Is it safe to use a third party OIDC ID Token as our API's bearer token?

Practically, we are outsourcing the authentication of our users to a third party application that is, needless to say, external to our system. I am not sure if this is actually advisable, but from our perspective, since we don’t really want to maintain security credentials ourselves, we thought that it makes sense to leave that in the hands of a more capable party. For now we intend to use them mainly as an identity provider, because we find their authorisation support hard to use. To be clear, at the moment, we do not require any access to any other resources on the side of the identity provider beyond the user profile; the authorisation I’m referring to is for our own system. Because of this, acquiring an ID token from the trusted identity provider seems to be good enough for our purposes.

We intend to internally keep track of references to the user id provided through the ID token (e.g. the JWT sub claim) for the purpose of attaching our own authorisation details to them. I’m thinking that since this is the case, because the ID token provides us enough information to be able to pull authorisation details about the user, we don’t really need anything else. I’m not sure, however, whether this is a sound approach or whether there’s a security risk in this kind of flow.

In this setup, for our own API we’d have to use the external IdP for authentication, but we’d probably need to be issuing the access tokens ourselves to our clients.

Retrieving CSRF token from third party website form using XHR (JavaScript)

I know they say CSRF tokens are the most secure way to prevent CSRF attacks, but what if someone uses XHR to retrieve the page containing the CSRF token along with the form and then uses that token for his attacks?

Why don’t they say the “Referer” header is the most secure way to prevent CSRF attacks? After all, nearly 99% of the currently in-use browsers will provide the “Referer” header and the attacker cannot change it in any way. (Yes, he can’t, unless the browser/OS itself is compromised.)

Now that I protect my website using the “Referer” header, do I really need CSRF tokens? All my important requests use the POST method, not GET.

Is it safe to encrypt a user’s third party API key with their own password?

I’m running a node application which needs to make calls to a third party API, on behalf of my user, using their own API keys.

API calls only need to be made on behalf of the user while they are logged into my site.

Currently I use bcrypt to hash and compare their password:

    bcrypt.hash(req.body.password, 12, function (err, hash) { ... });
    bcrypt.compare(req.body.password, users[req.body.username]['password'], function (err, result) { ... });

I thought that when a user adds their API key to the website I could require their password again, and after validating the password, I could use the encryption method here to encrypt it (with their plaintext password as the key).

When a user logs in, I could validate their password, decrypt their API key using the method from the link above (and their password), and store the API key in plain text using express-sessions, ready for making calls on user request.

With this method, if the user loses the password they will have to reset their API keys. I’m happy to accept that trade-off.

Is this approach safe or is there something I’m overlooking?

whois – The Sponsored Listings displayed above are served automatically by a third party

I was scammed by someone. I know his domain name. I tried to search for him on whois, but it shows “The Sponsored Listings displayed above are served automatically by a third party. Neither Parkingcrew nor the domain owner maintain any relationship with the advertisers.”

How do I get the information?

Inverse of Third Party Authentication

Consider this scenario. I have a file hosted on AWS with private access. I want the file to be accessible to several authorized users of a web application that I have built. As I am the one authenticating these users, how do I tell AWS to deliver the file only to users authenticated by my application?

This seems somewhat like OAuth turned around, where I am the third party authenticator between Amazon and the user. It seems like a common paradigm, but I’m ignorant and can’t think of what to even search for. Any help appreciated.

Is a Webhook sending Purchase Details for handling Purchases from a Third Party Service Secure?

I’m developing a mobile application for a client that sells digital courses on a service called Teachable, which hosts their website and handles the purchase process for them. My client wants to keep using this service for the purchase process, and when a user has bought a course, he should have access to it in my app.

Now I did some research on Teachable. To my knowledge, it does not provide an API or some sort of OAuth provider. However, it does offer webhooks.

I thought about a way to implement this behaviour, but I have some concerns about my idea, so I would like to hear opinions from more experienced developers in the security field. My idea goes like this:

  1. Let’s assume Alice buys a course called “Awesome Course 1”.
  2. The Teachable webhook sends a JSON object to my server that includes the following properties: { email: Alice@gmail.com, courseName: Awesome Course 1, courseId: 123}
  3. Now in my database, I create a random Id and add this JSON object to it. So I have something like this: RandomKey987: { email: Alice@gmail.com, courseName: Awesome Course 1, courseId: 123}
  4. I send Alice an email that contains the Id RandomKey987.
  5. Alice goes to my app, creates an account/logs into her account (which is completely independent of the Teachable mail/account she used to buy the course) and enters the Id RandomKey987 in a form to unlock her course in my app.
  6. On my server, I create a database entry under Alice’s field to mark that she bought the course associated with the database entry RandomKey987, which in this case is the course “Awesome Course 1”.
  7. I delete the database entry RandomKey987, so no one can unlock this course a second time.

Now my concerns are:

  1. An adversary could just send a JSON object like the one in step 2 that doesn’t come from Teachable. The attacker would need to know the HTTP endpoint of my webhook and a valid courseId, which I’m not sure I can keep private. Teachable does not provide an API where I could make a request to validate that the JSON object indeed refers to a valid purchase. Would it be an imaginable solution to just keep the HTTP endpoint and the courseIds private?

  2. It won’t be possible to guess the Id for a purchase in my database, but could there be another way to get the key I send via email? Assuming no other person than Alice can read this email, this should not be a problem, right?

What’s your opinion on this? Did I overlook an important security aspect? Is there a better way to handle this problem?

Third Normal Form and Boyce-Codd Normal Form

I know that this is not a question-and-answer site, but for the sake of explaining my doubt I have to post the entire question.

Consider the following statements.

  1. If relation R is in 3NF and every key is simple, then R is in BCNF.
  2. If relation R is in 3NF and R has only one key, then R is in BCNF.

  (a) Both 1 and 2 are true
  (b) 1 is true but 2 is false
  (c) 1 is false and 2 is true
  (d) Both 1 and 2 are false

The answer given is (a), but how can it be so?

I agree with the first statement, but for the second one consider a relation $R = \{A,B,C,D\}$ where $AB$ is the key, and say $C \to B$. Then it satisfies 3NF, right? But it is NOT in BCNF, right? Since here we have a non-prime attribute deriving a prime attribute.
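Attribute closures under the two dependencies stated in the post, worked out here as an added check that is not part of the original question. $AB \to ABCD$ is the dependency implied by $AB$ being a key:

$$
\begin{aligned}
\{A,C\}^{+} &:\ \{A,C\} \xrightarrow{\,C \to B\,} \{A,B,C\} \xrightarrow{\,AB \to ABCD\,} \{A,B,C,D\} \\
\{A\}^{+} &= \{A\}, \qquad \{C\}^{+} = \{B,C\}
\end{aligned}
$$

So $AC$ is a superkey with no proper subset that is one, i.e. a second candidate key besides $AB$; with these dependencies the relation has the two keys $AB$ and $AC$.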

Storing third party API tokens in a database

This is my first question so if there are many mistakes with formatting or if there are any standards I should follow please let me know.

Currently I have a Node JS project that uses the Spotify API. The project displays the user’s top played artists and tracks. I am following the Authorization Code Flow to obtain the access token. This access token will be used to query certain endpoints to obtain a JSON response of the data that will be used for my project. This token lasts an hour. I am currently storing this access token in a cookie and using this cookie to make new requests.

My question is: is this acceptable from a security standpoint? This token does not have the ability to change any of the user’s profile settings or read sensitive data. However, if another person were able to obtain this token they could use it to see another user’s data. Or would it be more secure to store this access token in a database and query the database for access tokens whenever needed?

Proving authenticity of data accessed over TLS by an untrusted third party

Is there any way an untrusted third party who has access to content from a website over HTTPS can prove the authenticity of the data (i.e. that it was distributed by a server in possession of a specific TLS private key)? The way TLS works makes it such that a packet capture and copy of the master key is insufficient to prove authenticity, since the HMAC key is derived from the master key, which makes it possible to forge the message. Because the third party is untrusted, having them verify the TLS themselves then endorse the authenticity by digitally signing the material is not a solution either.

I’m pretty sure there is no solution under these constraints, but there may be something I missed.