WeChat ID
aaronpk_tv
Aaron Parecki
Hi, I'm Aaron, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)
I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.
-
Director of Identity Standards at
Okta
-
IndieWebCamp
Founder
-
OAuth WG Editor
-
OpenID
Board Member
- π₯ YouTube Tutorials and Reviews
- π We're building a triplex!
- βοΈ Life Stack
- βοΈ Home Automation
-
Here for MCP Night
-
Enterprise-Ready MCP
I've seen a lot of complaints about how MCP isn't ready for the enterprise.continue reading... -
In two weeks I'll be speaking at the MCP Dev Summit in San Francisco! It's going to be a great day packed with back to back sessions.
In less than a year, the MCP project has quickly reshaped how developers are building AI agents. My talk, "Intro to OAuth for MCP Servers", will cover the basics of the new MCP authorization protocol and set the stage for building secure MCP servers.
https://mcpdevsummit.ai/#agenda -
Is it just me or does this current Model Context Protocol wave remind anyone of the early Web 2.0 days of everyone launching open APIs?
-
In case you missed it, our IPSIE webinar recording is now available! I had a great time chatting with Dean H. Saxe, George Fletcher, Gail Hodges, and Jeff Reich about what IPSIE is, why profiling existing specifications is so important, and the progress the working group has made so far! Thanks for the great conversation!
IPSIE:
Interoperability
Profile for
Secure
Identity in the
Enterprise
https://www.brighttalk.com/webcast/18458/636068 -
Chase sends 8-digit 2fa SMS codes, which seems excessive compared to the 6 that most other places use, but even weirder is that the first digit of them has always been the same, effectively making it a 7 digit code. Anyone know what's up with that?
-
At long last, the OAuth working group has finished the Best Current Practice for OAuth 2.0 Security and it was just published as RFC9700! This has been a long time in the works, and I'm very thankful to everyone who has helped out with it over the years!
https://www.rfc-editor.org/rfc/rfc9700.html
This is one of the major inputs to OAuth 2.1, so I'm also very excited to be able to move that forward this year as well! -
Congrats to BlueSky for launching OAuth support for apps! π https://docs.bsky.app/blog/oauth-atproto
-
Love seeing more US banks adopting OAuth!
-
Someone broke through the chain link fence last week, in broad daylight, while I was home, and didn't notice at the time.
I started thinking about what I could do about it, and it turns out the EA Unifi cameras have a new webhook feature. So now my cameras send a webhook to Home Assistant when someone crosses a virtual line, and it will trigger the siren. Since this is a line crossing event, not generic person detection, I can leave it armed 24/7, since nobody should be in that area at all. -
My IETF 120 Agenda
The sessions I will be attending and presenting at during IETF 120 in Vancouvercontinue reading... -
So #Identiverse is using an AI tool to summarize all the conference talks and it works about as terribly as you'd imagine.
Nowhere in my talk did I say "OAuth 3.0", nor did I say anything about global privacy regulation compliance. It straight up hallucinated quotes from me. π€¦ββοΈ
-
FedCM for IndieAuth
IndieWebCamp Düsseldorf took place this weekend, and I was inspired to work on a quick hack for demo day to show off a new feature I've been working on for IndieAuth.continue reading... -
OAuth for Browser-Based Apps has entered Working Group Last Call! Please share your comments in the next 2 weeks, even if it's just a general voice of support!
https://aaronparecki.com/2024/05/02/5/oauth-browser-based-apps-last-call -
OAuth for Browser-Based Apps Working Group Last Call!
The draft specification OAuth for Browser-Based Applications has just entered Working Group Last Call!continue reading... -
OAuth: "grant" vs "flow" vs "grant type"
Is it called an OAuth "grant" or a "flow"? What about "grant type"?continue reading... -
This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
