Category: Spring Security
-
Understanding PKCE (Proof Key for Code Exchange) in JWT Authentication
1. Introduction When dealing with modern authentication flows, especially in web and mobile applications, security becomes the top priority. OAuth 2.0 introduced the Authorization Code Flow to enable secure access delegation — where users can grant access to applications without sharing their passwords. However, traditional Authorization Code Flow had a weakness — it relied on the…
-
The Last Guide to JWT
Understanding the Need for JWT (The Problem with Sessions) 1. Introduction Before JSON Web Tokens (JWTs) became popular, web applications relied heavily on sessions for authentication. At first, this seemed simple and effective — a user logs in, the server remembers them, and everything works smoothly. But as applications evolved — from single servers to…
-
HttpOnly Cookies
What Are Cookies? A cookie is a small piece of data stored on the client’s browser, sent by the server. It is used for various purposes like: Cookies are sent back and forth between the client and server with every request to a domain that set them. What Is an HttpOnly Cookie? An HttpOnly cookie…
-
Refresh Token Grant Type in OAuth 2.0 (with Keycloak)
What is the Refresh Token Grant Type? The Refresh Token Grant Type is a mechanism that allows a client (application) to obtain a new access token using a refresh token without requiring the user to log in again. Why is It Needed? Components Term Description Authorization Server The identity provider that issues tokens (e.g., Keycloak)…
-
JWT Usage in a React Application
When you use JWT in a React frontend, the typical workflow is: While this seems straightforward, security pitfalls often occur in how the token is stored and transmitted. An insecure implementation can expose sensitive information, allow attackers to impersonate users, or open your app to XSS/CSRF attacks. Best Practices for Secure JWT Handling in React…
-
How to Invalidate Compromised JWT Tokens in Keycloak
1. Force Logout a User from Keycloak Admin Console When you know that only a specific user’s token is compromised, you can invalidate their session manually from the Keycloak Admin Console. Steps: What It Does: Why It’s Useful: 2. Logout All Sessions of the User This option is useful if the user is logged in…
-
What Information Can Be Seen in a JWT?
1. Introduction A JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. It’s widely used in modern applications for authentication and authorization. A JWT is composed of three parts: All three parts are Base64URL-encoded strings, separated by periods (.). While the signature part is cryptographically secure and…
-
JWT Claims
JWT Claims are the core data that a JWT token carries. These claims convey specific statements about a subject (e.g., a user), and are encoded in the Payload section of a JWT. 4.1. JWT Claims Set The JWT Claims Set is a JSON object containing a collection of name/value pairs called claims. These claims assert…
-
JSON Web Token (JWT) – An Introduction
1. Introduction JSON Web Token (JWT) is a lightweight, compact, and URL-safe way to represent a set of claims between two parties. It’s especially useful in environments where bandwidth or storage is limited, such as: JWTs are typically used in web authentication and authorization flows. They allow claims (such as user identity or roles) to…
-
Symmetric Keys in mTLS
Mutual TLS (mTLS) uses both asymmetric encryption (public/private keys) and symmetric encryption (session keys) to provide strong authentication and secure communication. While certificates prove identity, symmetric keys are used for fast, secure data transfer. 1. What is a Symmetric Key? Key Characteristics: Analogy: Think of a locked box: the sender locks it with a single key,…
