Logging in to a fedi account, with the Typestate pattern guarding against running the stages in the wrong order
https://git.dc09.ru/DarkCat09/crtsh-gts/src/branch/main/src/login.rs
🌗 Ten years of JSON Web Token (JWT) and a look ahead
➤ A decade of web security standards and the challenges ahead
✤ https://self-issued.info/?p=2708
This post looks back on the milestone of JSON Web Token (JWT) becoming the RFC 7519 standard ten years ago. JWT and its related specifications have become an important cornerstone of modern web security, widely used for authentication and authorization. The author highlights JWT's success and describes the ongoing work to keep JWT secure over the next decade, including updating the best-practices specification and fixing known vulnerabilities.
+ It feels like JWT is already the industry standard; I didn't expect it to still be actively updated. Ensuring security really is very important.
+ This article gave me a better understanding of JWT's development history, and made me realize that web security has to keep evolving.
#網路安全 #JSON Web Token #OAuth #OpenID
X is back after a large-scale outage
After reports of a fire earlier this week in the state of Oregon, the feed on X would not load.
https://tefida.com/x-is-back-after-an-apparent-widespread-outage/
When to use __call__
https://blog.danwald.me/when-to-use-call?ref=twitter-share
#oauth #python #requests
@w_pettersson @schmidt_fu
I recently came across this project. I haven't tried it, but it looks like it may solve your problem.
#SMTP #OAuth proxy
https://github.com/simonrob/email-oauth2-proxy
Interesting open letter from the CISO at JP Morgan Chase, calling out insecure SaaS integrations, and specifically lots of implicit/explicit criticism of #OAuth: poorly secured and broadly scoped long-lived bearer tokens are not a great idea. Hopefully we’ll see PoP (with keys in a KMS) becoming more widespread for these kinds of integrations.
(The letter is undated 😤 but I assume it’s recent - via @ladynerd on LinkedIn).
https://www.jpmorgan.com/technology/technology-blog/open-letter-to-our-suppliers
Hackers abuse #OAuth 2.0 workflows to hijack #Microsoft365 accounts
Just did a big rewrite of a docs page on dynamic identity providers in Duende #identityserver.
That was fun to dive into, and it makes me appreciate the thought put into designing both #aspnetcore and IdentityServer itself.
https://docs.duendesoftware.com/identityserver/ui/login/dynamicproviders/
(also big thanks to @khalidabuhakmeh for the fantastic preview images on new docs pages)
You can use JWTs for client authentication with OAuth/OIDC, but it does NOT require you to specify the `client_id` POST parameter. So you are supposed to parse the complete JWT token _first_ before validating the signature to extract the `sub`, which is actually the `client_id` of the client/RP in order to find the set of keys that can verify the JWT that you just parsed and used unverified. What the hell.
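The ordering the post complains about, shown from the authorization server's side as an added example (not code from any project or post on this page): the assertion is parsed while still untrusted, the untrusted `iss`/`sub` is used for exactly one purpose, selecting the client's key, and only after the signature verifies with that key are the claims acted on. This uses the `client_secret_jwt` variant (HS256 with a per-client secret, so it runs with the standard library alone); the client registry, secrets, token endpoint URL and in-memory `jti` cache are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed client registry for client_secret_jwt (HS256): client_id -> shared
# secret. The unverified `iss`/`sub` claim only selects an entry here; nothing
# else is trusted until the signature has been checked against that entry.
CLIENTS = {
    "client-abc": b"constructed-secret-for-client-abc",
    "client-xyz": b"constructed-secret-for-client-xyz",
}
# Assumed token endpoint URL; RFC 7523 requires the assertion's `aud` to identify it.
TOKEN_ENDPOINT = "https://as.example/token"
MAX_LIFETIME = 300   # seconds; reject assertions that claim a longer validity
SEEN_JTI = set()     # constructed replay cache (a shared store in a real deployment)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(client_id, secret, now=None, jti="id-1"):
    """Build a client assertion the way a client would (used here to produce input)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + MAX_LIFETIME, "jti": jti}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_assertion(token, now=None):
    """Authenticate the client; returns its client_id or raises ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError as exc:  # covers bad base64, bad JSON, wrong segment count
        raise ValueError("malformed assertion") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed assertion")
    # Step 1: header and claims are still UNTRUSTED. Pin the algorithm so an
    # attacker-chosen header cannot select a different verification routine.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Step 2: the untrusted iss/sub is used for one thing only: choosing the key.
    client_id = claims.get("sub")
    if not isinstance(client_id, str) or claims.get("iss") != client_id:
        raise ValueError("iss/sub missing or inconsistent")
    secret = CLIENTS.get(client_id)
    if secret is None:
        raise ValueError("unknown client")
    # Step 3: verify the signature with that client's key before anything else.
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    # Step 4: only now are the claims trustworthy; apply the RFC 7523 checks.
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now or exp - now > MAX_LIFETIME:
        raise ValueError("expired or over-long lifetime")
    jti = claims.get("jti")
    if not isinstance(jti, str) or (client_id, jti) in SEEN_JTI:
        raise ValueError("missing or replayed jti")
    SEEN_JTI.add((client_id, jti))
    return client_id
```

The point of the structure is that everything read from the assertion before Step 3 influences only which key is tried, never a decision; a forged `sub` can make the server look up the wrong client's key, after which the signature check fails. For `private_key_jwt` the lookup would return the client's registered public keys (or its JWKS URL) and Step 3 would be an RS256/ES256 verification instead of the HMAC.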
Google Email Systems Spoofed by Phishing Campaign Reusing Valid DKIM Signatures
#Cybersecurity #Gmail #Phishing #DKIM #DMARC #EmailSecurity #Google #Spoofing #OAuth #InfoSec #CyberAttack
⚠️ Phishers have found a clever way to spoof Google — and their emails pass all security checks.
A new DKIM replay phishing attack abuses Google’s own OAuth infrastructure to send fake messages that look 100% legitimate, including passing DKIM authentication.
What happened:
- A phishing email was sent from “no-reply@google.com”
- It appeared in the user’s inbox alongside real Google security alerts
- The message linked to a fake support portal hosted on sites[dot]google[dot]com — a Google-owned domain
- The attacker used Google OAuth to trigger a real security alert to their inbox, then forwarded it to victims
Why this matters:
- DKIM only verifies the headers, not the envelope — allowing this spoof to work
- The phishing site was nearly indistinguishable from Google’s actual login portal
- Because the message was signed by Google and hosted on a Google domain, it bypassed most users’ suspicions
- Similar tricks have been used with PayPal and other platforms, raising broader concerns
Google has since acknowledged the issue and is working on a fix. But this attack is a reminder:
Even the most secure-looking emails can be fraudulent.
Even Google-signed emails can be weaponized.
🛡️ At @Efani, we advocate for layered defense — because no one layer is ever enough.
#Cybersecurity #Phishing #Google #OAuth #DKIM #EmailSecurity #EfaniSecure #ThreatIntel
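A small receiver-side heuristic for the replay pattern described in the post above, added here as an example (not Google's, Efani's or any product's code): given a message that already passed DKIM verification upstream, it checks whether the signed `To:` and `Date:` headers agree with the envelope recipient and the delivery time, which is exactly what a genuinely signed notification forwarded unchanged to a different mailbox gets wrong. The sample message, its signature tag values and the addresses are constructed placeholders.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime
from datetime import timedelta

# Constructed message modelled on the scenario: a real, signed notification
# addressed to one mailbox and later re-sent unchanged to someone else.
# The bh= and b= values are placeholders, not a real signature.
SAMPLE_MSG = """\
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=constructed; c=relaxed/relaxed;
 h=from:to:subject:date; bh=CONSTRUCTED-BODY-HASH; b=CONSTRUCTED-SIGNATURE
From: Google <no-reply@google.com>
To: original-recipient@example.net
Subject: Security alert
Date: Mon, 14 Apr 2025 10:00:00 +0000

A new sign-in was detected.
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def replay_indicators(raw_message, envelope_rcpt, received_at=None,
                      max_age=timedelta(hours=24)):
    """Return reasons a DKIM-passing message looks replayed (empty list = none found).

    envelope_rcpt is the SMTP RCPT TO address; received_at, if given, is the
    delivery timestamp as an RFC 2822 date string (as found in Received: headers).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(str(sig))
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    # 1. If To/Date are not covered by the signature they could be rewritten at
    #    will, so their absence from h= is itself worth flagging.
    for required in ("to", "date"):
        if required not in signed:
            findings.append(f"{required} header not covered by signature (h={tags.get('h')})")
    # 2. The signed To: header should name the mailbox we are actually delivering to.
    if "to" in signed and msg["To"] is not None:
        to_addrs = {a.addr_spec.lower() for a in msg["To"].addresses}
        if envelope_rcpt.lower() not in to_addrs:
            findings.append(f"envelope recipient {envelope_rcpt} is not in the "
                            f"signed To: header {sorted(to_addrs)}")
    # 3. A signed Date: far behind the delivery time means the message was held
    #    and re-sent rather than generated for this delivery.
    if "date" in signed and received_at is not None and msg["Date"] is not None:
        sent = parsedate_to_datetime(str(msg["Date"]))
        received = parsedate_to_datetime(received_at)
        if received - sent > max_age:
            findings.append(f"signed Date is {received - sent} older than delivery time")
    return findings
```

Ordinary forwarding and mailing lists also produce a To/envelope mismatch, so this belongs in a scoring pipeline next to the DKIM, SPF and DMARC results rather than as a hard reject; the combination "d= is a high-value sender domain, signature passes, recipient not in signed To:, Date well in the past" is the narrow case the post describes.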
Bleeping Computer: Phishers abuse Google OAuth to spoof Google in DKIM replay attack. “In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google’s systems, passing all verifications but pointing to a fraudulent page that collected logins. The attacker leveraged Google’s infrastructure to trick recipients into accessing […]
Blogged: Implement client assertions for OAuth client credential flows in ASP.NET Core
#aspnetcore #dotnet #oauth #credentials #security #assertions