Browser APIs have gotten so much better lately! Way easier to ... • Aaron Parecki

Browser APIs have gotten so much better lately! Way easier to do @oauth_2 PKCE in a browser now:

✅ good random number generators
✅ secure hashing functions

Just missing a good base64 encoding function. (Check out the ugly hack in the post.)

https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead#begin-the-pkce-request

Mountain View, California, USA • 49°F

Thu, May 2, 2019 8:25am -07:00 #oauth #javascript #pkce

5 likes 1 repost 5 replies
- OAuth 2.0
Have you written a response to this? Let me know the URL:
- Aaron Parecki twitter.com/aaronpk
  
  Plenty of server-side frameworks can do this, I'm not sure about something as a service though. Also not sure if you'd really want to go down the path of offloading that kind of thing to a different site either.
  
  Sat, May 4, 2019 4:46pm +00:00 (via brid-gy.appspot.com)
- Even André Fiskvik twitter.com/grEvenX
  
  In the process of changing how we authorize the users in our web app and I’m wondering what route to take. Do you know about any simple proxy-like services for Oauth 2 Auth code flow (not OIDC) that can keep sessions and handle Auth for any SPA ?
  
  Fri, May 3, 2019 10:47pm +00:00 (via brid-gy.appspot.com)
- Sebastian Lasse twitter.com/sl007
  
  This could save you 4 characters ;))
  return btoa(encodeURIComponent(str)
  .replace(/%([0-9A-F]{2})/g, (m, p1) => String.fromCharCode(parseInt(('0x'+p1), 16))));
  
  Thu, May 2, 2019 8:22pm +00:00 (via brid-gy.appspot.com)
- Sebastian Lasse mastodon.social/@sl007
  
  @aaronpk This could save you 4 characters ;))
  return btoa(encodeURIComponent(str)
  .replace(/%([0-9A-F]{2})/g, (m, p1) => String.fromCharCode(parseInt(('0x'+p1), 16))));
  
  Thu, May 2, 2019 8:21pm +00:00
- alianora cybre.space/@nightpool
  
  @aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?
  
  Thu, May 2, 2019 3:29pm +00:00

Posted in /notes using quill.p3k.io