#Oauth

Latest posts tagged with #Oauth on Bluesky

Bearer tokens can be replayed.

Quarkus 3.32 introduces DPoPNonceProvider so you can enforce single-use nonces and stop replay attacks in your Java APIs.

I built the full challenge-response flow with Keycloak + Dev Services.

Here’s the guide:
buff.ly/mZX26pw

#Quarkus #Java #Security #OAuth

Securing AI Coding Agents with Real-Time Just-In-Time Authorization: Claude Code and GitHub Copilot CLI | Martin Besozzi But one key question is still largely unanswered: > Who approves critical actions when an AI agent decides to execute them? At TwoGenIdentity, we built a working implementation of Just-In-Time (#JIT)...

Now you can implement Just-In-Time #Authorization in #Claude #Code with Human-in-the-Loop (#HITL) #MCP #Elicitation
Demoing our implementation based on #open #standards, where #OAuth native authz occurs in real time, producing a cryptographic proof bound to that operation
www.linkedin.com/posts/embeso...

Cyber attackers are exploiting OAuth's Device Code Flow to hijack Microsoft 365 accounts without stealing passwords. Stay vigilant and implement robust security measures. #CyberSecurity #Phishing #OAuth Link: thedailytechfeed.com/phishing-att...

Error message from Claude Code when I didn't manage to copy the OAuth URL to another machine, paste it into my browser, get the response from their (very slow) server, copy that back to the first machine and paste it back into the session in under 15 seconds.

Login
OAuth error: timeout of 1500@ms exceeded

I hate it when people think OAuth is the only way to do things. Fine, if you are a web app running in a browser and using a third party service where your users don't want to let you see their credentials.

But, for a first party CLI app, perhaps making me […]

[Original post on mastodon.social]

Spring forward—your “AI coworker” will happily approve-to-exfil. Watch NEW OAuth trust events + device-code logins; endpoint IOCs are for nostalgic people. 🔥🕵️

#AlphaHunt #CyberSecurity #AI #OAuth

foojay – a place for friends of OpenJDK foojay is the place for all OpenJDK Update Release Information. Learn More.

DPoP: What It Is, How It Works, and Why Bearer Tokens Aren’t Enough

#bearer #cryptography #dpop #java #oauth #security #token

foojay.io/today/dpop-wh...

Working implementation 🚀 of Just-In-Time (#JIT) #Authorization for #AI #Agents
Our pattern, MCP-Native Authorization (MCP-NA), combines #OAuth 2.0 first-party interactive flows with #MCP #elicitation metadata to enable AI agents to orchestrate Human-In-The-Loop (#HITL) steps
Copilot MCP App demo👇

Bearer tokens have a security problem - they can be stolen and replayed. DPoP offers a better approach by binding tokens to cryptographic keys. Hüseyin Akdoğan explains how it works and why you should care.

foojay.io/today/dpop-w...

#security #oauth #java

Invite Guest users in a Entra ID Multi-tenant setup This post looks at implementing a guest user invite in a cross tenant setup. This is useful when creating partner tenants using an Entra ID MAU license for all partner guests and members. This make…

Blogged: Invite Guest users in a Entra ID Multi-tenant setup

damienbod.com/2026/03/09/i...

#graph #entra #mau #identity #iam #entraid #oauth #openidconnect #oidc #security

LaraFoundry supports 3 OAuth providers out of the box:
Google, Facebook, Twitter.

One controller. One callback. Remember me works across all of them.

No Auth0. No Firebase. Pure Laravel Socialite.

#LaraFoundry #Laravel #OAuth #SaaS

A Telegram bot instead of Excel drudgery: how I automated routine work with Python. How I replaced Excel pivot tables with a Telegram bot ...

#python #telegrambot #google #sheets #api #oauth #yandex #disk #pandas #etl #devops

Detecting OAuth Redirect Abuse with Microsoft Sentinel and Entra ID Microsoft warned about OAuth redirect abuse enabling phishing and malware delivery. Build Sentinel analytics rules, hunting queries, a security workbook, and Entra ID hardening policies to detect and ...

OAuth redirect abuse in Entra ID is worth watching.

New post with 4 Sentinel detections, hunting queries, and hardening steps:

nineliveszerotrust.com/blog/oauth-r...

#EntraID #OAuth #MicrosoftSentinel

DEEP RESEARCH: Who’s Most Likely to Abuse MCP Integrations? #UNC3944, #TraderTraitor, #UNC6293 ?

MCP-era risk isn’t exploits—it’s authorized tool/integration abuse (OAuth consent, device codes, app passwords). We ranked who’s best positioned..

#AlphaHunt #OAuth #MCP

📰 Microsoft: Hackers Exploit OAuth Error Flows to Spread Malware

👉 Read the full article here: ahmandonk.com/2026/03/05/penyalahgunaa...

#keamananSiber #malware #microsoft #oauth #phishing

If your “AI Coworker” Gets Targeted, What Tips You Off First? Your “AI coworker” isn’t the breach. The OAuth trust event is. 🔥🕵️‍♂️ Device-code phishing + consent traps = “approve to exfil.” (And yes, AI agents are already being used as the wrapper.)

Your “AI coworker” didn’t hack you—someone got it to hit “Approve” 🙃 New OAuth trust events + device-code logins = silent SaaS loot. 🔥

Read the telltales + subscribe: blog.alphahunt.io/if-your-ai-c...

#AlphaHunt #CyberSecurity #OAuth #AI

Microsoft: Hackers abuse OAuth error flows to spread malware Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages.

#Microsoft: Hackers abuse #OAuth error flows to spread #malware

www.bleepingcomputer.com/news/security/microsoft-...

#cybersecurity

SIGNALS WEEKLY:

Cisco Catalyst SD-WAN Exploitation + OAuth Redirect Abuse + Prompt Injection Observed in the Wild

blog.alphahunt.io/signals-week...

#AlphaHunt #SDWAN #OAuth #AISecurity #ThreatIntel

Microsoft warns of a new phishing attack exploiting OAuth in Entra ID to evade detection. Stay vigilant and implement recommended security measures. #CyberSecurity #Phishing #OAuth #EntraID Link: thedailytechfeed.com/microsoft-di...

Microsoft warns of sophisticated phishing campaigns exploiting OAuth redirection to target government entities. Stay vigilant and review app permissions. #CyberSecurity #Phishing #OAuth Link: thedailytechfeed.com/microsoft-wa...

Agency in practice: Codex CLI and the Russian AI landscape. After getting acquainted with OpenAI's Codex CLI, I decided to carry out a pract...

#LLM #агентные #системы #Codex #CLI #Responses #API #OAuth #tool #API #reasoning

OAuth: how a legitimate mechanism can become a phishing tool | CSM - Cybersécurité Management. Attacks exploiting OAuth redirects show an evolution in phishing: hijacking legitimate authentication mechanisms to bypass protections and compromise identities.

OAuth hijacked to bypass anti-phishing filters and #MFA: attacks now target the authentication mechanisms themselves.. #Cybersécurité #OAuth

Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets Microsoft details OAuth redirect abuse used to deliver ZIP malware and EvilProxy links to government targets.

This research by Microsoft is:

1) timely and actionable vulnerability analysis
2) the most Microsoft vulnerability chain I've ever seen, I swear to holy hell.

thehackernews.com/2026/03/microsoft-warns-...

#microsoft #oauth

Building Secure Token-Based Authentication with AWS and OmniToken As developers, we often face a common challenge: how to build a secure, scalable authentication system without reinventing the wheel. Token-based authentication has become the backbone of modern APIs and microservices, but implementing it correctly takes careful design.

"Building Secure Token-Based Authentication with AWS and OmniToken" by Kalyana Krishna Kondapalli

#ai #authentication #authorization #oauth #aws-api

Rate Limiting IdentityServer Endpoints Learn why rate limiting Duende IdentityServer endpoints is usually unnecessary, and when you do need it. Explore a layered approach using network proxies, ASP.NET Core middleware, and custom…

Should you add rate limiting to your Duende IdentityServer deployment? 🤔

Our new article breaks down the why (and why not), plus 3 implementation options.

Read the full article 👉 duende.link/87wrkjh

#dotnet #ASPNETCore #OAuth #OpenIDConnect

The link looked legitimate. OAuth said: “Oops, error!” and sent you to the scammer

📌 Link to the article: www.redhotcyber.com/post/qua...

#redhotcyber #news #cybersecurity #hacking #malware #phishing #oauth #microsoft #google #sicurezzainformatica

Threat actors weaponize OAuth redirection logic to deliver malware - Help Net Security An ongoing phishing campaign is abusing the OAuth authentication redirection mechanism to avoid triggering conventional defenses.

Threat actors weaponize OAuth redirection logic to deliver malware

📖 Read more:
www.helpnetsecurity.com/2026/03/03/a...

#CyberSecurity #CyberSecurityNews #OAuth

Microsoft warns of OAuth redirect abuse hitting government networks.

Attackers hijack redirect URIs, use EvilProxy AiTM phishing, steal session tokens & bypass MFA.

Identity governance is critical.

Have you audited your OAuth apps lately?
#CyberSecurity #OAuth #ZeroTrust

In LaraFoundry, a single OAuth callback does 5 things:

1. Create/update user
2. Auto-verify email
3. Pull Gravatar or generate avatar
4. Record session + device info
5. Auto-accept team invitations

All via Laravel Socialite. Zero manual wiring.

#Laravel #OAuth #PHP

Ever wonder what’s actually happening when you log into a site with your Gmail, Facebook, Apple, or Microsoft account?

It’s called OAuth. Here’s how it works — and whether it’s safe.

#Android #Apple #Bluesky #Community #Cyber #Facebook #Google #Internet #iPhone #Microsoft #OAuth #Samsung #Security

Your “AI coworker” won’t pop calc.exe. It’ll sweet-talk you into an OAuth consent grant, then quietly API-drain SaaS. First clue? New trust event. 🤖☠️

Get the tripwires (device-code + token telemetry) + subscribe: blog.alphahunt.io/if-your-ai-c...

#AlphaHunt #CyberSecurity #AI #OAuth
