Client authentication vs. PKCE
This month’s article covers a question I’ve received a few times: “Does OAuth’s Proof Key for Code Exchange (PKCE) replace client secrets?” The short answer is no: PKCE binds an authorization code to the client instance that started the flow, while client authentication proves which registered client is redeeming it at the token endpoint, so a confidential client still needs both. The article digs into it a bit further than that.
Client Authentication vs. PKCE: Do you need both?
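To make the distinction concrete, here is a small Python model of a token endpoint that performs both checks and shows what each one catches. This is an added illustration, not code from the article or from any real authorization server; the client ids, the secret, and the in-memory code store are constructed sample values, and a real server would also persist codes with an expiry and validate the redirect_uri.

```python
"""Toy model of an OAuth 2.0 token endpoint that performs both PKCE (RFC 7636,
S256 method) and client authentication. Added illustration for the newsletter's
point; not code from the article or from a real authorization server. Client
ids, the secret, and the in-memory code store are constructed sample values."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 range.
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# Constructed client registry: one confidential client, one public (native) client.
CLIENTS = {
    "web-app": {"confidential": True, "secret": "s3cr3t-example"},
    "native-app": {"confidential": False, "secret": None},
}

# Issued authorization codes: code -> (client_id it was issued to, code_challenge)
ISSUED_CODES: Dict[str, Tuple[str, str]] = {}


def authorize(client_id: str, code_challenge: str) -> str:
    """Authorization endpoint (simplified): records the challenge alongside the code."""
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = (client_id, code_challenge)
    return code


def token(client_id: str, code: str, code_verifier: str,
          client_secret: Optional[str] = None) -> str:
    """Token endpoint: returns 'ok' or an OAuth-style error code."""
    client = CLIENTS.get(client_id)
    if client is None:
        return "invalid_client"
    # Check 1, client authentication: proves WHICH registered client is calling.
    # Only confidential clients can do this; a public client has nothing to present.
    if client["confidential"]:
        if client_secret is None or not hmac.compare_digest(
                client_secret.encode(), client["secret"].encode()):
            return "invalid_client"
    entry = ISSUED_CODES.pop(code, None)  # codes are single-use
    if entry is None or entry[0] != client_id:
        return "invalid_grant"
    # Check 2, PKCE: proves the caller is the SAME client instance/session that
    # started the flow, whether or not that client is able to keep a secret.
    if not hmac.compare_digest(s256_challenge(code_verifier).encode(), entry[1].encode()):
        return "invalid_grant"
    return "ok"


def demo() -> Dict[str, str]:
    """Runs four scenarios and returns the token endpoint's verdict for each."""
    results = {}

    # Honest confidential client: both checks pass.
    verifier = make_code_verifier()
    code = authorize("web-app", s256_challenge(verifier))
    results["honest"] = token("web-app", code, verifier, "s3cr3t-example")

    # Code injection: a code issued to a victim's session is injected into the
    # legitimate client's own session. The client authenticates correctly (it
    # really is web-app) but its verifier belongs to a different session, so
    # only the PKCE check catches this.
    victim_verifier = make_code_verifier()
    victim_code = authorize("web-app", s256_challenge(victim_verifier))
    attacker_session_verifier = make_code_verifier()
    results["code_injection"] = token("web-app", victim_code,
                                      attacker_session_verifier, "s3cr3t-example")

    # Impersonation: someone holds a valid code and its verifier but not the
    # client secret, so only client authentication stops them redeeming it.
    verifier = make_code_verifier()
    code = authorize("web-app", s256_challenge(verifier))
    results["no_secret"] = token("web-app", code, verifier, None)

    # Public client: PKCE is the only binding available. It ties the code to the
    # session; it says nothing about which client is calling.
    verifier = make_code_verifier()
    code = authorize("native-app", s256_challenge(verifier))
    results["public_honest"] = token("native-app", code, verifier)

    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:15s} -> {verdict}")
```

Running it prints `ok` for the two honest flows, `invalid_grant` for the injected code (the secret was correct, PKCE failed) and `invalid_client` for the missing secret (PKCE would have passed, client authentication failed). Each check closes a gap the other leaves open, which is why a confidential client should send both.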
Since we last spoke
Since my last email there have been some new articles, mostly focusing on password UX and password hash migration.
Authenticated Encryption in .NET with AES-GCM
Learn how to use AES-GCM encryption in .NET for authenticated encryption, giving you the usual confidentiality and an additional integrity check.
Beware of Password Shucking
Learn how password shucking attacks rehashed or pre-hashed passwords by stripping away the strong outer password hashing algorithm, leaving only the weaker inner hash to crack.
Integrating ASP.NET Identity Password Policies with Password Managers
Learn how to automatically set HTML passwordrules based on your ASP.NET Identity password options, using the newpassword tag helper from ScottBrady.IdentityModel.
Perfecting the password field with the HTML passwordrules attribute
Learn how to integrate sign-up forms with password generators by using the autocomplete and passwordrules HTML attributes.
In other news
I am now a father! My son was born in April, and after 9 weeks, I’ve finally found some time to get my improved newsletter back on track.
If you have any article ideas, let me know. I’m always on the lookout for new topics!