It's as safe as all the routable destinations Say, you have two backends: Prod and Dev; and the token contains a property env: prod or env: dev respectively. You first read the token payload, then route accordingly, and the backend then validates it. In this scenario, if Prod validates correctly, but Dev doesn't validate at all, then the attacker can gain access to the dev environment. However, if both environments were to validate the token correctly, there is no issue. The important takeaway is that you have to be fully aware, that any information you read before validating the token is potentially bogus. Do not make any security-relevant decision based on the content of the JWT before validating it.

Yes, Braintree calls it the "client token" because it needs to be sent to the client and used by the client SDK, so it can easily be picked up by users, e.g. from web browser developer tools. This is in contrast to your API credentials, which include your private key for example, and should be kept on the server, not on the client. I assume therefore that Braintree will have a secure design such that the client token can only be used for limited purposes, such as rendering a payment form, and only in conjunction with API calls you make from your server.

We could add a heder to the method. @GET() @Headers("@:auth") Call<String> login(String login, String pass); After that, interceptor Interceptor headerInterceptor = chain -> { Request original = chain.request(); Request.Builder builder = original.newBuilder(); List&lt;String&gt; annotations = original.headers().values("@"); if (annotations.contains("auth")) { //Добавить хэдеры нужные } //Удалить ненужный builder.removeHeader("@"); return chain.proceed(builder.build()); };

In the second paragraph, you must not have it. code to return, https://new.vk.com/dev/implicit_flow_user?f=3.%20Receiving%20access_token Parameter access_token♪ Look at the example. https://new.vk.com/dev/implicit_flow_user?f=1.%20Opening%20Authorization%20Dialog and try to use the following request to authorise the laser:https://oauth.vk.com/authorize?client_id={ИД приложения}&display=page&redirect_uri=https://oauth.vk.com/blank.html&scope=friends&response_type=token&v=5.37 UPD: if it's a website, you need to use a little. https://new.vk.com/dev/authcode_flow_user type of authorization. Everything is divided into two stages. First It's the same parameter. redirect_uri instead https://oauth.vk.com/blank.html I need to set up the address of your website where the redirector will be made. In the man about redirect_uri It is said:the address must be representative of the main house in question. Annex settings and listed values on the list of certified redirect uri - addresses equal to path-partAt the end of this phase, you ( your website) https://new.vk.com/dev/authcode_flow_user?f=3.%20%D0%9F%D0%BE%D0%BB%D1%83%D1%87%D0%B5%D0%BD%D0%B8%D0%B5%20code It's a parameter. codeAah! Second You need to go. https://new.vk.com/dev/authcode_flow_user?f=4.%20%D0%9F%D0%BE%D0%BB%D1%83%D1%87%D0%B5%D0%BD%D0%B8%D0%B5%20access_token access_tokenusing the first phase code♪ The manuale indicates that there are time limits for this phase:The code parameter may be used within 1 hour for receipt The access key to API access_token from your server.https://oauth.vk.com/access_token?client_id={ИД приложения}&client_secret={Секретный ключ}&redirect_uri={тот же адрес, что и на первом этапе}&code={полученный на первом этапе code} I'll also point out what's used. redirect_uri should coincide with what was used in the first phase:URL used in obtaining the code in the first phase Authorization. There must be analogous to the transfer at the authorization.And these two stages are just the authorisation of the user, that is, only the second point of your question. Time of life access_token may be final, it will have to be updated in a while (seemally, only phase two).

in callback from vk@Override public void onResult(VKAccessToken res) { // это будет твой токен res.accessToken; }

It's not complicated.(1) Each application has guid.(2) You copy in your annex (e-mail+password for example) and record in the copying database for this annex (guid), generating an arbitrary token (any key, more often stringular), e.g. md5 from email+time().(3) Turning to the closed parts of your api, you transmit guid+token, and your annex checks if the token for this guid exists (and is not closed, so you can give him life, or close it at logout of the user from the application), then give the answer, and if it's closed, send the copy.It's a very common mechanism, just to explain the pattern of work. In fact, someone makes it harder, someone changes something, someone leaves it. For example, instead of writing your own copying, it is possible to reboot oauth. Although writing does not present particular difficulties; )

In the first place, you don't have a-a-a-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha.Secondly, you're wise with a bunch. Try throwing them away with CURLOPT_COOKIESESSION true.Thirdly, check your client's construction client_id=2890984, maybe it doesn't exist at all.

Just recently, I've seen it. To get the token, you need to write your app_id to VKSdk. There are still problems with maintaining access_token on the device.I will. The response was erroneous and followed from the wrong connection of the library.

https://ru.wikipedia.org/wiki/OpenID / https://ru.wikipedia.org/wiki/OAuth ?That is, the idea of identifying the user through an outside resource, such as a social network.

Privacy https://vk.com/dev/oauth_dialog Standalone The annexes in the Contact Act are redirected to the address "oauth.vk.com/blank.html" and the token is contained in the address line. Get him out of there software. only on the web component you have control, in the annex. http://electron.atom.io/ ♪ Standard tools are not possible because of the browser security policy, the document is in the vk house, and any of your violators have no access to it.If you still want to try the full software and authorise the application, you can try and use it. curl and correctly process HTML. Reducing the number of violators can help the parameter &display=mobile In the original copying reference.

Usually, that's how it works.Choose where we keep the token. Anything, it's safe, that's code.When you start apps, see if there's a token. If there is, use it.If not, we send the user to get it.If any of the requests for a server receives 401, remove the token and send the user back (Login)If the user makes Logout, remove the token and finish the annex.That's what I said.

The solution, when the encryption pass is generated in the summer on the basis of a unique identifier of the device + salt + PIN user, is considered to be sufficiently reliable even for bank mobile applications. The RFID/NFC user &apos; s user &apos; s tag, QR-code, etc. can be used instead of the user &apos; s PIN. But there is a question about the level of user training. By deleting the user, you exclude an important link in the accidental password generation, which is quite difficult to replace by a technical solution.

The thing is, when the tokens are glued, it's not open. In order to reveal them, you need to use the extra intermediate macroes:#define Choose A #define Const Argument #define ArgumentA 0x31 #define ArgumentB 0x32 #define PASTE_EXPANDED(x, y) PASTE(x, y) #define PASTE(x, y) x ## y #define FinalArgument (PASTE_EXPANDED(Const, Choose)) Verification: http://ideone.com/5xYGmx

In principle, it's right, though confused, to describe a little bit. It's easier.Other matters:No, not like that. Difference of rights.For authorization, it's not usually a big one than "poss to get a user name." In the authentication dialogue, the user sees all the rights that he requires, and if he does not, he may refuse. Well, at the API level, there are usually no critical actions. Let's say the password or e-mail of the user on access totoken is virtually nowhere to be changed.Yes, very desirable. Well, most of the services don't even let us work through an uncoded connection.However, in the case of explict-authorization, except between the service and your server, access-texane is not being transferred anywhere. So if you use an uncoded connection, only your host can intercept the token or your host. Which, however, could potentially be unpleasant.It's common to do differently, by requesting new access, using static refresher and old access token. The user doesn't see anything, but access to the currents are constantly being replaced by new ones. Someone's doing this once a day, and someone's got a couple hours. Compromised toxins are naturally invalid.If a request is received with an incorrect combination of refresh-tocken and access-tocken, the service shall automatically render both currents invalid, and accordingly the user will see the annex authentication window again.But it's if the service even gives you refreshments. Regrettably, they're opportune, and they don't give them out in Connecticut, different from Google and Facebook. In this case, it is only possible to request from time to time something available to your annex. After the expiry of the current period, the service will be issued in response to a mistake of 400 with error=invalid_grant - in which case the application shall re-export the user to the service application authentication form to obtain a new access current.Yeah, well. That's what a lot of people do. By the way, copying has been working on most sites since the Internet was established. Login-couple is transferred to the service only once, some token (e.g., heh, anything) is returned, it is retained in storage (e.g. cookies), and the token itself is used for copying in the next time. Presided emails and passwords for such a token are not allowed to change.Not only. The main purpose of the application registration is to enable the Administration to disable all the annex of the developer in connection with the implementation of the annex of any harmful actions or in the case of a mass compromising of the users of the annex. No, not on the application server. The application server simply sends a refresher service and gets a new access-token.

You're generating CSRF-ocken. sidI've been named every time. Of course they will never be equal.There are two ways to solve the problem:Install CSRF-tocken after all the content is generated but before it goes. It's not your approach, because your HTML code is php-box. If you used, say, a template, this approach could look like:session_start(); $response = generate_body(); // тут происходит вся обработка // тут можно выставить какие-нибудь заголовки $_SESSION["sid"] = md5(time() . rand(0, 10000)); echo $response Remind the previous meaning of the token and compare it to it.$previous_token = $_SESSION["sid"]

That's impossible.At least without challenges strtok♪Speaking of which, strtok() irreversibly alters its argument (write zero after another token).As an alternative to strtok, I can draw attention to http://pastebin.com/6XBP0KZH (documentation (as in fact always:) is missing, but there's nothing complicated there, I think you'll figure it out).

Actually, https://ru.wikipedia.org/wiki/%D0%9C%D0%B5%D0%B6%D1%81%D0%B0%D0%B9%D1%82%D0%BE%D0%B2%D0%B0%D1%8F_%D0%BF%D0%BE%D0%B4%D0%B4%D0%B5%D0%BB%D0%BA%D0%B0_%D0%B7%D0%B0%D0%BF%D1%80%D0%BE%D1%81%D0%B0 -Protection. So you don't get any real requests from your website.

Try adding this design to the code:if (data === undefined) { data = {}; } data.token = '123';

using System.Collections.Generic; using System.Windows.Forms; using System.Data.SqlClient; using System.IO; using System.Net; using System; using Newtonsoft.Json.Linq; using System.Security.Cryptography.Pkcs; using System.Security.Cryptography.X509Certificates; namespace Check_SSCC { public partial class Form1 : Form { const String signerName = "*****@*****.***", //Константа для поиска сертификата, легче всего взять e-mail client_secret = "********-****-****-****-************", //Взят из ЧЗ client_id = "********-****-****-****-************", //Взят из ЧЗ user_id = "****************************************", //Можно взять как на ЧЗ, так и самому посмотреть (отпечаток сертификата) auth_type = "SIGNED_CODE"; //Взят из ЧЗ public Form1() { InitializeComponent(); } private void button1_Click(object sender, EventArgs e) { string MyToken = token(); . . . // Дальше делаем что хотели } private string token() { //code dynamic stuff, stuff2; string code_json, token_json; var httpWebRequest = (HttpWebRequest)WebRequest.Create("https://api.mdlp.crpt.ru/api/v1/auth"); httpWebRequest.ContentType = "application/json"; httpWebRequest.Method = "POST"; using (var streamWriter = new StreamWriter(httpWebRequest.GetRequestStream())) { string json = "{\"client_secret\":\""+ client_secret + "\","+ "\"client_id\":\""+ client_id + "\","+ "\"user_id\":\""+ user_id + "\","+ "\"auth_type\":\""+ auth_type + "\"}"; streamWriter.Write(json); } var httpResponse = (HttpWebResponse)httpWebRequest.GetResponse(); using (var streamReader = new StreamReader(httpResponse.GetResponseStream())) { code_json = streamReader.ReadToEnd(); stuff = JObject.Parse(code_json); } //signature // Переводим исходное сообщение в массив байтов. byte[] msgBytes = System.Text.Encoding.Unicode.GetBytes(Convert.ToString(stuff.code)); //Поиск сертификата X509Certificate2 signerCert = GetSignerCert(); //создаем подпись byte[] encodedSignature = SignMsg(msgBytes, signerCert); string signature = Convert.ToBase64String(encodedSignature); //token var httpWebRequest2 = (HttpWebRequest)WebRequest.Create("https://api.mdlp.crpt.ru/api/v1/token"); httpWebRequest2.ContentType = "application/json"; httpWebRequest2.Method = "POST"; using (var streamWriter2 = new StreamWriter(httpWebRequest2.GetRequestStream())) { string json2 = "{\"code\":\"" + Convert.ToString(stuff.code) + "\",\"signature\":\"" + signature + "\"}"; streamWriter2.Write(json2); } var httpResponse2 = (HttpWebResponse)httpWebRequest2.GetResponse(); using (var streamReader2 = new StreamReader(httpResponse2.GetResponseStream())) { token_json = streamReader2.ReadToEnd(); stuff2 = JObject.Parse(token_json); } string token = Convert.ToString(stuff2.token); return token; } // Открываем хранилище 'My' и ищем сертификат // для подписи сообщения. Сертификат должен // иметь поля Субъект (subject name) "*****@****.***". static public X509Certificate2 GetSignerCert() { // Открываем хранилище My. X509Store storeMy = new X509Store(StoreName.My, StoreLocation.CurrentUser); storeMy.Open(OpenFlags.ReadOnly); // Ищем сертификат для подписи. X509Certificate2Collection certColl = storeMy.Certificates.Find(X509FindType.FindBySubjectName, signerName, false); // Проверяем, что нашли требуемый сертификат if (certColl.Count == 0) { MessageBox.Show("Сертификат не найден"); } storeMy.Close(); // Если найдено более одного сертификата, // возвращаем первый попавшийся. return certColl[0]; } // Подписываем сообщение секретным ключом. static public byte[] SignMsg(Byte[] msg, X509Certificate2 signerCert) { // Создаем объект ContentInfo по сообщению. // Это необходимо для создания объекта SignedCms. ContentInfo contentInfo = new ContentInfo(msg); // Создаем объект SignedCms по только что созданному // объекту ContentInfo. // SubjectIdentifierType установлен по умолчанию в // IssuerAndSerialNumber. // Свойство Detached устанавливаем явно в true, таким // образом сообщение будет отделено от подписи. SignedCms signedCms = new SignedCms(contentInfo, true); // Определяем подписывающего, объектом CmsSigner. CmsSigner cmsSigner = new CmsSigner(signerCert); // Подписываем CMS/PKCS #7 сообщение. signedCms.ComputeSignature(cmsSigner); // Кодируем CMS/PKCS #7 подпись сообщения. return signedCms.Encode(); } } } All you need is:change Constants;insert string MyToken = token() in its event;Copy functions private string token()♪ static public X509Certificate2 GetSignerCert() and static public byte[] SignMsg(Byte[] msg, X509Certificate2 signerCert);Set Newtonsoft package. Json (JPON is easier, used it).

User - it's one account. Bot - Just the same account as the user, just automated. Library discord.py There's a way to automate the user. https://discordpy.readthedocs.io/en/stable/ext/commands/api.html#discord.ext.commands.Bot.self_bot I'm sure you can't get another user's object using your token. And as the commentators have said above, for the use of selph-bots, i.e., bot users, you can get a permanent banana from Discord if someone complains about you. So it's it's best to just develop a bot, not a selph-bot, and not find adventures. Good luck!