Let's fix OAuth in MCP
Let's not overthink auth in MCP.
continue reading...
WeChat ID
aaronpk_tv
Aaron Parecki
Hi, I'm Aaron, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)
I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.
-
Director of Identity Standards at
Okta
-
IndieWebCamp
Founder
-
OAuth WG Editor
-
OpenID
Board Member
- π₯ YouTube Tutorials and Reviews
- π We're building a triplex!
- βοΈ Life Stack
- βοΈ Home Automation
-
Is it just me or does this current Model Context Protocol wave remind anyone of the early Web 2.0 days of everyone launching open APIs?
-
In case you missed it, our IPSIE webinar recording is now available! I had a great time chatting with Dean H. Saxe, George Fletcher, Gail Hodges, and Jeff Reich about what IPSIE is, why profiling existing specifications is so important, and the progress the working group has made so far! Thanks for the great conversation!
IPSIE:
Interoperability
Profile for
Secure
Identity in the
Enterprise
https://www.brighttalk.com/webcast/18458/636068 -
Chase sends 8-digit 2fa SMS codes, which seems excessive compared to the 6 that most other places use, but even weirder is that the first digit of them has always been the same, effectively making it a 7 digit code. Anyone know what's up with that?
-
At long last, the OAuth working group has finished the Best Current Practice for OAuth 2.0 Security and it was just published as RFC9700! This has been a long time in the works, and I'm very thankful to everyone who has helped out with it over the years!
https://www.rfc-editor.org/rfc/rfc9700.html
This is one of the major inputs to OAuth 2.1, so I'm also very excited to be able to move that forward this year as well! -
Congrats to BlueSky for launching OAuth support for apps! π https://docs.bsky.app/blog/oauth-atproto
-
Love seeing more US banks adopting OAuth!
-
Someone broke through the chain link fence last week, in broad daylight, while I was home, and didn't notice at the time.
I started thinking about what I could do about it, and it turns out the EA Unifi cameras have a new webhook feature. So now my cameras send a webhook to Home Assistant when someone crosses a virtual line, and it will trigger the siren. Since this is a line crossing event, not generic person detection, I can leave it armed 24/7, since nobody should be in that area at all. -
My IETF 120 Agenda
The sessions I will be attending and presenting at during IETF 120 in Vancouvercontinue reading... -
So #Identiverse is using an AI tool to summarize all the conference talks and it works about as terribly as you'd imagine.
Nowhere in my talk did I say "OAuth 3.0", nor did I say anything about global privacy regulation compliance. It straight up hallucinated quotes from me. π€¦ββοΈ
-
FedCM for IndieAuth
IndieWebCamp Düsseldorf took place this weekend, and I was inspired to work on a quick hack for demo day to show off a new feature I've been working on for IndieAuth.continue reading... -
OAuth for Browser-Based Apps has entered Working Group Last Call! Please share your comments in the next 2 weeks, even if it's just a general voice of support!
https://aaronparecki.com/2024/05/02/5/oauth-browser-based-apps-last-call -
OAuth for Browser-Based Apps Working Group Last Call!
The draft specification OAuth for Browser-Based Applications has just entered Working Group Last Call!continue reading... -
OAuth: "grant" vs "flow" vs "grant type"
Is it called an OAuth "grant" or a "flow"? What about "grant type"?continue reading... -
This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
-
The deadline to submit drafts ahead of the IETF meeting in November just passed, and I submitted my last one with 30 minutes to spare! Here are all the docs I'll be discussing:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-01.html
https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-00.html
https://www.ietf.org/archive/id/draft-parecki-oauth-metadata-for-nested-flows-00.html -
OAuth for Browser-Based Apps Draft 15
After a lot of discussion on the mailing list over the last few months, and after some excellent discussions at the OAuth Security Workshop, we've been working on revising the draft to provide clearer guidance and clearer discussion of the threats and consequences of the various architectural patterns in the draft.continue reading... -
Now that @1Password launched passkey support *and* it's integrated into iOS 17 with the 1Password app, I feel like I can finally actually take the plunge and set up passkeys everywhere!
No more passwords! and the login UX is so much better too!
