Vercel is advising Google Workspace administrators and Google account owners to check for the following application: OAuth App: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
大多数人认为企业安全事件主要影响企业自身系统,但作者指出这次事件实际上要求普通Google Workspace管理员检查特定应用,这挑战了'企业安全事件仅影响企业内部'的常见认知,表明第三方应用的安全风险可能广泛影响普通用户。
Refresh tokens are bearer tokens. It's impossible for the authorization server to know who is legitimate or malicious when receiving a new access token request. We could then treat all users as potentially malicious.
But what about a Refresh Token flow? When using a refresh token, confidential clients also have to authenticate. Public clients, such as browser-based applications, do not authenticate during the Refresh Token flow. So in a typical frontend application, refresh tokens issued to frontend web applications are bearer tokens. In practice, this means that if an attacker manages to steal a refresh token from a frontend application, they can use that token in a Refresh Token flow. To counter such attacks, the OAuth 2.0 specifications mandate that browser-based applications apply a security measure known as refresh token rotation.
A combination of good cross-site scripting hygiene, a secure HTTP only cookie for authentication and a CSRF token is a good combination for building a secure ecosystem for your PWA and web API.
OAuth can be many things. It is most commonly used to allow an application (the consumer) to access data or services that the user (the resource owner) has with another service (the provider), and this is done in a way that prevents the consumer from knowing the login credentials that the user has with the provider
For each call to your API, user should send token with every API request and you should validate the encoded toke and either deny or send back the response.
Application credentials provide the required information about the caller making a request to a GCP API. Valid credential types include API keys, OAuth 2.0 client credentials, or service account keys.
it's not that there are new vulnerabilities that have been identified in the implicit flow, just that PKCE offers a more secure alternative that you should use if you have the option
Use PKCE instead of the implicit flow if you have a chance
PKCE (which stands for "Proof Key for Code Exchange" and is pronounced "pixie") was originally developed to solve a problem specific to native mobile apps using OAuth 2.0
PKCE (Proof Key for Code Exchange) is an extension to OAuth 2.0
While this has worked and continues to work for a wide range of web applications, security experts had (and continue to have) concerns that it leaves open some potential attack vectors
Implicit flow is still simple and very secure
click a button that says "Sign in with GitHub." I am then sent to GitHub to sign in and, if this is my first time, grant permissions
The Implicit flow: