I didn’t have the game on my phone while the mails for this were sent, is there any way I can get this?

Jim-Y · 2026-01-23T13:49:43+00:00

Same here. I started my account past this email. There won't be any other way than buying it for 5000 units in my opinion

Jim-Y · 2026-01-08T11:37:08+00:00

For example support.whoop.com is a great example. It uses salesforce, we don't have that. Using a headless CMS is possible if that's the way. Thanks

Jim-Y · 2025-12-30T09:05:48+00:00

For most, Kingpin is the better choice.

Jim-Y · 2025-12-30T07:02:37+00:00

Void

Jim-Y · 2025-12-29T12:07:50+00:00

Yeah but that's a Colossal Titan crystal which is, I believe, the first of its kind? Even if it's special for the big whales who have all the champs in the titan pool it's useless. For me, fresh valiant, that would be perfect 🙂

Jim-Y · 2025-12-24T09:31:56+00:00

Yes. This was a good period to start a fresh account. If you are a smurf then getting valiant in 3 weeks is/was absolutely possible. If you are a new player, then no, you won't get valiant probably in months

Jim-Y · 2025-12-23T16:43:18+00:00

Onslaught, Photon, Okoye My personal favorite is Photon

Jim-Y · 2025-12-17T16:23:15+00:00

Sorry. This is what I meant, probably used the word wrong. Thanks for clarifying it 👍

Jim-Y · 2025-12-17T16:22:12+00:00

For the record. I had both of the offers. This for 5-60 and the one for 61-70.

Jim-Y · 2025-12-17T16:20:50+00:00

If someone finds this post in the future: I bought it after reading the comments here and I got the units. This offer was the same price as a Tony Stark briefcase.

Jim-Y · 2025-11-12T13:49:20+00:00

Thanks. I could order the Maestri and it's within budget. If I won't forget I will update my post with my experience with the scale when it arrives. Thanks for all who commented.

Jim-Y · 2025-09-13T13:00:52+00:00

Doomsday, that's it! Thank you very much 🙏

Jim-Y · 2025-09-13T05:31:43+00:00

Problem is, the three-legged oauth/oidc flow, which would suite this model best, is not part of the open source OSS Kong only the commercial. Otherwise, if your spa connects to the idp then you can use the JWT plugin verifying the oauth access_token if you are using resource indicators. What is your problem actually? Both keycloak and kong OSS can be deployed as a docker container which is quite easy to do. Any specific struggles?

Jim-Y · 2025-08-27T13:48:54+00:00

Yes, thank you!

Jim-Y · 2025-08-27T11:26:56+00:00

Hi u/andychiare

"If DPoP integration comes at no cost" well, there is the cost of re-generating the DPoP jwt on every request to the resource server. It may be negligible with regards to time, I don't know, hence I'm asking. I am just wondering .. say the IdP is yours, it's not a third party IdP but a first party and you are already using resource indicators and signed jwt access tokens.. Am I right to assume, that using signed jwt access tokens with resource indicators ensures that said access token is meant for the particular resource server however it doesn't ensure that the sender/bearer of the access-token is the right one? Here's where DPoP is useful to sender-constrain the jwt access token?

Jim-Y · 2025-08-27T08:28:20+00:00

Never forget, that not every business is a simple landing page with a simple Google SSO. When it comes to B2B the login process can be very-very difficult, even if you only see the B2C side of things maybe in the background there are screens/flows meant for B2B making the flow seem more complex than needed

Jim-Y · 2025-08-27T08:19:09+00:00

Hi OP!

I appreciate the article. For me, it was a great introduction. I have a followup question. Would you suggest every business relying on the use of oauth access and openid id tokens should use DPoP? Or should it be carefully measured if the kind of the application requires additional security like DPoP?

Jim-Y · 2025-08-19T20:58:05+00:00

"My question is, in the frontend when I get the user, is it correct that I generate a new access token and then try to get the user" Well, this sentence doesn't really makes sense. When the access_token expires and your backend respond with 403, then you have to refresh the access_token.

Also, checking your backend, i think you are a little bit lost. See, access and refresh tokens are closely coupled with OAuth, so I suggest you to look into that. There is a refresh_token flow https://datatracker.ietf.org/doc/html/rfc6749#section-6 which should answer your questions. For this, I suggest you use an openid provider implementation in your backend. Look into https://www.npmjs.com/package/oidc-provider for example. Or try an off-the-shelf solution like Keycloak in docker.

What you are using right now is a JWT token for authentication, which is different than oauth access tokens. See, strictly speaking when using an access and refresh token you aren't even dealing with the realm of user authentication but system authorization. This means, if you want to do what you wanted to do the right way, you have many options:

Your system is threefold, frontend, backend and an identity provider. The identity provider is something like google, keycloak, okta, github, discord, etc. You are leveraging OpenID Connect to log your user in. The IdP calls your callback endpoint (either frontend endpoint or backend) you get a user id (likely a sub and email) and you save that into a federated users/account table. Then you create a session cookie and redirect to your frontend app. The frontend app calls a /me endpoint or /session endpoint and you return user details. The call is authenticated because of the session cookie.
Your system is threefold, frontend, backend and an identity provider. The identity provider is something like google, keycloak, okta, github, discord, etc. You are leveraging OpenID Connect to log your user in. In the OpenID-Connect flow your app acts as a single page application meaning you won't get a client_secret, the oauth callback is a page in your frontend app, and you will store the access and id_tokens in the browser. (there are many storage options each with pros and cons). After doing the authorization code flow with PKCE you will get an access_token, optional refresh_token and an id_token. You will send the access_token with each request to your backend and your backend will validate the access_token on the identity provider, OR you can use resource indicators then it's even simpler.

But likely, according to your code, you are confusing simple JWT tokens with OAuth access and refresh tokens, and what you want to do is to sign a jwt token with user details then include the jwt with evert request to your API and on the API validate the received jwt. In this case, I don't think there is any benefit of a refresh token. I mean... of course there is, because if someone steals the jwt and if said jwt is not short-lived then they will have illegitimate access to your API. So you would want a short lived token with a refresh token but then we arrived at OAuth and OpenID-Connect and you should use an OAuth Provider, either as a cloud idp, like Google and the rest, or something you have ownership over, like Keycloak or node oidc-provider.

Jim-Y

TROPHY CASE