We didn't use Identity Server or another similar solution simply because we wanted to show the end users how JWT works under the hood and that it could be easily implemented.
Our code uses well-tested system libraries, so there are no real threats or bugs AFAIK. The password is being hashed using one-way PBKDF2 etc., so basically, it's almost impossible to do a brute force if your password is strong enough. Our code doesn't save a password in any logs.
IdentityServer is a great solution, and it might be a part of the next release of ASP.NET Core, but we didn't want the programmers who explore the code to have to get familiar with another quite sophisticated library.
At some point in the future, there's a chance that we will create a new service using one of the solutions that you suggested.
I'm happy to hear that my answer was clear enough :).
Most of the utilities that we use are our wrappers on top of existing libraries, to keep the overall solution simple and cloud-agnostic.
Why not use IdentityServer or OpenIdDict, which are the most complete and tested frameworks?
You use ROPC
I recently read that ROPC may have several security holes; this link addresses some of them:
https://tools.ietf.org/html/rfc6749#section-10.7
brute force, save password in client log, others ...
What is your opinion about this?