I had a great time Oauth Security Workshop 2026 in Leipzig. So many brilliant people.

#openid #oauth2 #wallet #credentials #osw2026

Current status back at home

🚨 NEWS: Autenticazione Moderna nel 2025: Passkeys, WebAuthn, OAuth 2.0 ed Eliminazione delle Password Classiche

Ecco i punti chiave in breve:
💡 Il sistema di autenticazione basato su password è ormai riconosciuto come il principale anello debole della sicurezza informatica. Ogni anno milioni di credenziali vengono rubate tramite phishing, dat...

🚀 LINK: https://meteoraweb.com/sicurezza-informatica/autenticazione-moderna-nel-2025-passkeys-webauthn-oauth-20-ed-eliminazione-delle-password-classiche

#webAuthn #passkeys #autenticazioneSenzaPassword #oAuth2.0 #fIDO2

75–80% of enterprise deals stall on authentication. SSO, SCIM, MFA — here's when you need what, and which platform to choose at each growth stage.

Full details here: https://ostechnix.com/why-startups-need-smarter-authentication-before-they-scale/

#Authenitcation #Security #Opensource #IAM #OAuth2

For a project I am working on I am currently researching the three Open ID Connect (OIDC) flows:

* Authorization Code Flow is clear
* Implicit Flow is to be avoided due to the potential for leakage of tokens

... and then there is the Hybrid Flow. I understand how it works, i.e. the sequence of steps and their parameters, but no matter where I looked, I could not find a single example for an actual **use case** of the Hybrid Flow. Lots of explanations about how it works, but no mention of the "why".

When would I want to use the Hybrid Flow over the Authorization Code Flow? Or is this an instance of "you'll know it when you'll see it"?

#oidc #oauth2 #DigitalIdentity

Логин через Telegram по-новому: разбираем OIDC-флоу oauth.telegram.org и собираем его на Python

Telegram теперь полноценный OpenID-провайдер: oauth.telegram.org, JWKS, JWT, claims. Туториалы на GitHub при этом массово показывают старый виджет с HMAC от bot-token и /setdomain в BotFather. Я разобрался с новым флоу и собрал PoC на Python — рассказываю, как устроен обмен между фронтом, Telegram и бэком, чем Login library через telegram-login.js отличается от manual OIDC code flow с PKCE, что настраивать в BotFather (спойлер: не в чате, а в его mini-app), как протестировать локально через ngrok, и какая проверка id_token нужна вместо ручного HMAC.

https://habr.com/ru/articles/1033632/

#telegram #telegram_login #openid_connect #oidc #oauth2 #jwt #jwks #pyjwt #python #authentication

Per-user OAuth для MCP-серверов: Keycloak, n8n и Telegram-бот через один Auth Proxy

MCP-серверы не умеют в авторизацию, n8n не умеет в per-user токены, а OAuth-клиенты говорят на разных диалектах. Рассказываем, как один Auth Proxy перед FastMCP Gateway закрыл все три проблемы — и почему в итоге бот переехал на LangGraph Архитектура, грабли и код

https://habr.com/ru/articles/1030302/

#MCP #OAuth2 #Keycloak #FastMCP #LangGraph #n8n #Telegramбот #peruser_авторизация #AIагент #Auth_Proxy

@tatsh Woo! mutt-oauth2 just made my day!

Previously a gent from MIT IS&T put in HEROIC amounts of effort to pull together the prior jank-fest of oauth2 scripts and mutt configurations...

But with your nice new package I can 'uv tool install', add the bits you specified to my muttrc and BOOM! I'm reading my MIT E-mail in a sane interface that doesn't make my remaining damaged eye want to shrivel up and retire :)

Thank you!

(Also just sent a Buy Me a Coffee :)

#mutt #oauth2 #office365

#DPoP closes a real gap in #OAuth2, but there’s a catch….

Sender-constrained tokens are a meaningful upgrade over bearer tokens, but they don't fully solve the challenge of browser key storage.

Check out the #InfoQ article by Dhruv Agnihotri for a deep dive: https://bit.ly/4w62YGA

#WebDevelopment #Security #Cryptography #CyberSecurity