75,593 questions
Best practices
0
votes
0
replies
40
views
Third party JWT or self-derived JWT
I'm using a third party identity provider for authentication towards my own services.
After a user finishes authentication, my IdP returns a JWT access token. The question is: What is the better ...
0
votes
1
answer
63
views
Authorize filter attribute is returning signing key error, whereas it is 100% correct
I'm configuring authorization in my ASP.NET Core 8 project, and I get this error while testing JWT token auth via Swagger:
content-length: 0 date: Sun,12 Apr 2026 01:37:08 GMT server: Kestrel www-...
-1
votes
1
answer
34
views
How to show a page only on first user registration in Next.js (Auth.js + Neon DB)? [closed]
What is the best way to detect first-time login after registration and show a page only once?
GitHub project:
https://github.com/MarkpentX/lawyer-firm-app.git
Advice
1
vote
1
replies
42
views
Jwt Authentication using access token and refresh token problem
My question is if we are using JWT auth for authentication, then where should I put my access token for calling APIs quickly so that my application feels fast as compared to others and also there is one ...
Advice
0
votes
2
replies
67
views
How to rate limit unauthenticated users?
In the context of client side session management when user authenticates herself, she gets a token that is specific to her. When we get that token at the server side we are sure that token relates to ...
1
vote
1
answer
46
views
Why are authentication cookies not flowing from Blazor web assembly to SignalR?
I'm building a matchmaking service for a browser gaming platform using Blazor web assembly, Microsoft Entra external id and SignalR. To connect clients to the matchmaking service, I have created an ...
-1
votes
0
answers
62
views
AKA-V1 & IPSec Support in android application
For a mobile telephony based application, we are trying to authenticate via AKA-V1 using SIM information, we do have our own control over GSI Android which enables us to provide permission required for ...
0
votes
0
answers
56
views
Next.js session object on client doesn't include custom role property
I'm trying to protect the client side in my Next.js app using a custom session with better-auth, but the role property does not appear inside the session object, but when I display `session.user.role` it ...
Tooling
0
votes
5
replies
50
views
Google Oauth in react native
How can I use Google OAuth in an Expo Go app, and how does it work once the app is published on the Play Store?
Currently, in Expo Go, the app is treated like a web application, so it uses a Web ...
6
votes
0
answers
68
views
How to authenticate with GridDB Cloud REST API using API key vs Basic Auth?
I'm trying to query data from GridDB Cloud using its REST/WebAPI endpoint. The official docs mention both Basic Authentication and API key-based access, but I'm unclear on the exact header format and ...
0
votes
0
answers
42
views
Cookie is not created in Blazor Server App
I'm working on a Blazor Server App which has to authenticate via LDAP (it works), and set a cookie so that the user must authenticate only e.g. once a week.
I have created a minimalAPI in the program....
Advice
0
votes
4
replies
102
views
Architecture for handling OAuth token refresh across multiple services in agent-based systems
I’m currently working on a system where agents interact with multiple external services such as Google APIs, Slack, and GitHub.
All of these services use OAuth, which means access tokens expire ...
Best practices
0
votes
6
replies
107
views
Which authentication approaches are suited with .NET MAUI Blazor Hybrid and Web App without SSR?
.NET MAUI Blazor Hybrid and Web App is the project template of the cross-platform applications available in Visual Studio:
Actually, it is the set of 4 projects (details):
It has been documented how ...
Best practices
2
votes
2
replies
125
views
What's the best approach for implementing user context in Express.js?
I'm building a Node.js/Express API and need to implement a user context system that allows me to access the authenticated user from anywhere in my application (services, utilities, etc.).
The Problem:
...
0
votes
0
answers
50
views
How can I reduce the response URL size from Microsoft sign in via the Authentication.MicrosoftAccount library?
We use Duende Identity Server (7.4.4) to enable sign in on our site. We offer a general Microsoft Single Sign On button through the Microsoft.AspNetCore.Authentication.MicrosoftAccount Nuget package. ...
Advice
3
votes
1
replies
113
views
AIoT device: Radius Authentication using PHP with Message-Authenticator attribute
We have some AIoT devices and want to authenticate with RADIUS using PHP.
The new RADIUS server asks for the Message-Authenticator attribute and the built-in RADIUS functions of PHP cannot do it.
<?...
Best practices
2
votes
1
replies
107
views
DDD approach for user authentication and registration
I’m using a DDD approach in my application. I want to learn best practices for writing DDD code the way Big Tech companies and experienced developers do it.
So, I have a User entity with the following ...
Advice
1
vote
0
replies
49
views
How to implement role-based access control in a multi-tenant SaaS application?
I’m working on a multi-tenant SaaS application where different organizations can create and manage business plans and financial forecasts. Each organization has multiple users with different roles (e....
Advice
0
votes
0
replies
53
views
Framework-agnostic strategies for silently flagging fake accounts (Sybil attacks)
I am designing the core logic for a user registration flow, and my main concern is mitigating Sybil attacks (mass creation of fake accounts).
My goal is NOT to block these users during registration.
...
Tooling
0
votes
2
replies
126
views
Best approach for server-side license key verification with HWID binding in C#
I'm building a commercial desktop application in C# and I need to implement license verification that prevents key sharing between users.
What I'm trying to achieve:
Bind each license key to a ...
Best practices
0
votes
1
replies
29
views
How add Auth SDK to Nextjs?
Can someone write this for nextjs?
import { createRoot } from 'react-dom/client'
import App from './App.tsx'
import authgear from "@authgear/web"
async function init() {
try {
// configure ...
0
votes
0
answers
57
views
Blazor Server client side authentication with gRPC
We are building an application where there are several components that must all work together that are not all entirely in my control.
First, a frontend written in Blazor Server that does some ...
Best practices
0
votes
2
replies
82
views
Best way to handle OAuth + JWT emitted by backend?
I'm building an application which integrates a 3rd party SSO (IVAO) to authenticate users. My stack is React frontend and NestJS backend. This is the user flow:
User signs in with IVAO SSO
The user ...
1
vote
0
answers
61
views
NextJS refresh token cookie not syncing with browser
I've been having this hiccup for quite a while. I'm using NextJS 16 to build a fullstack application with separate NestJS backend. The problem is when I perform a refresh logic, the httpOnly cookies ...
Best practices
1
vote
3
replies
141
views
How to properly manage authentication with Axios and React Context in a TypeScript app?
I’m building a React + TypeScript app and using Axios for API requests. I have an AuthProvider using React Context to manage the user and token, and I’m running into a few questions and issues:
Do I ...
Best practices
1
vote
2
replies
73
views
Microservices architecture: Should identity validation be centralized in a dedicated service or handled locally by each service?
I’m designing a microservices-based platform with the following characteristics:
Multi-tenant
Identity-based access model (not traditional role-only RBAC)
Services communicate over HTTP
A gateway/...
0
votes
1
answer
44
views
SAP Cloud SDK / Failed to read authentication token of destination xxx
In the latest version of our product, we adopted cloud-sdk-java (5.24.0) as the underlying implementation for sending data, whereas this functionality was custom-developed by our team previously. ...
Best practices
0
votes
1
replies
78
views
Chainlit triggers header_auth_callback before OAuth and shows error UI when header auth fails
I am implementing a Chainlit application that needs to support two authentication methods depending on how users access the app.
Use Cases
Microsoft Teams Tab App
Users are automatically ...
0
votes
0
answers
96
views
Login/Password protection with Quartz 4 (Obsidian Digital Garden)
I'm trying to figure out the simplest way to provide authentication/password protection for a Quartz deployment.
I'd like the solution to be something that minimizes both complexity and cost, even a ...
Best practices
0
votes
2
replies
64
views
Rendering based on Authentication and Authorisation
What's the best approach for rendering HTML on the client after passing authorisation and authentication? Below is my current code but I'm a bit stuck on where to go next, as I don't want to implement ...
0
votes
0
answers
26
views
Which Attu configuration causes a 401 Unauthorized error when connecting to Milvus on Zilliz Cloud?
I am encountering an authentication issue when using Attu to connect to a Milvus instance hosted on Zilliz Cloud, while connecting to the same instance via SDK code works correctly.
My setup is as ...
Best practices
0
votes
2
replies
62
views
How should an app gracefully handle passkey deletion?
I’m using passkeys with ASAuthorizationController (ASAuthorizationPlatformPublicKeyCredentialProvider). Registration and authentication work correctly on iOS 16+.
However, if the user explicitly ...
2
votes
0
answers
72
views
Wildfly 39 JSF Login authentication
I'm trying to configure a form-based authentication for my JSF app in Wildfly 39, and I've come across these sources:
https://rieckpil.de/howto-simple-form-based-authentication-for-jsf-2-3-with-java-...
1
vote
0
answers
79
views
Blazor wasm Authentication with Roles
I'm looking into implementing authentication in a client side Blazor application with wasm.
Microsoft has a sample for exactly that scenario, but - not very confidence inspiring - it seems broken: ...
0
votes
0
answers
36
views
StaticWebapp not setting value on wellKnownOpenIdConfigurationSettingName from azure env values
I have this configuration:
{
"mimeTypes": {
".js": "application/javascript",
".mjs": "application/javascript",
".cjs": "...
1
vote
1
answer
85
views
How does Passkeys behave across iOS 15 → iOS 16 when using ASAuthorizationController?
I’m integrating authentication using Apple’s authorization APIs and supporting multiple iOS versions:
• ASAuthorizationController (iOS 13+)
• ASAuthorizationPlatformPublicKeyCredentialProvider (...
Best practices
0
votes
3
replies
38
views
Angular + .NET (Azure AD BFF): Handling 401 due to token expiry without losing unsaved form data (auto-save to DB only)
I’m working on an Angular frontend with a .NET BFF backend secured using Azure AD authentication (cookie-based, no tokens stored in local/session storage).
Current setup:
Frontend: Angular
Backend: ....
Best practices
2
votes
4
replies
71
views
How do I differentiate each device so that each one has its own unique refresh token linked to the same account?
I am designing a mobile application with a user login system.
I am going to implement refresh tokens in order to allow for users to only have to log in once every 30 days.
How do I differentiate each ...
0
votes
1
answer
101
views
GitHub Actions checkout fails with "Not Found" error for SSO-protected enterprise repository despite valid PAT
Problem
I'm trying to checkout a private GitHub Enterprise repository in a GitHub Actions workflow, but it consistently fails with a "Not Found" error even though I have a valid Personal ...
Advice
1
vote
1
replies
64
views
Why Authentication and User Management tools are not made for PHP/Symfony?
I try to configure my Symfony project with a User Management to separate my user management from my app database.
I found some tools, such as Clerk, Supabase, Authentik and I have tried each tool, but ...
1
vote
0
answers
71
views
ASAuthorizationControllerDelegate always returns .canceled for Face ID passcode fallback and failed attempts
I’m implementing Sign in with Apple / Passkeys using ASAuthorizationControllerDelegate and handling errors via:
func authorizationController(
controller: ASAuthorizationController,
...
Best practices
0
votes
9
replies
62
views
What security measures to implement when using React JS and Python Backend with Rest API
I am building a React + Python (FastAPI) application where these 2 applications are connected via REST API. My question is if anyone who knows the ENDPOINT, and params that need to be sent, Anyone ...
Advice
0
votes
1
replies
97
views
How to handle authorization in a microservices environment using session-based authentication?
I lack experience with system design, and I’m struggling to understand how all the pieces fit together. I’d appreciate some help seeing the “big picture.”
I’m building a web application with a ...
-4
votes
1
answer
216
views
Authenticate into Apache via PHP (htaccess login done by PHP) [closed]
I want to allow directory index (list directory in browser) but only for users logged in via php. Users not logged in should not have any access.
Is it possible to log in to apache (AuthType Basic, ...
Best practices
1
vote
1
replies
50
views
Fetching user data (Next.js + Supabase)
I am building a website with Next.js and Supabase (beginner here). I created a page.tsx with a layout.tsx in a dashboard folder in my app router. Currently I am doing a check in layout.tsx to verify ...
0
votes
0
answers
122
views
Zoho ASAP JWT authentication enabled but widget still behaves as guest user and asks for email/name
I am integrating Zoho Desk ASAP widget with JWT-based authentication in my web application.
I have completed the initial setup, but even after login, the widget still behaves like a guest user instead ...
Advice
1
vote
0
replies
35
views
How to work sqladmin token and secret_key management?
I set up sqladmin to fastapi project. I used aminalaee docs for set up. That works. But I do not understand some components as <token> and <secret_key>. Can somebody clarify those ...
1
vote
1
answer
45
views
Email Claim is always missing in the startup.auth.cs but it present in the Token
I am using a .NET 4.8 application with Angular v22. When I try to login via a controller method, it always throws an exception that the email claim is missing. But it is present in the JWT token.
Here ...
0
votes
1
answer
104
views
Azure AD login returning unauthorize (401) in spite of having up-to-date configs
I am trying to integrate Azure AD login in my .NET 4.8 application with an Angular frontend.
But when I try to authenticate, it's returning an http 401 "Unauthorized" error.
In the ...
Best practices
2
votes
0
replies
33
views
What are the security and feature checkpoints for considering an authentication system “complete” in a web application?
I’m building a web application and started with authentication, but I keep feeling it’s incomplete. In a professional production environment, what are the essential steps or criteria to ensure the ...