  • Aaron Parecki
    Browser APIs have gotten so much better lately! Way easier to do @oauth_2 PKCE in a browser now:

    ✅ good random number generators
    ✅ secure hashing functions

    Just missing a good base64 encoding function. (Check out the ugly hack in the post.)

    https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead#begin-the-pkce-request
    Mountain View, California, USA • 49°F
    Thu, May 2, 2019 8:25am -07:00 #oauth #javascript #pkce
    5 likes 1 repost 5 replies
    • Aaron Parecki twitter.com/aaronpk
      Plenty of server-side frameworks can do this, I'm not sure about something as a service though. Also not sure if you'd really want to go down the path of offloading that kind of thing to a different site either.
      Sat, May 4, 2019 4:46pm +00:00 (via brid-gy.appspot.com)
    • Even André Fiskvik twitter.com/grEvenX
      In the process of changing how we authorize the users in our web app and I’m wondering what route to take. Do you know about any simple proxy-like services for OAuth 2 Auth code flow (not OIDC) that can keep sessions and handle Auth for any SPA?
      Fri, May 3, 2019 10:47pm +00:00 (via brid-gy.appspot.com)
    • Sebastian Lasse twitter.com/sl007
      This could save you 4 characters ;))
      return btoa(encodeURIComponent(str)
      .replace(/%([0-9A-F]{2})/g, (m, p1) => String.fromCharCode(parseInt(('0x'+p1), 16))));
      Thu, May 2, 2019 8:22pm +00:00 (via brid-gy.appspot.com)
    • Sebastian Lasse mastodon.social/@sl007

      @aaronpk This could save you 4 characters ;))
      return btoa(encodeURIComponent(str)
      .replace(/%([0-9A-F]{2})/g, (m, p1) => String.fromCharCode(parseInt(('0x'+p1), 16))));

      Thu, May 2, 2019 8:21pm +00:00
    • alianora cybre.space/@nightpool

      @aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

      Thu, May 2, 2019 3:29pm +00:00
Posted in /notes using quill.p3k.io

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.