Developer Blog & Articles

Impersonating users by abusing broken “Sign in with” implementations

Applications that implement a "Sign in with ..." flow must not use a mutable identifier to match external users to the internal user management system. Several web applications implementing "Sign in with GitHub" have been found to be vulnerable to this.


Approaching Access Control on the Web: HTTP Authentication

This is the first blog post of a multi-part series about access control on the web. The goal of this series is to be the go-to guide for anyone who needs help setting up access control (authentication and authorization) for their web application.


Zero Trust API Access Control on Kubernetes

Control access to your APIs with cloud native ORY Oathkeeper and the Ambassador Reverse Proxy on Kubernetes.


Mobile and native app authorization with OAuth 2.0

Read this guide to learn how to implement authentication and authorization for mobile, browser, and native apps with a better user experience and stronger security.


Run your own OAuth 2.0 Server

In this guide, you will set up a hardened, fully functional OAuth 2.0 (OAuth2) server. It will take you about 15 minutes. We will use ORY Hydra (open source), a security-first OAuth2 and OpenID Connect server written in Go.


Accurate code coverage in Go

This article introduces you to the problem of reporting accurate code coverage using the Go programming language, and offers a solution that runs on any operating system.
