Awesome! I'd love to know what kinds of questions you get after ... • Aaron Parecki

Khor https://twitter.com/neth_6 • Jul 29
Will be talking about 'The Many Flavors of OAuth' at https://www.apidays.co/sanfrancisco including brief overview of identity layers #openidconnect #oidc, and #IndieAuth. Use code 'Soonhin' to get free tix. @aaronpk thanks for https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web.

Awesome! I'd love to know what kinds of questions you get after the talk!

Portland, Oregon • 73°F

Sun, Jul 29, 2018 9:42am -07:00

2 likes 9 replies
Have you written a response to this? Let me know the URL:
- Khor twitter.com/neth_6
  
  Got it. I read the link you shared but I must have missed the part about Auth Code flow with no client secret. Sorry.
  
  Wed, Aug 8, 2018 2:46pm +00:00 (via brid-gy.appspot.com)
- Aaron Parecki aaronparecki.com
  
  Regular OAuth 2.0 also supports the Authorization Code flow with no secret. In fact, many companies recommend Auth Code w/no secret instead of Implicit.
  
  IndieAuth is like taking Auth Code w/no secret and adding back some layers of security because of the client ID being a URL.
  
  Wed, Aug 8, 2018 2:42pm +00:00 (via brid-gy.appspot.com)
- Khor twitter.com/neth_6
  
  The link you shared is for Implicit? Implicit does not use client secret. Does this mean IndieAuth is more similar to Implicit than Auth Code but is more secure as the client id has to be redirect uri?
  
  Wed, Aug 8, 2018 2:40pm +00:00 (via brid-gy.appspot.com)
- Khor twitter.com/neth_6
  
  Thanks for this tip!
  
  Wed, Aug 8, 2018 2:17pm +00:00 (via brid-gy.appspot.com)
- Aaron Parecki aaronparecki.com
  
  But, most importantly, the fact that IndieAuth uses a URL for the client ID means that you *do* authenticate the client in the initial Auth Code request, since the redirect URL has to match the domain or be registered. That's an improvement over OAuth with no secret.
  
  Wed, Aug 8, 2018 1:28pm +00:00 (via brid-gy.appspot.com)
- Aaron Parecki aaronparecki.com
  
  Without the secret, there is no authentication of the client. PKCE solves this by using essentially an on-the-fly secret safe for use by mobile apps. IndieAuth *could* adopt the PKCE extension as well, tho afaik noone has done that yet.
  
  Wed, Aug 8, 2018 1:26pm +00:00 (via brid-gy.appspot.com)
- Aaron Parecki aaronparecki.com
  
  Good question! The OAuth Authorization Code flow doesn't require a secret either. For example mobile apps can't use a secret, but still use the Auth Code flow. There are many benefits to the Auth Code flow over Implicit, I wrote some about that here developer.okta.com/blog/2018/05/2…
  
  Wed, Aug 8, 2018 1:25pm +00:00 (via brid-gy.appspot.com)
- Martĳn van der Ven vanderven.se/martijn
  
  Does the auth code flow require a client secret? Not sure “less secure” is always true. It is true that the IndieAuth exchange step does not contain proof of the client being the same as from initial request.
  It might be an idea to look into tools.ietf.org/html/rfc7636 for that.
  
  Wed, Aug 8, 2018 8:45am +00:00 (via brid-gy.appspot.com)
- Khor twitter.com/neth_6
  
  Got a #IndieAuth question. Since there is no client pre-registration, there is no client secret. Thus during code/access token exchange no client secret is used. Less secure than Authorization Code and more like Implicit perhaps?
  
  Wed, Aug 8, 2018 7:03am +00:00 (via brid-gy.appspot.com)

Posted in /replies using indigenous.abode.pub