69°F

Aaron Parecki

  • Articles
  • Notes
  • Photos

Thursday, May 4, 2017

← Older → Newer
  • 10:17pm
    Asleep
    5:47am
    Awake
    7h 30m
    Slept
    21m
    Awake for
    Portland, Oregon, USA
    Thu, May 4, 2017 5:47am -07:00
  • Patrick Schaller http://F3Development.com   •   May 4
    @aaronpk I was just reading your article https://goo.gl/IF9r2O which was helpful. Is using SafariViewController the only safe auth on iOS?
    Aaron Parecki
    @rogue__leader Thanks! That, or launching Safari or the service's native application. SafariViewController will provide the best UX.
    Portland, Oregon
    4 replies
    Thu, May 4, 2017 10:13am -07:00 #oauth2
  • Patrick Schaller http://F3Development.com   •   May 4
    Awesome! I'm getting a lot of push back on the visible URL. I'm wondering how/why so many mobile apps don't show it. Thoughts?
    Aaron Parecki
    @rogue__leader Prior to SafariViewController, devs weren't willing to bounce ppl out of the app, the only other way to have a visible URL
    Portland, Oregon
    2 replies
    Thu, May 4, 2017 10:17am -07:00
  • Patrick Schaller http://F3Development.com   •   May 4
    Awesome! I'm getting a lot of push back on the visible URL. I'm wondering how/why so many mobile apps don't show it. Thoughts?
    Aaron Parecki
    @rogue__leader The problem with embedded WebView is users will have to type their password there anyway, since it doesn't share cookies
    Portland, Oregon
    Thu, May 4, 2017 10:17am -07:00
  • Patrick Schaller http://F3Development.com   •   May 4
    Awesome! I'm getting a lot of push back on the visible URL. I'm wondering how/why so many mobile apps don't show it. Thoughts?
    Aaron Parecki
    @rogue__leader SafariViewController is the best of both worlds. Visible URL, no bouncing out of application, shared cookies.
    Portland, Oregon
    1 reply
    Thu, May 4, 2017 10:18am -07:00
  • Patrick Schaller http://F3Development.com   •   May 4
    Sorry, I meant I'm being told the URL can't be visible and they are holding up other mobile apps login as examples that do not show it.
    Aaron Parecki
    @rogue__leader Yeah sorry, 140 chars isn't enough ๐Ÿ˜ญ

    Before SFSafariView, the only way to securely do OAuth was to launch the native Safari browser. This meant you'd get bounced out of the app, which a lot of developers didn't want to do to their users. I don't disagree that this was a bad experience, and plenty of people feel the same.

    What ended up happening is people instead started embedding the WebView into their apps, in order to avoid having their users bounce out of the app and come back. The compromise in this case is that people would have to type their password to log in, because the embedded WebView doesn't share cookies with the system browser.

    It took Apple a long time to roll out SFSafariView, so there are just a lot of apps out there that still have the embedded WebView.

    Advantages of WebView:
    • Does not make the user leave the app to complete the OAuth flow

    Problems with WebView:
    • User has no way to verify they are on the real website, so phishing attacks are undetectable
    • Does not share system cookies, so users have to type their password every time

    Advantages of SFSafariView:
    • Does not make the user leave the app to complete the OAuth flow
    • The user can see the address bar so can verify they're on the correct website
    • Shares system cookies, so the user won't have to type their password if they've already signed in using the native Safari app

    I should probably turn this into a proper blog post.
    Portland, Oregon
    2 replies
    Thu, May 4, 2017 10:47am -07:00 #oauth2
  • Patrick Schaller http://F3Development.com   •   May 4
    WOW, thank you so much! Do you know, offhand, of any mobile apps doing Auth this way?
    Aaron Parecki
    @rogue__leader The Google Inbox and Voice apps do it! I know I've used a couple more, but can't remember off-hand.
    Portland, Oregon
    5 replies
    Thu, May 4, 2017 11:17am -07:00
  • Patrick Schaller http://F3Development.com   •   May 4
    Awesome, Iโ€™ll check those out. Business doesnโ€™t understand why I canโ€™t do this in a way that doesnโ€™t show URL. Since itโ€™s our app and API.
    Aaron Parecki
    @rogue__leader Yeah the Google case is interesting since they're doing it with their own apps!
    Portland, Oregon
    2 replies
    Thu, May 4, 2017 11:22am -07:00
  • Patrick Schaller http://F3Development.com   •   May 4
    Yeah... Does that mean there are alternatives to SFSafariView if you own the app and API?
    Aaron Parecki
    @rogue__leader Well for first-party apps there isn't really a phishing risk, it's normal to type your password into the service's own app.
    Portland, Oregon
    Thu, May 4, 2017 11:31am -07:00
  • Patrick Schaller http://F3Development.com   •   May 4
    Yeah... Does that mean there are alternatives to SFSafariView if you own the app and API?
    Aaron Parecki
    @rogue__leader so some services use the password grant to exchange a un+pw for a token, and build the login interface natively.
    Portland, Oregon
    1 reply
    Thu, May 4, 2017 11:32am -07:00
  • Aaron Parecki
    ๐ŸŽฅ๐ŸŽ‰ โœ We recorded 912gb of raw video during @CSVConference! โœ๐ŸŽ‰๐ŸŽฅ #csvconf
    Portland, Oregon
    31 likes 7 reposts 2 replies 1 mention
    Thu, May 4, 2017 2:35pm -07:00 #csvconf
  • Erica Allison http://helloerica.com
    Cactus update
    Portland, Oregon
    Thu, May 4, 2017 9:14am -08:00 (liked on Thu, May 4, 2017 2:56pm -07:00)
  • I Deleted My Blog and Built a Store – Mr. Mike Merrill – Medium (medium.com)
    Thu, May 4, 2017 2:59pm -07:00 #indieweb #kmikeym
  • Maniac Morning May 4

    I am on the fence about whether to count today's sprint towards this goal. I started this morning by diving into catching up on accounting in my 3 Quickbooks files, which is something I've been trying to get better about doing regularly since I finally filed my taxes on time for the first time in 6 years. I spent a little over 2.5 hours on the accounting, and managed to get all caught up. (Of course I didn't screenshot that for obvious reasons.) So on that front, it was a successful morning. However, it was also over 80 degrees today which is way hotter than my comfort level and we don't have A/C in the apartment. This led to a relatively unproductive afternoon, and I never got enough energy up to do anything more creative. So on that front, I didn't make progress on my more interesting projects today. Overall, at least I have another data point to reaffirm that I am definitely more productive in the mornings!
    continue reading...
    Thu, May 4, 2017 9:27pm -07:00 #mmm
← Older → Newer

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

  • ๐ŸŽฅ YouTube Tutorials and Reviews
  • ๐Ÿ  We're building a triplex!
  • โญ๏ธ Life Stack
  • โš™๏ธ Home Automation
  • All
  • Articles
  • Bookmarks
  • Notes
  • Photos
  • Replies
  • Reviews
  • Trips
  • Videos
  • Contact
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.
IndieWebCamp Microformats Webmention W3C HTML5 Creative Commons
WeChat ID
aaronpk_tv