissions through EWS without interactive login?

淺唱寂寞╮ submitted on 2021-01-29 06:47:26
Question: We need to read out distribution lists from a contact folder of a dedicated Exchange/Outlook mailbox (O365). The process must run as a service with no user interaction. Unfortunately the Graph API does not support distribution lists (not even the Graph beta version does). Because of this we have to use another API - I tried using EWS. I succeeded by granting the full_access_as_app permission to our service. However, this allows reading and modifying ANY data in ANY mailbox, which is a security risk.

How to disable magic number using OAuthPrompt in bot framework V4

筅森魡賤 submitted on 2021-01-29 05:40:22
Question: I had implemented authentication in my bot application by referring here. I had successfully implemented it and am able to sign in, but the application is authenticating the user using a magic number. Isn't there any way to disable the magic number? Note: I had created the bot application using Bot Framework V4 Answer 1: There have been improvements to the channels to support new authentication features, such as new WebChat and DirectLineJS libraries to eliminate the need for the 6-digit magic code verification. You can

Should old OAuth 2.0 refresh tokens be revoked

拥有回忆 submitted on 2021-01-29 02:30:55
Question: In principle, should any existing OAuth 2.0 refresh tokens (for a given client/user combination) be revoked when a new refresh token is issued following a password grant authentication? I can't find anything specific in the spec. Would it be legitimate to reissue the same refresh token for subsequent password logins? Answer 1: The OAuth Spec section-6 specifies that: The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it

Spring Boot - set default HTTP Oauth2Login() registration/provider

时光怂恿深爱的人放手 submitted on 2021-01-29 01:55:43
Question: New to Spring Boot and I'm working on an application that already had some OAuth2 authentication done for signing in with Azure. I was tasked with setting up some auth for another API and now I have two registrations (client id/secret/grant-type) in my application-local.properties . spring.security.oauth2.resource.jwk.key-set-uri=xxxxxxxx spring.security.oauth2.client.registration.azure.client-secret=xxxx spring.security.auth2.client.registration.azure.client-id=xxxxx spring.security.oauth2

OneDrive OAuth 2.0 and Postman Sanity Check

牧云@^-^@ submitted on 2021-01-28 23:32:52
Question: I am trying to generate an OAuth Token for OneDrive by using Postman. I just wanted to ask for clarification as to what the Auth URL, Access Token URL and scope would be? I have tried it with: Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token Scopes: wl.signin However, I keep getting an error that the scope is not correct. Just for a sanity check, are these the correct settings? Answer 1: Please refer

OneDrive OAuth 2.0 and Postman Sanity Check

二次信任 submitted on 2021-01-28 21:41:19
Question: I am trying to generate an OAuth Token for OneDrive by using Postman. I just wanted to ask for clarification as to what the Auth URL, Access Token URL and scope would be? I have tried it with: Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token Scopes: wl.signin However, I keep getting an error that the scope is not correct. Just for a sanity check, are these the correct settings? Answer 1: Please refer