86°F

Aaron Parecki

  • Articles
  • Notes
  • Photos
  • Khor https://twitter.com/neth_6   •   Jul 29
    Will be talking about 'The Many Flavors of OAuth' at https://www.apidays.co/sanfrancisco including brief overview of identity layers #openidconnect #oidc, and #IndieAuth. Use code 'Soonhin' to get free tix. @aaronpk thanks for https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web.
    Aaron Parecki
    Awesome! I'd love to know what kinds of questions you get after the talk!
    Portland, Oregon • 73°F
    Sun, Jul 29, 2018 9:42am -07:00
    2 likes 9 replies
    • Evan Prodromou 🏀 👀
    • Khor
    • Khor twitter.com/neth_6
      Got it. I read the link you shared but I must have missed the part about Auth Code flow with no client secret. Sorry.
      Wed, Aug 8, 2018 2:46pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      Regular OAuth 2.0 also supports the Authorization Code flow with no secret. In fact, many companies recommend Auth Code w/no secret instead of Implicit.

      IndieAuth is like taking Auth Code w/no secret and adding back some layers of security because of the client ID being a URL.
      Wed, Aug 8, 2018 2:42pm +00:00 (via brid-gy.appspot.com)
    • Khor twitter.com/neth_6
      The link you shared is for Implicit? Implicit does not use client secret. Does this mean IndieAuth is more similar to Implicit than Auth Code but is more secure as the client id has to be redirect uri?
      Wed, Aug 8, 2018 2:40pm +00:00 (via brid-gy.appspot.com)
    • Khor twitter.com/neth_6
      Thanks for this tip!
      Wed, Aug 8, 2018 2:17pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      But, most importantly, the fact that IndieAuth uses a URL for the client ID means that you *do* authenticate the client in the initial Auth Code request, since the redirect URL has to match the domain or be registered. That's an improvement over OAuth with no secret.
      Wed, Aug 8, 2018 1:28pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      Without the secret, there is no authentication of the client. PKCE solves this by using essentially an on-the-fly secret safe for use by mobile apps. IndieAuth *could* adopt the PKCE extension as well, tho afaik noone has done that yet.
      Wed, Aug 8, 2018 1:26pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      Good question! The OAuth Authorization Code flow doesn't require a secret either. For example mobile apps can't use a secret, but still use the Auth Code flow. There are many benefits to the Auth Code flow over Implicit, I wrote some about that here developer.okta.com/blog/2018/05/2…
      Wed, Aug 8, 2018 1:25pm +00:00 (via brid-gy.appspot.com)
    • Martijn van der Ven vanderven.se/martijn
      Does the auth code flow require a client secret? Not sure “less secure” is always true. It is true that the IndieAuth exchange step does not contain proof of the client being the same as from initial request.
      It might be an idea to look into tools.ietf.org/html/rfc7636 for that.
      Wed, Aug 8, 2018 8:45am +00:00 (via brid-gy.appspot.com)
    • Khor twitter.com/neth_6
      Got a #IndieAuth question. Since there is no client pre-registration, there is no client secret. Thus during code/access token exchange no client secret is used. Less secure than Authorization Code and more like Implicit perhaps?
      Wed, Aug 8, 2018 7:03am +00:00 (via brid-gy.appspot.com)
Posted in /replies using indigenous.abode.pub

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

  • 🎥 YouTube Tutorials and Reviews
  • 🏠 We're building a triplex!
  • ⭐️ Life Stack
  • ⚙️ Home Automation
  • All
  • Articles
  • Bookmarks
  • Notes
  • Photos
  • Replies
  • Reviews
  • Trips
  • Videos
  • Contact
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.
IndieWebCamp Microformats Webmention W3C HTML5 Creative Commons
WeChat ID
aaronpk_tv