Posts tagged 'oauth'

  • Announcing FusionAuth 1.43

    Announcing FusionAuth 1.43
    Dan Moore  |  Feb 16th, 2023

    FusionAuth version 1.43 shipped on February 15, 2023. This release includes the unification of SAML SP initiated and IdP initiated login configurations, enhanced support for PostgreSQL 15, options to relax SAML security measures to ease migration, and adds support for wildcards in redirect URLs. And more!

    READ MORE
  • What happens to the tokens after an OAuth Authorization Code grant?

    What happens to the tokens after an OAuth Authorization Code grant?
    Dan Moore  |  Jan 19th, 2023

    At the end of the OAuth Authorization Code grant, after a user presents their credentials at login, a code is returned which can be exchanged for one or more tokens at the token endpoint.

    These tokens include an access token, an optional refresh token, and an optional id token. The access token is used to get access to different APIs and protected resources. The refresh token lets you mint new access tokens, and the id token is used by the client to display information about the user.

    READ MORE
  • Is the OAuth Device grant right for your game authentication needs?

    Is the OAuth Device grant right for your game authentication needs?
    Success Ologunsua  |  Sep 1st, 2022

    The OAuth device authorization grant is an extension of OAuth 2.0. Because OAuth is an authorization protocol, it enables users to gain access to an application or device by allowing it to use account information from another application or device.

    READ MORE
  • Why is there no authentication in OAuth?

    Why is there no authentication in OAuth?
    Dan Moore  |  Jun 14th, 2022

    OAuth, a standard for securely delegating authorization information, and OIDC, a profile written on top of it to securely transmit user profile data, both rely heavily on authentication of the user (also known as the ‘resource owner’) at the authorization server. The authorization server issues tokens only after the user has been authenticated to its satisfaction.

    However, there is next to no guidance about how to actually authenticate the user. Should I use a username and password? A magic link? Delegate to a third party? Require a TOTP code?

    This question came up in a discussion amongst the FusionAuth team and I thought it was worth digging into a bit more.

    Why exactly is ‘authentication’ undefined in OAuth/OIDC?

    READ MORE
  • How to Set Up Single Sign-On Between FusionAuth and WordPress

    How to Set Up Single Sign-On Between FusionAuth and WordPress
    Aniket Bhattacharyea and Michael Roth  |  Dec 6th, 2021

    User authentication is one of the most important parts of building any application, and almost every application features some sort of authentication. However, it quickly gets difficult to manage authentication when you have multiple related but independent applications to maintain.

    READ MORE
  • CurrentDesk saved thousands of dollars by choosing FusionAuth

    CurrentDesk saved thousands of dollars by choosing FusionAuth
    Dan Moore  |  Jul 29th, 2021

    Brittany Roddy is a FusionAuth community member and lead software engineer and architect at CurrentDesk. She chatted with us over email about how she and her team are using FusionAuth to meet their auth needs.

    READ MORE
  • Why use a standardized auth protocol?

    Why use a standardized auth protocol?
    James Hickey  |  Jun 10th, 2021

    Software applications regularly need to gain access to data from other services on behalf of their users. An application may need to grab a list of user’s contacts from a third-party service, such as their Google contacts. Or it might need to access a user’s calendar so the application can create calendar entries for the user. Larger organizations often require employees to have passwordless access to all the applications and services needed to do their jobs.

    READ MORE
  • What's Wrong With the OAuth2 Implicit Grant?

    What's Wrong With the OAuth2 Implicit Grant?
    Brian Pontarelli  |  Apr 29th, 2021

    The Implicit grant is part of the OAuth 2 RFC, but is one of the features omitted in the OAuth 2.1 specification. With this grant, you don’t have to write server side code. Instead of having to exchange an authorization code for an access token, you are provided an access token on redirect.

    READ MORE
  • GNAP, the next generation of OAuth

    GNAP, the next generation of OAuth
    Dan Moore  |  Jan 7th, 2021

    The Grant Negotiation and Authorization Protocol, also known as GNAP, is currently being formulated in an IETF working group. This protocol will not be backward compatible with OAuth2. However, since it is a new major auth standard and is currently in development, you should give it some attention.

    READ MORE
  • How to securely implement OAuth in Ruby on Rails

    How to securely implement OAuth in Ruby on Rails
    Brett Guy  |  Dec 14th, 2020

    In this tutorial, we will walk through setting up a basic Ruby on Rails app to securely authenticate with an OAuth2 server using the authorization code grant.

    READ MORE
  • What's new in OAuth 2.1?

    What's new in OAuth 2.1?
    Dan Moore  |  Apr 15th, 2020

    Hey look! OAuth is getting spiffed up a bit. The original OAuth 2.0 specification was released in October 2012 as RFC 6749. It replaced OAuth 1.0, released in April 2010. There have been some extensions over the years. A new OAuth specification has been proposed and is currently under discussion. As of this blog post’s writing, the specification was most recently updated on March 8, 2020. If approved, OAuth 2.1 will obsolete certain parts of Oauth 2.0 and mandate additional security best practices. The rest of the OAuth 2.0 specification will be retained.

    READ MORE