OMG WTF SSO: A Beginner’s Guide to #SingleSignOn (Mis)configuration, posted 20241126,
by Adina B-O'B,
https://www.youtube.com/watch?v=8iRoAl56uWo
MCP Gets OAuth: Understanding the New Authorization Specification | MCP Dev Days.
https://www.europesays.com/us/95396/ 12,000 Stater Bros. workers authorized to strike after union vote #89YearHistory #Authorization #Ca #california #clerk #Company #friday #Inflation #La #LaborContract #LosAngeles #LosAngeles #SouthernCaliforniaUnion #StaterBros.Worker #store #strike #SupermarketChain #surveilling #Union #UnionVote
OAuth 2.0 Access Tokens and the Principle of Least Privilege | by Andrea Chiarelli.
https://auth0.com/blog/oauth2-access-tokens-and-principle-of-least-privilege/
Here's a new-to-me password spray tool that looks a hell of a lot more functional than Burp Intruder.
Another approach would be if Alice could generate multiple Passkeys and hand them out to individuals she trusts, and then retain the ability to revoke them. Sadly many sites don't yet support Passkeys, and this model still lets someone like Mal revoke Alice's access, so that's not great.
Bitwarden has a feature whereby Alice can share a password with Eve but not let her see it or export it. This could work pretty well, except if the site requires 2FA from an SMS text message (vs TOTP or a token) or if Eve has the know-how to intercept the password.
I still think that what we ultimately want is attenuated scopes because then we can track all actions by the delegated party.
I do wonder if this need is niche or if the current solution of "good faith password sharing" works well enough often enough that it's not risen to the level of concern for developers.
2/2
I've been thinking about delegated authority on websites lately.
It would be convenient if I could delegate certain functions to people, for example allowing someone like my accountant to have access to some of my financial records.
Some organizations make this easy, allowing me to have multiple accounts.
Other services don't offer this, nor do they offer any kind of OAuth type of delegated authorization or capabilities model.
I've been thinking about ways around this.
One very wacky way would be if Alice could have a "special browser" that would tie into some service she runs. Bob would log in with his credentials and then behind the scenes the application logs in as Alice.
This would be very complicated to implement though.
1/
Ann: Launched Open Collective for Ruby OAuth gems (oauth, oauth2, & others)
I've been the primary maintainer of OAuth tools in Ruby since 2017. In this move toward supporting myself with open source work I need your help!
https://opencollective.com/ruby-oauth #Ruby #OAuth #Authorization #Security #OIDC
https://www.europesays.com/us/29617/ Jakarta EE 11 Delivers One New Specification, 16 Updated Specifications and Modernized TCK #Annotations #Architecture&Design #Arts #ArtsAndDesign #Authentication #Authorization #BeanValidation #CDI #Concurrency #Design #Development #Entertainment #JakartaEE #JakartaEe11Updates #Java #Persistence #Security #Servlets #UnitedStates #UnitedStates #US #WebServices #WebSocket
A guide to Ktor JWT auth on the server side
The Ktor documentation for server-jwt is incomplete. If you need to do anything beyond "Hello world", you have to dig into the sources and build workarounds. Don't expect any consistency or predictability; perhaps conspirators were involved. The article covers the necessary basics for working with JWT and will save you from many pitfalls.
Please Don't Write Your Own MCP Authorization Code | by Den Delimarsky.
Trump’s effort, combined thrust of his other #constitutional transgressions, uniquely dangerous. No indication he gave any thought to seeking #congressional #authorization. As self-concerned, immature a commander-in-chief as country has had, he likely acted, as always, out of crass self-interest. #Israel surprisingly successful #bombardment of last week put him in position to be a winner by finishing off the job—very possibly the only thing that was in his #lizard #brain. https://harrylitman.substack.com/p/trumps-strike-on-iran-and-the-constitution
https://www.europesays.com/us/7694/ Spring News Roundup: Spring Vault Milestone, Point Releases and End of OSS Support #AMQP #ApacheKafka #ApachePulsar #Architecture&Design #Arts #ArtsAndDesign #Authorization #Design #Development #Entertainment #Java #OpenSource #SpringBoot #SpringIntegration #SpringModulith #SpringNewsRoundupJun162025 #SpringSecurity #UnitedStates #UnitedStates #US
#Trump faces #bipartisan blowback in #Congress on #Iran strikes Why it matters: While most #congressional #Republicans and some pro-Israel #Democrats are praising President Trump's strikes on #Iranian #nuclear facilities, pockets of #opposition are already emerging over whether he needed congressional #authorization for such a #provocative use of #military #force. Yes, he did need Congressional #authorization... why is there even a question. #warpowers #foreign #policy #retaliation #democracy #war
Mastering API Handling in React & Vanilla JS – One Step at a Time!
This week, I deep-dived into handling APIs in React and Vanilla JavaScript – not just fetching data, but doing it efficiently and securely, which includes: Fetch, CRUD, Query Params, Auth, and AbortController explained
#ReactJS #JavaScript #WebDevelopment #Frontend #APIs #AbortController #Authentication #Authorization #AsyncAwait #LinkedInLearning #100DaysOfCode
https://dev.to/shubhamtiwari909/handling-apis-in-frontend-a-complete-guide-fmo