In this article we will talk about

  • OAuth 2.0 Public clients with focus on native apps
  • PKCE extension to the Authorization Code grant type- specifically how it mitigates the code interception attack
  • Managing Refresh Tokens for native apps — verifying client Identity

This article assumes some level of familiarity with OAuth2 and Authorization Code Grant flow in particular.

What is a Public Client?

Public clients fall in two categories — native apps or javascript apps (also called SPA or user-agent based application)

Native applications are clients installed and executed on resource owner device e.g. desktop and mobile apps.

The key thing to note about Public…

This series of posts and associated code is aimed at removing the mystery of SAML implementation and highlight what is happening in the common SAML workflows.

What is SAML?

  • Security Assertion Markup Language (better known as its acronym, SAML) is a protocol for authenticating to web applications.

But why do we need such a protocol?

  • Imagine you build a web application which you would want to sell to Enterprises.
  • Now, as the users (say employee of this company) access your application, you would like them to authenticate against the company login system.

🔥 Of course the other choice is that users register with your application and then your app maintains their…

Google Protobuf development guide notes the following —

Protocol Buffers are not designed to handle large messages. As a general rule of thumb, if you are dealing in messages larger than a megabyte each, it may be time to consider an alternate strategy.

This blog walks through implementation of one such strategy. Basic familiarity with Go and Protobuf is assumed

The Message

Lets define a simple message, Book as following —

message Book {    string title = 1;    string author = 2;    string isbn = 3;    string overview =4;

Goal : We would like to marshal arbitrarily large number of Book…

This tutorial provides a basic Go introduction to working with protocol buffer Oneof field type. This can come in handy, when dealing with messages carrying values, which can be one of many given types. Another use case is message values representing a collection of heterogenous types.

Pre-requisite : This post assumes reader has basic understanding of Go and Protobuf.

Defining the Message

  • Lets define a message that contains a collection of patching instructions
  • Each patching instruction can either be a Copy operation or an Insert operation. These are heterogenous types

This is a good use of Oneof type. …

Why do we need Rate Limiting?

Picture this : You have a service with a great REST API, and its being used by many clients. These could be services within your own organization or some third party applications.

It’s all going good but one day lightening strikes.

Users are complaining of high latency and your service being unavailable intermittently. You investigate and find out that one of your clients was hitting your API 10X times than its normal request rate, that led to 100% CPU utilisation on your DB and other resources. When that client cools off, things become normal. …

There is tonne of information available on Go Concurrency and context usage like the context package, this blog and this but it can be a bit overwhelming. This article attempts to explain Context via a simple but perhaps the most common use case you would find in Microservices architecture.


Article assumes that Reader is familiar with Goroutines, channels and HTTP

Why Context?

The primary idea behind context is the ability to cancel unneeded work.

  • A calls B
  • B starts to do work
  • While B is working, A no longer needs the result either because B is slow, or A’s caller no longer…

Image courtesy :

Part II of the tutorial dealt with complex CORS requests and pre-flight check by the browsers. In this final part, we look at dealing with cookies in CORS . We will also look at subtle differences between same site and same origin and how it impacts cookie behaviour.


By default, Cookies are neither set nor sent in CORS Requests. Let’s see that in a bit more detail.

The Cookie Demo Page

  • Its a simple HTML page served by the PageServer, which allows you to play with different scenarios
  • What we are going to do is first make a request to APIServer for user “john”…

Image courtesy :

Continuing from Part-I where we successfully handled a cross-origin “simple” request, lets see what non-simple requests are and what we can do to enable support for such requests.

Example #2 — Complex Requests

Starting from where we left off. We were running a PageServer serving HTML pages and an APIServer serving GetUser API call to return User JSON.

Lets see what happens when we now try to create a user using Javascript

  • Point your browser to createUser.html . You should see something like this

Image courtesy :

Richer and interactive web pages today are built using dynamic client side scripting. It’s extremely common to have the javascript in the page interact with different web APIs transparently, to provide a smooth experience to the user. But when the script in your page needs to interact with APIs that belong to a “different” origins then it comes in conflict with browser’s same origin policy.

This article aims to provide a complete hands-on tutorial to help you understand CORS in detail, as well as what is needed to support Cross Origin request by Servers


To try live demos as you…


In the previous article, we looked at how a JWS RSA signature can be validated by fetching information about the public key via a JWK. We overlooked certain aspects which we will discuss in this article to get a deeper understanding.

So lets take a look again at our JWK, which defined the key used to sign the sample JWT we had -

{"alg": "RS256","kty": "RSA","use": "sig","x5c": ["MIIDBzCCAe+gAwIBAgIJakoPho0MJr56MA0GCSqGSIb3DQEBCwUAMCExHzAdBgNVBAMTFmRldi1lanRsOTg4dy5hdXRoMC5jb20wHhcNMTkxMDI5MjIwNzIyWhcNMzMwNzA3MjIwNzIyWjAhMR8wHQYDVQQDExZkZXYtZWp0bDk4OHcuYXV0aDAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkM1QHcP0v8bmwQ2fd3Pj6unCTx5k8LsW9cuLtUhAjjzRGpSEwGCKEgi1ej2+0Cxcs1t0wzhO+zSv1TJbsDI0x862PIFEs3xkGqPZU6rfQMzvCmncAcMjuW7r/Zewm0s58oRGyic1Oyp8xiy78czlBG03jk/+/vdttJkie8pUc9AHBuMxAaV4iPN3zSi/J5OVSlovk607H3AUiL3Bfg4ssS1bsJvaFG0kuNscoiP+qLRTjFK6LzZS99VxegeNzttqGbtj5BwNgbtuzrIyfLmYB/9VgEw+QdaQHvxoAvD0f7aYsaJ1R6rrqxo+1Pun7j1/h7kOCGB0UcHDLDw7gaP/wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQwIoo6QzzUL/TcNVpLGrLdd3DAIzAOBgNVHQ8BAf8EBAMCAoQwDQYJKoZIhvcNAQELBQADggEBALb8QycRmauyC/HRWRxTbl0w231HTAVYizQqhFQFl3beSQIhexGik+H+B4ve2rv94QRD3LlraUp+J26wLG89EnSCuCo/OxPAq+lxO6hNf6oKJ+Y2f48awIOxolO0f89qX3KMIkABXwKbYUcd+SBHX5ZP1V9cvJEyH0s3Fq9ObysPCH2j2Hjgz3WMIffSFMaO0DIfh3eNnv9hKQwavUO7fL/jqhBl4QxI2gMySi0Ni7PgAlBgxBx6YUp59q/lzMgAf19GOEOvI7l4dA0bc9pdsm7OhimskvOUSZYi5Pz3n/i/cTVKKhlj6NyINkMXlXGgyM9vEBpdcIpOWn/1H5QVy8Q="…


Software Factotum

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store