44°F

Aaron Parecki

  • Articles
  • Notes
  • Photos
  • OAuth for the Open Web

    July 7, 2018

    OAuth has become the de facto standard for authorization and authentication on the web. Nearly every company with an API used by third party developers has implemented OAuth to enable people to build apps on top of it.

    While OAuth is a great framework for this, the way it has ended up being used is much more centralized and closed than prior efforts like OpenID 1. Every service that spins up an OAuth-enabled API ends up being its own isolated system. For example, if I want to build an app that can read someone's step count from FitBit, I have to first go register as a developer on FitBit's website in order to get API keys to use with their OAuth API. 

    This works okay for major services like Google, Twitter, Facebook, and even FitBit, but breaks down when you start to consider use cases like having someone's personal WordPress blog be its own OAuth server. If I want to build an app that lets you upload photos to your WordPress site, I'm obviously not going to be able to register for API keys on everyone's own WordPress installations. Enabling third party clients to be built against systems like WordPress or Mastodon opens up a huge possibility for some really interesting things. The trick is always how do these apps authenticate the user or obtain a token they can use to access those APIs.

    This post details a few specific challenges with OAuth preventing it from being used by independent websites, as well as the solutions to each.

    Client Registration

    The first major hurdle to overcome is the need for the developer to register to get API keys for the service. In a world where everyone's own website is its own OAuth server, it's obviously not practical to have an app developer register API keys at each.

    In OAuth, client registration gives us a few specific things:

    • Provides a unique ID that is used to identify the app throughout the OAuth process, called the client ID
    • Provides a place to enter the name and icon for the app which is displayed during login
    • Registers one or more redirect URLs for security
    • For "confidential clients" (web server apps), registration also provides the client with a client secret

    Note that in traditional OAuth, client secrets are not used by mobile apps or JavaScript apps, and OAuth servers will often not even issue secrets to those types of apps. Since we're trying to avoid registration entirely, we can also just avoid using client secrets at all, and leverage the same protections OAuth already has in place for clients that can't use a secret.

    In order to avoid registration, we need a solution for the first three bullet points above.

    Client ID: Every application needs a unique identifier. If we're talking about turning every website into an OAuth provider, we need a way to have globally unique identifiers for every OAuth app. It turns out we already have a mechanism for this: URLs! In this Open Web version of OAuth, client IDs can be the application's URL. For web-based apps, this is straightforward, as it's simply the website the app is running on. For native apps, this can be the application's "about" page.

    Application name and icon: Since the application's client ID is a URL, we can assume every application has a web page that talks about it, and treat that web page as the place the client defines its own metadata like name and icon. A simple way to accomplish this is with Microformats, so that the application's web page just needs to add a couple classes around the name and icon of the app. This is currently documented and implemented as the h-app microformat.

    Redirect URL registration: This one is a bit more subtle. The purpose of redirect URL registration is to prevent an attacker from tricking an authorization server into sending authorization codes to the attacker. This becomes especially important when we aren't using client secrets. The trick is that since client IDs are already URLs, we can shortcut the normal registration process by declaring a rule that redirect URLs have to be on the same domain as the client ID. This way, we can avoid a situation where an application claiming to be good.example.com sets a redirect URL to attacker.example.org and steals the authorization code. The only way to get the authorization code to attacker.example.org would be to set the client ID to that domain as well, which a user would hopefully notice.

    User Accounts

    There are two different situations to consider with regards to user accounts: authentication and authorization. Authentication is the process of proving the identity of the person signing in. Authorization is how an application obtains permission to do something to someone's account.

    When we talk about authentication, we are talking about wanting to allow an unknown user to identify themselves to the site they're logging in to. Common examples of this are using your email address as your identity to sign in to a website. You bring an existing identity (your email address) and then authenticate (usually by clicking a link that was sent to your email). The original version of OpenID was created to solve this problem on the web. People identified themselves with a URL, which they were able to prove they controlled using OpenID. This allows a new user to log in to a site without needing a prior relationship with the site.

    When we talk about authorization, the situation is subtly different. In this case, we're talking about a user of a website wanting to give permission to a third-party app to access some part of their account. We're very used to this pattern now, which is the typical OAuth use case of granting an application the ability to access your Google Calendar, or logging in to a third party Twitter app.

    Authorization: There isn't really a challenge unique OAuth on the Open Web with regards to authorization. Once the client registration problem is solved, everything else falls into place nicely. It is assumed that users are authorizing an application to access an account they already have, so the application will just end up with an access token that works with their existing account.

    Authentication: Where we need to define some new behavior is talking about authentication. In this case, we want users to be able to bring an existing identity and use it to log in to other places. This means we need a way to uniquely identify users across the entire web. We can again use URLs as the solution! Every user is identified by a URL. This can be a short URL like someone's domain name, e.g. https://aaronparecki.com/, or for a site with multiple users, can be a URL that contains a path specifying a particular user on the site, e.g. https://github.com/aaronpk. 

    Discovery

    With traditional OAuth services, discovery is not needed since the application author knows which OAuth server they're talking to before they start building the app. There is typically a "Sign in with ____" button in the application that begins the authorization process. In the case of using OAuth for authentication, the common pattern is to include buttons for several common "social login" providers such as Facebook, Google, Twitter and LinkedIn. Before the "social login" space essentially consolidated to these four, there were sometimes a dozen of these buttons on an application's login page, which eventually became known as the "NASCAR problem".

    In a world where every WordPress or Gitlab site is its own OAuth provider, there obviously can't be a button for each on a login screen. Instead, we need to find out from the user which server to use to authenticate them. 

    Since we previously stated that every user identifier is a URL, we can ask the user to enter their URL in the sign-in screen, and then fetch that URL and discover their authorization server from there.

    Once we've found the user's authorization endpoint, we can start a normal OAuth request and send them to their server to authenticate. When the server redirects back to the application, it will go and verify the authorization code with their authorization endpoint just like normally happens with OAuth.

    Knowing Who Logged In

    While knowing any user identity information is technically not part of OAuth, we do need the server to return a user identifier when using OAuth for authentication. In practice, most applications also want at least a unique user identifier in the authorization case as well.

    We've previously said that user identifiers are URLs, which solves the global user identity problem, and gives us a mechanism to discover the user's OAuth server. So all we need is a way to return this information to the application after the user has authenticated. 

    OAuth gives us an easy opportunity to return this to the application: in the access token response when the application sends the authorization code to obtain an access token. The server can at that point return the full user identifier of the user that logged in. As long as the domain name matches the domain that the user entered at the start, the application can consider it successful. This also gives the authorization server the opportunity to canonicalize the user identifier, correcting "http" to "https", or adding a path component to the user's profile URL.

    Let's do this!

    By now, hopefully you're thinking "this sounds great, Aaron, someone should write this up as a OAuth extension!" I'm glad you asked!

    The IndieAuth spec, an OAuth 2.0 extension

    Earlier this year, I wrote this all up as an extension to OAuth 2.0, called IndieAuth. IndieAuth encapsulates these small additions needed for OAuth 2.0 to work in the Open Web.

    Despite this spec being published in January, it has actually been implemented for several years before that. There are many implementations of this extension on the server side, everything from standalone authorization server projects, to a WordPress plugin, and it's even implemented by a commercial service, Micro.blog. As far as consuming apps, nearly every Micropub app has implemented this for logging users in.

    For further details on implementing this extension, there are several guides available depending on whether you're writing a client, a server, or just part of a server.

    • Authenticating users with IndieAuth
    • Obtaining an access token with IndieAuth
    • Creating an Authorization Endpoint
    • Creating a Token Endpoint

    There are a few existing open source projects you can use to get started if you don't want to write your own!

    • selfauth - a standalone authorization server using a simple password login
    • IndieAuth for WordPress - a plugin that turns your WordPress install into an OAuth 2.0 server
    • IndieAuth for Drupal - a Drupal plugin that provides a built-in OAuth 2.0 server
    • Acquiescence - an authorization endpoint written in Ruby that authenticates users via GitHub

    For further reading, check out the IndieAuth spec. Feel free to drop in to the IndieWeb chat if you'd like to talk about this, or you can reach me on Twitter or from my website.

    Portland, Oregon • 72°F
    #indieauth #oauth #oauth2 #indieweb
    Sat, Jul 7, 2018 9:30am -07:00
    82 likes 33 reposts 46 replies 75 mentions
    • Jamie Tanna
    • Jacky Alcine
    • Aaron Davis
    • Marty McGuire
    • Malcolm Blaney
    • Dominik Schwind
    • Dominik Schwind
    • Mario Peshev
    • agree, accept, acknowledge
    • David Bisset
    • Josh Marinacci
    • Pelle Wessman
    • Ben Werdmuller
    • Pascal Birchler
    • 𝚓𝚘𝚑𝚗 𝚐𝚛𝚊𝚟𝚘𝚒𝚜
    • DΛVID V3.0.5
    • Jim Luke really needs a new longer name
    • Ramon van Belzen
    • Chris Aldrich
    • Anant Malaviya
    • Jason Tucker 🌅
    • Joël Sepulveda Franusic
    • Christoph Herr
    • Rich
    • TomWithTheWeather
    • Common Garden
    • A Guy Called Kraft 🏅
    • Nate Barbettini
    • ChristinaBowen 🌍 📚
    • Robert DeVore
    • Carl Hancock 🚀
    • Evan Prodromou
    • Jim Pick
    • keybits
    • Erik Paulson
    • Hugh Isaacs II
    • Golden Unicorn
    • Paulus Schoutsen
    • Tom
    • donavon buss
    • Raghava Nellaturu
    • Nicholas Huber
    • Rakkesh-adevopsguy
    • Devin Price
    • Jerome Leclanche
    • Vedran Pavić
    • Marcelo Mello
    • marc thiele
    • Marshall
    • Karl
    • Nguyen Tien Dung
    • Ricardo Mendes
    • Matthias Pfefferle
    • AJ Jordan #neveragain
    • Sören Wrede
    • Monsieur le 𐌕𐌊 🔨 🦊 ✒️
    • John Maeda
    • Toshiyuki Nagashima
    • We recovered your file but some links are broken
    • Glenn Otis Brown
    • jambay
    • harper 🤯
    • Heinz Wittenbrink
    • gkamp
    • Sören Wrede
    • Kamil Chmielewski
    • Hal Heisler
    • Beyond Bridges
    • Tim Bouma
    • Orie Steele
    • Dmitri Shuralyov
    • Anil Kommareddi
    • Erik Paulson
    • Jamie Tanna | www.jvt.me
    • Sriram Karra
    • Dmitri Shuralyov ⏳
    • Jimmy Zelinskie
    • Raven Kavoori
    • Andrew Hodges
    • @goto
    • ˗ˏˋ Mark Foster ˎˊ˗
    • Jacky Alcine
    • Orie Steele
    • Beyond Bridges
    • Remco van Bree
    • IndieAuth
    • Bjoern Stuetz
    • harper 🤯
    • Gilles Demarty
    • John Maeda
    • H4ndy
    • OAuth 2.0
    • Silvio Porcellana
    • Ricardo Mendes
    • Marshall
    • Christian Seel
    • marc thiele
    • John Allsopp
    • Marcelo Mello
    • Kevin Marks
    • Raghava Nellaturu
    • Golden Unicorn
    • Jim Pick
    • Sven
    • Florian Weil
    • Carl Hancock 🚀
    • ChristinaBowen🌍📚
    • Michael Bishop
    • Christoph Herr
    • Ben Werdmuller
    • Jason Tucker 🌅
    • Nicholas Huber
    • David Bisset
    • Mario Peshev
    • ˗ˏˋ Mark Foster ˎˊ˗ twitter.com/mfosterio
      Awesome 👏 I look forward to looking through it
      Tue, Oct 18, 2022 2:21am +00:00 (via brid.gy)
    • Aaron Parecki aaronparecki.com
      I can't believe this post is 4 years old now, but this is a good description of the high level goals, and how to get started! https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Mon, Oct 17, 2022 7:07pm -07:00
    • @goto twitter.com/samuelgoto
      Will read more carefully tomorrow.
      Thu, Oct 7, 2021 2:53am +00:00 (via brid.gy)
    • Aaron Parecki aaronparecki.com
      Dynamic Client Registration, but afaik no major provider supports this because they *want* RPs to have a pre-established relationship.

      We built IndieAuth to avoid the need for any client registration and it works great for that use case: https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Wed, Oct 6, 2021 7:49pm -07:00
    • Jimmy Zelinskie twitter.com/jimmyzelinskie
      TIL! Looks like there's a great community around it all, too!
      Thu, May 13, 2021 1:42am +00:00 (via brid.gy)
    • Aaron Parecki aaronparecki.com
      my own website https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Wed, May 12, 2021 6:15pm -07:00
    • David Crawshaw twitter.com/davidcrawshaw
      I’m a little confused, how do chickens identify me? Do we paint the eggs?
      Fri, Apr 10, 2020 10:02pm +00:00 (via brid-gy.appspot.com)
    • apenwarr twitter.com/apenwarr
      If you are the chicken, or the egg, you can eliminate a chicken and egg problem by building some tech. But in a distributed identity system you’re just a farmer who doesn’t yet have any chickens or eggs or a place to get them.
      Fri, Apr 10, 2020 9:55pm +00:00 (via brid-gy.appspot.com)
    • apenwarr twitter.com/apenwarr
      1. Big provider builds popular service (Facebook, Gmail) 2. Apps want access to data in big provider in exchange for your privacy 3. Big provider offers “Login with big provider!” buttons and API 4. Apps adopt buttons. Demand existed on both sides, and the bigcos invested first.
      Fri, Apr 10, 2020 9:53pm +00:00 (via brid-gy.appspot.com)
    • Alexey Shamrin twitter.com/megaflop
      Do you have an idea on how did oauth2 find "a way around the chicken and egg problem"?
      Fri, Apr 10, 2020 9:22pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      https://indieweb.org/How_is_IndieAuth_different_from_OpenID_Connect

      and more background here:

      https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Fri, Apr 10, 2020 1:26pm -07:00
    • apenwarr twitter.com/apenwarr
      There’s an apt analogy there. Think how many people are capable of deploying “WireGuard” (or IPv6) vs how many can install “tailscale.” Orders of magnitude! It’s not because we have tons of money (we don’t). It’s because we really really hate chicken and egg problems.
      Fri, Apr 10, 2020 8:04pm +00:00 (via brid-gy.appspot.com)
    • apenwarr twitter.com/apenwarr
      I don’t want it to be “possible” though. That’s such a low bar. I want real people to actually be able to use it, internet wide. Oauth2 won because it found a way around the chicken and egg problem. Doesn’t matter that it sucks. That didn’t affect its adoption.
      Fri, Apr 10, 2020 7:18pm +00:00 (via brid-gy.appspot.com)
    • Dmitri Shuralyov twitter.com/dmitshur
      Imagine you want to share the invite list to a party with a new acquaintance. Would you be more comfortable sharing 50 identifiers if they're people's personal email addresses, or their personal URLs?
      Fri, Apr 10, 2020 6:33pm +00:00 (via brid-gy.appspot.com)
    • Dmitri Shuralyov twitter.com/dmitshur
      It's not impossible to use email address as identifier, many sites do that. I think URLs have a property that makes them a better identifier: they don't forcibly bundle a means of contact (or spam) into the identifier itself. People can still volunteer it at the given URL.
      Fri, Apr 10, 2020 6:32pm +00:00 (via brid-gy.appspot.com)
    • Erik Paulson twitter.com/erik_paulson
      That's where Brad's webfistbump comes in handy: onebigfluke.com/2013/06/bootst…
      Fri, Apr 10, 2020 4:23pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      That hasn't been true for years. Browser vendors are pushing new features that they want or think will be helpful. Here are some examples: github.com/WebKit/explain… See also all the Twitter threads of people getting angry that Chrome implements something before it's standardized.
      Fri, Apr 10, 2020 4:16pm +00:00 (via brid-gy.appspot.com)
    • apenwarr twitter.com/apenwarr
      That creates a chicken-and-egg problem: browsers won't adopt it unless it's popular. It won't be popular unless browsers adopt it. Chicken-and-egg problems create usually-insurmountable barriers to adoption.
      Fri, Apr 10, 2020 4:12pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      Why is entering an email address less work than entering a URL? What I'm saying is browsers could have an "account chooser" UI to save a URL and enter it in the login field.
      Fri, Apr 10, 2020 3:39pm +00:00 (via brid-gy.appspot.com)
    • apenwarr twitter.com/apenwarr
      If login were automated like credit card forms, it would fail about 50% of the time and need me to enter a page full of unnecessary personal information by hand. That’s not a good model. Why not let me enter an email address instead? That has a domain in it.
      Fri, Apr 10, 2020 3:38pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      That problem can only be solved by browsers. Right now, most of the time the browser autocompletes my URL because I've entered it enough, so I'm not actually typing it out. With any amount of thought, browsers could automate that just like credit card payment forms.
      Fri, Apr 10, 2020 3:36pm +00:00 (via brid-gy.appspot.com)
    • apenwarr twitter.com/apenwarr
      Neat! Seems to still have the URL pasting problem though. How is that UX different from openid, which users didn’t like?
      Fri, Apr 10, 2020 3:34pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      Here's some background on why this solves the particular problem you're talking about in this thread: https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Fri, Apr 10, 2020 6:41am -07:00
    • Aaron Parecki twitter.com/aaronpk
      Doesn't have to be a top level domain, just a URL. Both users and apps are identified by URLs. I do think there's value in just client IDs being URLs in some cases, demonstrated by the fact that Home Assistant picked out just that part of the spec for their OAuth API.
      Thu, Jan 23, 2020 12:21am +00:00 (via brid-gy.appspot.com)
    • Anders Pitman twitter.com/anderspitman
      Ahhh that's what IndieAuth is. I was reading up on it, but didn't see any information about the spec on the website. I think my main hesitance towards it is the use of domains. I just don't see the average user buying their own domain. Emails seems more realistic for unique IDs.
      Thu, Jan 23, 2020 12:18am +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      You're not wrong.

      You may want to give this a read, which addresses that exact problem: https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web

      We use this a lot for the case you're talking about, where app developers have no relationship with the OAuth service the app is talking to.
      Wed, Jan 22, 2020 3:18pm -08:00
    • Brad Fitzpatrick twitter.com/bradfitz
      Sure!
      Thu, Oct 10, 2019 2:29am +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      oh absolutely it was! speaking of which, I've been thinking about putting together a podcast and/or video series where I interview folks like you involved in the early days of this stuff. would you be interested?
      Thu, Oct 10, 2019 2:23am +00:00 (via brid-gy.appspot.com)
    • Matthew Dempsky twitter.com/mdempsky
      OpenID 1 was insufficiently monetizable for the free marketplace of ideas. 🤪
      Thu, Oct 10, 2019 1:44am +00:00 (via brid-gy.appspot.com)
    • Brad Fitzpatrick twitter.com/bradfitz
      My OpenID ("1") was ahead of its time I guess. 😂😜
      Thu, Oct 10, 2019 1:29am +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      Most OpenID Connect providers require pre-registration of clients, which kind of defeats the purpose. Here's some more background: https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Wed, Oct 9, 2019 9:24pm -04:00
    • Aaron Parecki aaronparecki.com
      Got another one for your slides!

      ➡ https://indieauth.net
      ➡ https://www.w3.org/TR/indieauth/

      I'll be doing a demo at demo hour tomorrow at #IIW if you'd like to learn more!

      Read more: https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Tue, Oct 23, 2018 12:41pm -07:00
    • Aaron Parecki aaronparecki.com
      If you read it closely enough, it doesn't actually require secrets! Of course you need to plug up a few holes that the secret gave you, but that can be done with PKCE.

      Alternately (or in addition to), with a few additional constraints, you can end up with a profile of OAuth that works perfectly in cases like Mastodon/Pleroma where you can't have developers register for API keys on every instance.

      ➡ https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Tue, Aug 14, 2018 11:14am -07:00
    • ˗ˏˋ wakest ˎˊ˗ mastodon.social/@wakest

      @paulfree14 @aaronpk @xuv open this link in a browser you can see aaron and julien chatting
      "https://mastodon.social/@xuv/100335357762804609"

      Fri, Jul 13, 2018 3:12pm +00:00
    • ˗ˏˋ wakest ˎˊ˗ mastodon.social/@wakest

      @paulfree14 @aaronpk @xuv so is this all federating correctly now? implemented into #p3k?

      Fri, Jul 13, 2018 3:07pm +00:00
    • David Shanske david.shanske.com
      IndieAuth, the extension to OAuth 2.0, was developed by Aaron Parecki and implemented by multiple people  in the IndieWeb community, including myself.

      The problem has been that people conflated it with the service Aaron created as a reference implementation, which implemented IndieAuth for people who didn’t have it by using the OAuth services of sites like Twitter and Github to bootstrap the service.

      Aaron succeeds here in finally conveying a point it took me a long time to understand, and partially only by reading and implementing one of these.

      Was pleased to see the founder of Home Assistant, a product I use, tweeting that he would adopt this in that product. Looking forward to seeing what people come up with.

      Sun, Jul 8, 2018 11:12pm -04:00
    • Aaron Parecki aaronparecki.com
      Here's a post I just wrote explaining IndieAuth and how it solves a number of the challenges with OAuth in this context.

      https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Sat, Jul 7, 2018 8:54pm -07:00
    • Aaron Parecki aaronparecki.com
      indieweb.org/indieauth-vs-o…
      Sat, Jul 7, 2018 10:18pm +00:00 (via brid-gy.appspot.com)
    • Hugh Isaacs II lucid00.com
      Why not just use OpenID Connect?

      openid.net/connect/
      Sat, Jul 7, 2018 10:15pm +00:00 (via brid-gy.appspot.com)
    • DΛVID V3.0.5 davidwolfpaw.com
      Similar issue for authentication: I want to jump into the convos on discuss, but I want to come in with something better than "This is broken on my site and I don't know why" 😀
      Sat, Jul 7, 2018 5:31pm +00:00 (via brid-gy.appspot.com)
    • DΛVID V3.0.5 davidwolfpaw.com
      Agreed, it'd be nice for them to include it in a way that doesn't confuse people, like those fake download now buttons on scammy sites.

      I watched your IWC talks on YouTube earlier this week and I'm looking forward to trying the hosted Aperture. Just need to fix some auth bugs.
      Sat, Jul 7, 2018 5:22pm +00:00 (via brid-gy.appspot.com)
    • Josh Pollock JoshPress.net
      Thanks for the link, I'm going to give it a read today.

      And yes, it is annoying there is no standard way to show a plug-in's GitHub link.
      Sat, Jul 7, 2018 5:02pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      Yep! github.com/indieweb/wordp…

      That's annoying that wordpress.org doesn't have a link to the GitHub source.
      Sat, Jul 7, 2018 4:47pm +00:00 (via brid-gy.appspot.com)
    • Josh Pollock JoshPress.net
      Wow, really interesting.

      Is this plugin on Github? wordpress.org/plugins/indiea…
      Sat, Jul 7, 2018 4:45pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      Alright, I finished my post explaining the details of this! Have a look ➡️ https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Sat, Jul 7, 2018 9:42am -07:00
    • Anonymous
      Neat.
      Tue, May 26, 2020 11:53am -07:00

    Other Mentions

    • gRegor Morrill gregorlove.com
      IndieAuth for ProcessWire Development
      Thu, Oct 7, 2021 8:54pm -07:00
    • Aaron Parecki aaronparecki.com
      How to Sign Users In with IndieAuth
      Tue, Apr 13, 2021 9:15pm -07:00
    • Aaron Parecki aaronparecki.com
      IndieAuth Spec Updates 2020
      Thu, Dec 3, 2020 6:55pm -08:00
    • Jack Jamieson jackjamieson.net
      Presentation notes from Civic Tech TO Hacknight on Jan 7 2020. “IndieWeb: Empowering individuals through collective design”
      Wed, Jan 8, 2020 3:07pm -05:00
    • Tantek Çelik tantek.com
      #Redecentralize 2019 Session: IndieWeb Decentralized Standards and Methods
      Mon, Oct 28, 2019 7:00pm -07:00
    • Frank Meeuwsen diggingthedigital.com/author/frank-meeuwsen

      Dit is het tweede artikel in een serie (hier is deel 1) waarin ik je wil uitleggen hoe je met een WordPress site gebruik kunt maken van de diverse IndieWeb plugins. Zoals het kunnen inloggen op andere sites met je eigen domeinnaam, reageren op andere sites met je eigen blog en nieuwe artikelen plaatsen met andere applicaties.

      In dit artikel leer je hoe je met een WordPress plugin een identiteitsprovider maakt van je eigen site.

      Wat is IndieAuth?

      IndieAuth is een protocol wat verder bouwt op het bestaande authorisatie protocol Oauth 2.0. Voor dit artikel wil ik niet te diep in de achterliggende technologie duiken maar je uitleggen hoe jij het zelf kunt gebruiken op je WordPress site. Wil je meer weten over de exacte werking van Oauth en IndieAuth dan kan ik je het uitstekende artikel “OAuth for the Open Web” van Aaron Parecki aanbevelen, de architect van IndieAuth.

      Wat IndieAuth doet doet is van je eigen site een zogenaamde identiteitsprovider maken. Een plek waarmee je kunt inloggen op andere sites. Je kunt dan gebruik maken van een webdienst zonder een nieuwe loginnaam en wachtwoord aan te maken of gebruik te moeten maken van een sociaal netwerk om in te loggen.

      De dienst moet natuurlijk wel IndieAuth ondersteunen. Dat is op dit moment nog niet heel wijdverspreid, anders dan de diverse IndieWeb diensten die ik later zal bespreken.

      IndieAuth maakt gebruik van bestaande webtechnologie en heeft een URL als identificatiemiddel. Dit maakt het breed bruikbaar op het web van vandaag en kan snel worden geïntegreerd in bestaande sites en platformen. Een voorbeeld kun je al vinden bij IndieLogin, inclusief uitleg hoe dit bij bestaande diensten kan worden ingebouwd.

      Waarom is dit handig?

      Je bent vast en zeker wel eens bij een andere site ingelogd met je Facebook account of je Twitter profiel. Wat je dan eigenlijk doet is jezelf afhankelijk maken van die derde partij om jouw inlog te regelen. Vaak zullen het diensten zijn die niet heel kritisch zijn voor je dagelijkse bestaan, maar toch, op elk moment kan een dienst besluiten om die inlogservice te stoppen, de voorwaarden eenzijdig te wijzigen of om meer van je persoonlijke data van het netwerk beschikbaar te stellen aan de eigenaar van de dienst.

      Op de IndieWeb Wiki staat het fraai uitgelegd: “IndieAuth is part of taking back control of your online identity. Instead of logging in to websites as “you on Twitter” or “you on Facebook”, you should be able to log in as just “you”. ”

      Tevens kan het zorgen voor het NASCAR-probleem. Net als bij de race-auto’s worden login pagina’s een kakofonie van logo’s. Niet alleen is het visueel onaantrekkelijk, het zorgt er voor dat je als gebruiker begint te twijfelen met welke dienst je oorspronkelijk was ingelogd.

      Hoe installeer je de WordPress IndieAuth plugin?

      Als je de IndieWeb plugin al hebt geïnstalleerd kun je met een klik de IndieAuth plugin installeren. In je WordPress beheer ga je naar IndieWeb > Extensions en installeer je IndieAuth. Natuurlijk kun je de plugin ook apart installeren via de WordPress Plugins schermen.

      Wat stel je in?

      Na installatie en activatie vind je onder het IndieWeb logo in je WP admin een nieuw onderdeel “IndieAuth”. Hier zie je de zogenaamde endpoints genoemd. Dit zijn de plaatsen waar andere applicaties gaan kijken of jouw inlog klopt als je IndieAuth gebruikt en eventueel een extra authorisatie code krijgen om meer rechten te krijgen op je site. Je ziet dat dit endpoint op je eigen domein is.

      Web Sign-in

      De optie Web Sign-In is vooral interessant als je met meerdere auteurs een blog hebt en deze auteurs eveneens een eigen site hebben met IndieAuth. (Volg je het nog?) De auteur kan dan bij jou inloggen via een eigen domein in plaats van een login en wachtwoord combinatie. Hiervoor is het nodig dat in het profiel van de auteur de URL van de eigen site staat. Hierna kan je via de knop Web Sign-In in het loginvenster je eigen domein invullen, je gaat dan naar je eigen site om akkoord te geven en je bent ingelogd.

      Het interessante is dat de andere auteur niet per se een WordPress site hoeft te hebben. Als je maar IndieAuth ondersteunt dan kun je via je eigen site inloggen. Zo heb je dus geen lock-in voor een bepaald CMS of platform.

      De optie set user to represent site URL is handig als je een site hebt met meer auteurs. Met deze optie geef je aan wie is ingelogd als je de URL van de site gebruikt. Als je met meerdere auteurs bent, kan elke auteur met zijn eigen auteurs-URL inloggen. In het geval van WordPress is dat https://url/author/auteursnaam. Op mijn testsite is het bijvoorbeeld https://frankmeeuwsen.xyz/author/frankmeeuwsen/

      Hoe test je de plugin?

      Net als in ons vorige artikel gaan we weer inloggen bij de IndieWeb Wiki. Deze stappen zijn allemaal hetzelfde. Op de IndieWeb wiki, klik op login rechtsboven.

      Op de volgende pagina vul je wederom je eigen domeinnaam in. Maar je zult nu zien dat je niet naar Twitter gaat om je te identificeren. Je krijgt nu een scherm van je WordPress site die je vraagt of je inderdaad wilt inloggen. Klik op Authenticate en je gaat direct terug naar de wiki en bent ingelogd.

      Andere voorbeelden van deze login zullen we zien bij de installatie en gebruik van Micropub apps, waarmee je op je eigen site kunt publiceren, en indiereaders, die het mogelijk maken om je RSS-abonnementen op je eigen domein te beheren en te gebruiken.

      Mogelijke problemen

      Er zijn gevallen bekend (met name bij Dreamhost) dat de IndieAuth plugin niet goed werkt omdat een specifiek deel van de communicatie tussen plugin en server wordt tegengehouden door de hostingprovider. Dit gaat om de Authorization header. Als je het idee hebt dat dit bij jou het geval is, dan zul je dit met je hostingprovider moeten oplossen. In de IndieWeb-WordPress chatkanalen zijn altijd mensen die je kunnen helpen om de juiste vraag te stellen voor je hostingprovider.

      Hoe nu verder?

      Zoals gezegd in het begin, er zijn nog niet veel diensten die IndieAuth ondersteunen. De diensten díe het ondersteunen, bieden vaak de mogelijkheid om ook iets op je site te publiceren. Dat gebeurt via het webprotocol Micropub. Daarom kan ik je aanraden om snel door te gaan met de installatie van een Micropub plugin en werkelijk te ervaren hoe identificatie als de “echte jij” je helpt om je eigen plek op het web mooier te maken.

      Headerfoto: Jason Pofahl

      https://diggingthedigital.com/indieauth-wordpress/

      Wed, Oct 23, 2019 5:26pm +00:00
    • shrysr s.ragavan.co/2019/08/a-deeper-evaluation-of-indiewebifying-my-website
      A deeper evaluation of indiewebifying my website
      Sun, Aug 18, 2019 9:06pm +00:00
    • Luciano Mammino twitter.com/loige
      OAuth for the Open Web • Aaron Parecki aaronparecki.com/2018/07/07/7/o…
      Wed, Jul 17, 2019 1:45pm +00:00 (via brid-gy.appspot.com)
    • Jacky Alcine v2.jacky.wtf
      Wanna Federate the Web? Stop Using Silos for Signing In
      Sat, Mar 2, 2019 2:03pm -08:00
    • Aaron Parecki aaronparecki.com
      IndieAuth: One Year Later
      Wed, Jan 23, 2019 6:51pm -08:00
    • Romain Sertelon romain.sertelon.fr
      OAuth for the Open Web • Aaron Parecki aaronparecki.com/2018/07/07/7/o…
      Sat, Oct 27, 2018 8:25am +00:00 (via brid-gy.appspot.com)
    • Stéphane Edgard twitter.com/StephaneEdgard
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o… #Oauth #Web
      Sat, Oct 13, 2018 6:07pm +00:00 (via brid-gy.appspot.com)
    • Greg unrelenting.technology

      Building a reader on your website is not too hard when you already have webmention processing (so you have code to parse entries and whatnot). So I kinda have one now. There’s even some Microsub support, but that’s not complete yet.

      There’s a funny bug in my feed fetching though: OAuth for the open web is always on top of the feed (its published date gets set to feed fetch time every time) :D

      Sat, Jul 21, 2018 1:20am -07:00
    • Kevin Decherf kdecherf.com
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Wed, Jul 18, 2018 2:42pm +00:00 (via brid-gy.appspot.com)
    • boffosocko.com
      Episode 8: Interflux

      If possible, click to play, otherwise your browser may be unable to play this audio file.
      Running time: 1h 23m 35s | Download (26.2 MB) | Subscribe by RSS

      Summary: David Shanske and I recap the recent IndieWeb Summit 2018 in Portland Oregon including recent developments like microsub, readers, Vouch, and even the comeback of webrings!

      Huffduff this Episode

      Shownotes

      Recap of IndieWeb Summit 2018

      Vouch(🎧 00:7:13)

      • Plugin for WordPress (pull request pending)
      • David’s Post about Brainstorming on Implementing Vouch, Following and Blogrolls
        • Refbacks (🎧 00:12:26)
          • Why Refback Still Matters
          • Plugin for WordPress (GitHub)
        • Colin Walker mini-plugins (🎧 00:22:44)
        • Micropub plugin for WordPress (🎧 00:23:28)
          • Post Kinds, Micropub, and rendering (🎧 00:28:30)

      The Year of the Reader (🎧 00:38:32)

      • Granary
      • Gordon Korman – Son of Interflux (🎧 00:49:00)
      • Microsub
        • Server
        • Clients
      • Gregor Morrill’s IndieBookClub.biz (🎧 00:57:47)

      Webrings (🎧 00:59:03)

      • Indiewebring
      • WordPress webring

      Aaron Parecki posts (🎧 1:12:10)

      • Sending Your First Webmention
      • OAuth for the Open Web
      Syndicated copies to:
      Mon, Jul 16, 2018 8:10am -07:00
    • David Shanske david.shanske.com
      An Indieweb Podcast: Episode 8 – Interflux
      Mon, Jul 16, 2018 8:09am -04:00
    • Victor David twitter.com/victordavid252
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Wed, Jul 11, 2018 10:24am +00:00 (via brid-gy.appspot.com)
    • Jacky jacky.seezone.net
      OAuth for the Open Web • Aaron Parecki aaronparecki.com/2018/07/07/7/o…
      Wed, Jul 11, 2018 7:33am +00:00 (via brid-gy.appspot.com)
    • Dejliglama www.dejliglama.dk
      Like the thought of owning my own online identity via a URL endpoint.. This could mean centralized personal control of you data down the line. aaronparecki.com/2018/07/07/7/o…
      Tue, Jul 10, 2018 7:38pm +00:00 (via brid-gy.appspot.com)
    • webuproar 🤖 webuproar.com
      📢 aaronparecki.com/2018/07/07/7/o… OAuth for the Open Web
      Tue, Jul 10, 2018 8:00am +00:00 (via brid-gy.appspot.com)
    • subterraneanwebZ wzm.me
      OAuth for the Open Web #IndieWeb via o.wzm.me/river/v/87913 aaronparecki.com/2018/07/07/7/o…
      Tue, Jul 10, 2018 12:21am +00:00 (via brid-gy.appspot.com)
    • OktaDev developer.okta.com
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o… -- A fantastic article by our very own @aaronpk.
      Tue, Jul 10, 2018 12:19am +00:00 (via brid-gy.appspot.com)
    • HsiangHui www.linkedin.com/in/hsianghui
      OAuth for the Open Web #oauth aaronparecki.com/2018/07/07/7/o…
      Mon, Jul 9, 2018 11:25pm +00:00 (via brid-gy.appspot.com)
    • Randall Degges www.rdegges.com
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o… (great article by my buddy @aaronpk)
      Mon, Jul 9, 2018 11:14pm +00:00 (via brid-gy.appspot.com)
    • Tony Finch dotat.at
      aaronparecki.com/2018/07/07/7/o… - OAuth for the Open Web.
      Sun, Jul 8, 2018 4:43pm +00:00 (via brid-gy.appspot.com)
    • #Ch4rma Ch4rMa.net
      #OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 2:27pm +00:00 (via brid-gy.appspot.com)
    • Yan Avery yanavery.com
      #OAuth for the Open Web (#iam) - aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 1:09pm +00:00 (via brid-gy.appspot.com)
    • @baldur@toot.cafe www.baldurbjarnason.com
      “OAuth for the Open Web”
      aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 1:02pm +00:00 (via brid-gy.appspot.com)
    • Hacker News Posts justintranjt.github.io/projects/2017-08-29-hacker-news-twitter-bot
      OAuth for the Open Web
      Link: aaronparecki.com/2018/07/07/7/o…
      Cmts: news.ycombinator.com/item?id=174806…
      Sun, Jul 8, 2018 12:03pm +00:00 (via brid-gy.appspot.com)
    • Hacker News Feed news.ycombinator.com
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 11:28am +00:00 (via brid-gy.appspot.com)
    • Jose Jaimes twitter.com/the_mantese
      aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 11:06am +00:00 (via brid-gy.appspot.com)
    • Hacker News 100 twitter.com/newsyc100
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o… (bit.ly/2KWQjP7)
      Sun, Jul 8, 2018 10:59am +00:00 (via brid-gy.appspot.com)
    • Davy Duboy www.malt.fr/profile/davyduboy
      ✅ [#Wordpress] OAuth for the Open Web #CMS
      via Aaronparecki.com
      aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 10:15am +00:00 (via brid-gy.appspot.com)
    • Hacker News 100+ news.ycombinator.com
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 9:02am +00:00 (via brid-gy.appspot.com)
    • Hacker News 100 hnapp.com/?q=score%3E100
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 9:01am +00:00 (via brid-gy.appspot.com)
    • M157q News RSS github.com/M157q/py-feedr
      OAuth for the Open Web
      aaronparecki.com/2018/07/07/7/o…
      Article URL: aaronparecki.com/2018/07/07/7/o… URL: https:
      Sun, Jul 8, 2018 9:00am +00:00 (via brid-gy.appspot.com)
    • Nils Vilhemsson twitter.com/NilsVilhemsson
      nyligen läst; OAuth for the Open Web

      aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 8:42am +00:00 (via brid-gy.appspot.com)
    • Neil McGillivray www.mcgee.se
      Recently read this article; OAuth for the Open Web
      aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 8:37am +00:00 (via brid-gy.appspot.com)
    • Rebel Dev News twitter.com/RebelDevNews
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 7:28am +00:00 (via brid-gy.appspot.com)
    • Keep Posts twitter.com/keep_posts
      RT newsycombinator "OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…"
      Sun, Jul 8, 2018 7:03am +00:00 (via brid-gy.appspot.com)
    • Jerome Leclanche leclan.ch
      This is so exciting!! @aaronpk is the perfect person to do this. I remember discussing this extensively with @callahad & co when we started with LetsAuth (now known as Portier)
      Sun, Jul 8, 2018 5:48am +00:00 (via brid-gy.appspot.com)
    • Flavio Aiello flavio.aiello.ch
      Thoughts about #OAuth
      aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 5:10am +00:00 (via brid-gy.appspot.com)
    • Hacker News Robot hackernewsrobot.com
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 2:42am +00:00 (via brid-gy.appspot.com)
    • Hacker News 50 twitter.com/betterhn50
      52 – OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 2:14am +00:00 (via brid-gy.appspot.com)
    • Hacker News 50 twitter.com/newsyc50
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o… (bit.ly/2KWQjP7)
      Sun, Jul 8, 2018 2:08am +00:00 (via brid-gy.appspot.com)
    • Jose Jaimes twitter.com/the_mantese
      aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 2:06am +00:00 (via brid-gy.appspot.com)
    • Matt Carroll matthewayne.com
      IndieAuth: Eliminate registration for OAuth APIs and use URLs for identity & auth: aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 1:09am +00:00 (via brid-gy.appspot.com)
    • Víctor Ruiz twitter.com/victor_ruiz
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 12:29am +00:00 (via brid-gy.appspot.com)
    • Mangesh Tekale twitter.com/_mangesh_tekale
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 12:13am +00:00 (via brid-gy.appspot.com)
    • Tridz tridz.com
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 12:09am +00:00 (via brid-gy.appspot.com)
    • HN Responder github.com/hemartin/hn-responder
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o… news.ycombinator.com/item?id=174806…
      Sun, Jul 8, 2018 12:02am +00:00 (via brid-gy.appspot.com)
    • Hacker News news.ycombinator.com
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sun, Jul 8, 2018 12:02am +00:00 (via brid-gy.appspot.com)
    • Hacker News fb.me/hnbot
      OAuth for the Open Web
      (Discussion on HN - bit.ly/2NvKXMp) aaronparecki.com/2018/07/07/7/o…
      Sat, Jul 7, 2018 11:50pm +00:00 (via brid-gy.appspot.com)
    • Hacker News Posts justintranjt.github.io/projects/2017-08-29-hacker-news-twitter-bot
      OAuth for the Open Web
      Link: aaronparecki.com/2018/07/07/7/o…
      Cmts: news.ycombinator.com/item?id=174806…
      Sat, Jul 7, 2018 11:40pm +00:00 (via brid-gy.appspot.com)
    • Hacker News 20 twitter.com/newsyc20
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o… (bit.ly/2KWQjP7)
      Sat, Jul 7, 2018 11:37pm +00:00 (via brid-gy.appspot.com)
    • メリーカオスマス twitter.com/_7m26
      OAuth for the Open Web
      aaronparecki.com/2018/07/07/7/o…
      Sat, Jul 7, 2018 11:35pm +00:00 (via brid-gy.appspot.com)
    • Paulus Schoutsen home-assistant.io
      The IndieAuth extension to OAuth2 is perfect. I will adopt this in @home_assistant to make it easier for people to build apps against local instances.
      Sat, Jul 7, 2018 11:33pm +00:00 (via brid-gy.appspot.com)
    • Cole twitter.com/colemickens
      aaronparecki.com/2018/07/07/7/o…

      Why do I need IndieAuth when OpenID Connect is around and already implemented in lots of places? It even has discovery via webfinger too?
      Sat, Jul 7, 2018 11:23pm +00:00 (via brid-gy.appspot.com)
    • Bootstrap.Tokyo bootstrap.tokyo
      OAuthでは、クライアント登録によりいくつかの具体的なことがわかります:

          クライアントIDと呼ばれるOAuthプロセスを通じてアプリを識別するために使用される一意のIDを提供します

        ログイン時に表示されるアプリの名前とアイコンを入... aaronparecki.com/2018/07/07/7/o…
      Sat, Jul 7, 2018 10:58pm +00:00 (via brid-gy.appspot.com)
    • Abraham Williams abrah.am
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sat, Jul 7, 2018 10:56pm +00:00 (via brid-gy.appspot.com)
    • Hacker News news.ycombinator.com
      OAuth for the Open Web: aaronparecki.com/2018/07/07/7/o… Comments: news.ycombinator.com/item?id=174806…
      Sat, Jul 7, 2018 10:10pm +00:00 (via brid-gy.appspot.com)
    • Hacker News www.facebook.com/hn.hiren.news
      OAuth for the Open Web : aaronparecki.com/2018/07/07/7/o… Comments: news.ycombinator.com/item?id=174806…
      Sat, Jul 7, 2018 10:10pm +00:00 (via brid-gy.appspot.com)
    • Yann Esposito yannesposito.com
      OAuth for the Open Web • Aaron Parecki aaronparecki.com/2018/07/07/7/o…
      Sat, Jul 7, 2018 10:08pm +00:00 (via brid-gy.appspot.com)
    • Angsuman Chakraborty www.facebook.com/angsuman.chakraborty
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o…
      Sat, Jul 7, 2018 9:59pm +00:00 (via brid-gy.appspot.com)
    • HN Front Pager news.ycombinator.com
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o… (cmts news.ycombinator.com/item?id=174806…)
      Sat, Jul 7, 2018 9:44pm +00:00 (via brid-gy.appspot.com)
    • HN Front Page twitter.com/hn_frontpage
      OAuth for the Open Web
      L: aaronparecki.com/2018/07/07/7/o…
      C: news.ycombinator.com/item?id=174806…
      Sat, Jul 7, 2018 9:43pm +00:00 (via brid-gy.appspot.com)
    • Chris Aldrich www.boffosocko.com
      👓 OAuth for the Open Web | Aaron Parecki
      Sat, Jul 7, 2018 2:43pm -07:00
    • buovjaga news.ycombinator.com/user?id=buovjaga
      OAuth for the Open Web
      Sat, Jul 7, 2018 9:24pm +00:00
    • Manton Reece www.manton.org
      If you’re familiar with OAuth, this introduction to IndieAuth walks through the process of how auth for the open web works. Really happy that Micro.blog supports this now. aaronparecki.com/2018/07/07/7/o…
      Sat, Jul 7, 2018 8:42pm +00:00 (via brid-gy.appspot.com)
    • Josh Pollock JoshPress.net
      OAuth for the Open Web aaronparecki.com/2018/07/07/7/o… @aaronpk
      Sat, Jul 7, 2018 4:46pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      OAuth for the Open Web

      A little about the challenges of using #OAuth2 in a distributed setting for WordPress, GitLab, Mastodon, and more. Spoiler: it's not all bad news. Let's make this happen!

      https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
      Sat, Jul 7, 2018 9:41am -07:00
    • www.masgbox.com
      Sun, Jul 8, 2018 1:08am -07:00
    • hacks.mozilla.org
      Wed, Oct 24, 2018 8:33am -07:00
    • www.ruanyifeng.com
      Thu, Aug 1, 2019 7:40pm -07:00
    • Tom
      IIW 27 Notes
      Sun, Oct 28, 2018 6:38pm -07:00
Posted in /articles using quill.p3k.io

Hi, I'm Aaron Parecki, Senior Security Architect at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming and dabble in product design.

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Security Architect at Okta
  • IndieWebCamp Founder
  • OAuth WG Member

  • 🎥 YouTube Tutorials and Reviews
  • 🏠 We're building a triplex!
  • ⭐️ Life Stack
  • ⚙️ Home Automation
  • All
  • Articles
  • Bookmarks
  • Notes
  • Photos
  • Replies
  • Reviews
  • Trips
  • Videos
  • Contact
© 1999-2023 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.
IndieWebCamp Microformats Webmention W3C HTML5 Creative Commons
WeChat ID
aaronpk_tv