  • Aaron Parecki
    As I continued last weekend's documentation of all the unspecified parts of OAuth 2.0, things were going pretty well until I hit the "Security Considerations" section, which recommends but doesn't require a whole bunch of things. Basically this means an API can be fully OAuth 2.0 compliant and also completely insecure.

    If you want to know more, keep an eye out for this blog post. Or hire me as an independent OAuth consultant and I'd gladly spend a day with you.
    Portland, Oregon, USA
    Sat, Nov 22, 2014 7:23pm -08:00 #oauth2 #oauth
    • ĎÚβĨŐÚŚ Dod DubiousDod.org/indie
      @aaronpk “Basically this means an API can be fully OAuth 2.0 compliant and also completely insecure”. Amen to tha… dubiousdod.org/indie/2014/11/…
      Sun, Nov 23, 2014 9:21pm +00:00 (via brid-gy.appspot.com)
    • The Dod dubiousdod.org/indie
      “Basically this means an API can be fully OAuth 2.0 compliant and also completely insecure”. Amen to that: “Framework, not protocol, they said. Coming a mess big frameworks authorization in” Homakov, Yoda, et al, 2013 :)
      Mon, Nov 24, 2014 4:20am +07:00
    • Aaron Parecki facebook.com/11500459
      Heh sure, when?
      Sun, Nov 23, 2014 2:46pm +00:00 (via brid-gy.appspot.com)
    • Robin Jones Maloney facebook.com/745329739
      Want to come to NYC with me and help a customer sort this out? Seriously!
      Sun, Nov 23, 2014 2:17pm +00:00 (via brid-gy.appspot.com)
    • Alex Kawas facebook.com/3324802
      I remember reading that section about a year ago when I thought I found a privilege escalation vulnerability in an oauth2 API. Standards should be standard...
      Sun, Nov 23, 2014 5:12am +00:00 (via brid-gy.appspot.com)
    • Josh Highland facebook.com/674843583
      I like your style
      Sun, Nov 23, 2014 4:57am +00:00 (via brid-gy.appspot.com)
Posted in /notes

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.