What is the difference between cardReference and token in parameter of
Omnipay
cardReference should always be used by preference. token can sometimes be used as a synonym for cardReference but often means something else, such as in the PayPal gateway "token" is used as an authentication parameter.
Related
I am making an application that generates refresh token that implements JWT token authentication, and I am not sure what format should I use to identify the refresh token. Initially, I thought that it should be in JWT token format, but based on my googling, it seems like it is represented in a UUID or hashed format? Just wondering whether I should make it JWT token format, or it does not matter in the case of refresh token?
Thanks in advance for helping to clarify this issue.
From here https://developer.okta.com/docs/guides/refresh-tokens/main/ refresh token response it shows the refresh token format is not in JWT format.
First decide how you want to model this, which might work like this:
User authenticates (and optionally consents)
Create a delegation to represent the user action
Delegation is stored as a database row
Fields include sub, client_id, refresh_token_hash, scopes_issued, claims_issued, issuance time, expiry time
Subsequent token requests are validated against the persisted state
The hash might be the returned to clients, or they may be given a different identifier. It is a pointer to backend state.
You might also need to implement support for refresh token rotation, revocation, auditing of tokens issued and so on. Consider using an authorization server, as described in RFC6749, to handle this stuff for you.
I created a server that accepts post requests from a 3rd party webhook.
The webhook doesn't allow me to use any type of auth when it sends the request.
The only solution I can think of is passing some sort of token as a query parameter in the webhook so when it hits my server I can find the query parameter and do some type of decryption.
Is this a really bad practice? Also, what type of key would I use for this?
I didn't make such decisions with implicit flow (I know it's not so good to use it), but I currently have situation where I have to validate my access token on backend(Java 8). Is it okay for every request with access token additionally call oidc provider to check if token is active(not revoked, with valid lifetime) or there is more appropriate way how to handle it? Anyway thanks
sorry if this is question is too broad, but I have to ask this since I'm learning web development and I feel if don't ask I won't know.
So, I'm doing authentication using oauth2, and right now I'm already at point where I successfully authenticate user, and now I'm receiving what they call tokens. The question is, how do you use token to authenticate user to your own server?
I'm thinking something like creating a cookie that maps to a token, so when user acts, each time I'll get a cookie and I know that this is user A. Is method like this safe or not? If not, in what way people usually use the token? Although this is only a hobby project, I'd like to be "as real as possible". Any thoughts?
As per my knowledge Oauth2.0 provides InMemoryTokenStore and JdbcTokenStore for persisting tokens. When a request comes from an authenticated user Oauth2.0 will check if it has a valid token already. In case it doesn't it will create one.
Basically usage of tokens depends on the grant-type you are using . Following are the two commonly used grant types -
1) Implicit - The token is send back in the url as a parameter and is included in the subsequent request* in the parameter.
2) Authorization Code - In this case the token is generated and set in the header of the request*.
*the request here is the one which is finally sent to resource server for accessing protected resources.
I think you dont need to create a cookie for storing tokens. In case you are using Authoziation Code grant type which is the default, Oauth2.0 will use session for storing state and code which will be used for retrieving token.
The specification here
http://msdn.microsoft.com/en-us/library/windowsazure/jj710106.aspx
states that the response body contains the "original authentication token". However, even in the example it is different from the one originally sent to the server. What is the difference between these different tokens, why are they called the same and how should they be used?
The documentation is incorrect. The token sent to the service is a Live SDK token; the token returned by the service is an Azure Mobile Services token. It currently wraps the given token, adding more information specific to the mobile service, but that's an implementation detail which can change in the future (in other words, you should always treat the token returned by the call as an opaque blob of data) - as long as you keep passing that token along in subsequent calls, those calls will consider to be authenticated.
I'll pass this information along to the team to have them fix the documentation, thanks for pointing it out.