Aaron Parecki

Sunday, May 31, 2020

  • 11:57pm
    Asleep
    5:35am
    Awake
    5h 38m
    Slept
    13m
    Awake for
    Portland, Oregon, USA
    Sun, May 31, 2020 5:35am -07:00
  • Torsten Lodderstedt https://twitter.com/tlodderstedt   •   May 31
    if I understand correctly, the token request accepted an alternative email claim value and used it to override the value on Apple’s IDP. Really?
    Aaron Parecki
    If I'm reading it right it's not the token endpoint, it's their internal API for accepting the request that let the user choose which email to share with the app. So it's a form validation problem.
    Portland, Oregon • 54°F
    22 replies
    Sun, May 31, 2020 5:36am -07:00
  • Torsten Lodderstedt https://twitter.com/tlodderstedt   •   May 31
    But it’s exposed to the client and did accept arbitrary values, right?
    Aaron Parecki
    Yea, it's just not part of the OAuth API. It's more like bad logic on the internal implementation of the AS.
    Portland, Oregon • 54°F
    2 likes 17 replies
    Sun, May 31, 2020 5:39am -07:00
  • Torsten Lodderstedt https://twitter.com/tlodderstedt   •   May 31
    But it’s exposed to the client and did accept arbitrary values, right?
    Aaron Parecki
    It's the handler that responds to the "Continue" form post on this screen. Instead of a Boolean, the client sent back the actual email address and the server accepted arbitrary values.
    Portland, Oregon • 54°F
    1 reply
    Sun, May 31, 2020 5:42am -07:00
  • Aaron Parecki https://aaronparecki.com/   •   May 31
    It's the handler that responds to the "Continue" form post on this screen. Instead of a Boolean, the client sent back the actual email address and the server accepted arbitrary values.
    Aaron Parecki
    Now that I'm writing this out, I realize that the client also sends back the "name" here, intentionally, since the name is user-editable. So I can see how this happened. It's just extremely poor coding practice to essentially also allow the email to be editable here.
    Portland, Oregon • 54°F
    2 likes
    Sun, May 31, 2020 5:45am -07:00
  • Barbara Schachner https://twitter.com/barschachner   •   May 31
    I feel logical bugs around OAuth/OIDC/JWT handling are on the rise - and they are like the login form SQL injections of the past ("be whoever you want to be").
    Love those standards and their capabilities - but are they getting too complicated?
    Aaron Parecki
    Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.
    Portland, Oregon • 54°F
    1 like 12 replies
    Sun, May 31, 2020 5:59am -07:00
  • Dominick Baier https://twitter.com/leastprivilege
    The protocols are not the most complicated typically (not saying they are ‘easy’ either). But business requirements on top make things complicated.
    Portland, Oregon • 54°F
    Sun, May 31, 2020 1:00pm +00:00 (liked on Sun, May 31, 2020 6:00am -07:00)
  • Arif Yayalar 💛❤️🦁 https://twitter.com/ayayalar   •   May 30
    @aaronpk little disappointed that you sell pdf/ePub editions of OAuth 2.0 Simplified separately.
    Aaron Parecki
    Yeah it's mainly a technical limitation of the platform we used for publishing it. If you send me a receipt, I'll send you the other format!
    Portland, Oregon • 54°F
    Sun, May 31, 2020 6:05am -07:00
  • hedonometer https://twitter.com/hedonometer
    Yesterday was the saddest day in the history of @Twitter
    Portland, Oregon • 54°F
    Sat, May 30, 2020 4:51pm +00:00 (liked on Sun, May 31, 2020 6:35am -07:00)
  • Barbara Schachner https://twitter.com/barschachner   •   May 31
    Fully agree to that 😀

    Just looking also at examples like https://insomniasec.com/blog/auth0-jwt-validation-bypass or https://threatpost.com/microsoft-oauth-flaw-azure-takeover/150737/.
    o/c they are different + very individual, but if already the big players have such issues, how much more can go wrong on RS side where devs are usually not Auth experts.
    Aaron Parecki
    Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers.
    Portland, Oregon • 54°F
    2 likes
    Sun, May 31, 2020 6:43am -07:00
  • Barbara Schachner https://twitter.com/barschachner
    Fully agree to that 😀

    Just looking also at examples like https://insomniasec.com/blog/auth0-jwt-validation-bypass or https://threatpost.com/microsoft-oauth-flaw-azure-takeover/150737/.
    o/c they are different + very individual, but if already the big players have such issues, how much more can go wrong on RS side where devs are usually not Auth experts.
    Portland, Oregon • 54°F
    Sun, May 31, 2020 1:41pm +00:00 (liked on Sun, May 31, 2020 6:43am -07:00)
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    "The OpenID Foundation enables deployments of OpenID Connect and the Financial-grade API (FAPI) Read/Write Profile to be certified to specific conformance profiles to promote interoperability among implementations.... "

    https://openid.net/certification/
    Aaron Parecki
    And? certification wouldn't have caught this bug since it wasn't a problem with the OIDC part of the exchange.
    Portland, Oregon • 54°F
    Sun, May 31, 2020 7:22am -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    "email_verified" : "True if the End-User's e-mail address has been verified; otherwise false....."

    https://openid.net/specs/openid-connect-core-1_0.html
    Aaron Parecki
    Go read the writeup again. The original post wasn't the clearest explanation of the problem but I also posted some more details in this thread that make it clearer.
    Portland, Oregon • 54°F
    6 replies
    Sun, May 31, 2020 7:28am -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    My point is that OIDC has mechanisms to prevent this issue.
    Aaron Parecki
    Please go read it again and understand the problem
    Portland, Oregon • 54°F
    4 replies
    Sun, May 31, 2020 7:32am -07:00
  • Torsten Lodderstedt https://twitter.com/tlodderstedt
    Another remark: this issue wouldn’t have allowed account takeover at the RP if the RP would use iss+sub claim to identify the user account instead of relying on the email address (potentially even without scoping it within the particular IDP). Poor coding practice too.
    Portland, Oregon • 54°F
    Sun, May 31, 2020 2:44pm +00:00 (liked on Sun, May 31, 2020 7:57am -07:00)
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    Yes, thank you. I agree that RP should be simple and IdP should be handling the complexity. AFAIU, the OIDC spec is clear about the email_verified attribute.
    Aaron Parecki
    The original post didn’t make this clear, so I’m writing a new post to hopefully better explain the problem. You’ll see that it has nothing to do with OIDC at all. Link coming shortly, I hope.
    Portland, Oregon • 55°F
    2 replies
    Sun, May 31, 2020 9:36am -07:00
  • ziwe https://twitter.com/ziwe
    there are two americas: one fights for black lives and the other fights for brunch
    Portland, Oregon • 56°F
    Sun, May 31, 2020 3:39pm +00:00 (liked on Sun, May 31, 2020 9:59am -07:00)
  • BLACKLIVESFUCKINGMATTER https://twitter.com/alexsimoneex
    i feel sorry for the kids who are gonna study 2020 in history 😭, this chapter is HEFTY.
    1 like
    Thu, May 28, 2020 2:11pm +00:00 (reposted on Sun, May 31, 2020 10:00am -07:00)
  • Kate Efimova 💫 https://twitter.com/kefimochi
    Being sick of politics AND having an environment where you can stop thinking about current state of the world is called PRIVILEGE.

    YOU HEARD IT!
    Portland, Oregon • 56°F
    Sun, May 31, 2020 3:28pm +00:00 (liked on Sun, May 31, 2020 10:08am -07:00)
  • Aaron Parecki
    Contributions from: Canada, Spain, United Kingdom, United States
    Sun, May 31, 2020 10:21am -07:00
  • Tony Jordan 😹👀 https://twitter.com/twjpdx23
    This is a great illustration of how much space cars waste!

    They say that up to 230 cars will be able to fit in the stadium to watch the movie. 230 cars in the whole damn stadium.

    If this is the future, I don’t wanna be in it. https://www.miamiherald.com/miami-com/things-to-do/article243003896.html
    Portland, Oregon • 57°F
    Sun, May 31, 2020 5:27pm +00:00 (liked on Sun, May 31, 2020 10:30am -07:00)
  • Dieter Bohn https://twitter.com/backlon
    When writing headlines, use the active voice and clearly identify subjects. https://www.theverge.com/2020/5/31/21276044/police-violence-protest-george-floyd
    Portland, Oregon • 57°F
    Sun, May 31, 2020 5:06pm +00:00 (liked on Sun, May 31, 2020 10:53am -07:00)
  • Jerry Gamblin https://twitter.com/JGamblin   •   May 30
    Interesting JWT vulnerability. https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/
    Aaron Parecki
    This has almost nothing to do with JWTs, or even OpenID Connect for that matter.
    Portland, Oregon • 58°F
    2 likes 4 replies
    Sun, May 31, 2020 11:06am -07:00
  • Jerry Gamblin https://twitter.com/JGamblin   •   May 31
    Yep, I realized that after I posted and made a clarifying post in the thread, which you should have seen?
    Aaron Parecki
    I should have replied to that one. It’s barely a logic bug using JWT. I’m writing up more details in a blog post, will post a link shortly.
    Portland, Oregon • 58°F
    2 replies
    Sun, May 31, 2020 11:11am -07:00
  • Jerry Gamblin https://twitter.com/JGamblin   •   May 31
    Ok... what would you call it then?
    Aaron Parecki
    lack of form validation
    Portland, Oregon • 58°F
    1 like
    Sun, May 31, 2020 11:12am -07:00
  • Hans Zandbelt https://twitter.com/hanszandbelt
    So at first Apple shortcutted OIDC protocol steps in SIWA which rendered them insecure, after fixing that they went on to add extras on top of OIDC which now renders them insecure again. It should be clear to everyone now: don't roll your own. #openid #siwa
    Portland, Oregon • 60°F
    Sun, May 31, 2020 6:43pm +00:00 (liked on Sun, May 31, 2020 12:47pm -07:00) #openid #siwa
  • The Real Cause of the Sign In with Apple Zero-Day

    The zero-day bug in Sign In with Apple actually had nothing to do with the OAuth or OpenID Connect part of the Sign In with Apple exchange, and very little to do even with JWTs. Let's take a closer look to see what actually happened.
    37 likes 19 reposts 1 bookmark 9 replies 25 mentions
    Sun, May 31, 2020 1:49pm -07:00 #oauth #oidc #apple #siwa #security #zeroday
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    Thanks, that will be greatly appreciated. If you could also include the sample id_token in the post, it would help to clarify some doubts.
    Aaron Parecki
    Alright, it's up! https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day
    Portland, Oregon • 61°F
    2 likes 1 repost
    Sun, May 31, 2020 1:50pm -07:00
  • Jerry Gamblin https://twitter.com/JGamblin   •   May 31
    Ok... what would you call it then?
    Aaron Parecki
    Posted a full writeup with a lot more details: https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day
    Portland, Oregon • 61°F
    1 like 1 repost
    Sun, May 31, 2020 1:50pm -07:00
  • Aaron Parecki
    Contributions from: Canada, Spain, United Kingdom, United States
    Sun, May 31, 2020 4:03pm -07:00
  • Chris Aldrich https://boffosocko.com/
    The overall idea to make it easier to subscribe to a personal website is certainly a laudable one.

    Sadly the general concept presented here, while it sounds potentially useful, is far too little and misdirected. Hopefully better potential solutions are still not too late.

    First, let’s step back a moment. The bigger problem with feeds was that website designers and developers spent far too long in the format wars between RSS and Atom while the social media giants focused on cleaner and easier UI. This allowed the social silos to dramatically close the gap in functionality and usability. While website owners were spending time on formats and writing long articles about what RSS was, how it worked, and how to use it, the public lost interest. We need something really dramatic to regain this ground and /feeds just is not going to cut it.

    The first problem I see with this is that on its face /feeds both looks and sounds like code. No user really wants to interact with code if they don’t have to. Why not simply have a page or button called something much more user friendly like “subscribe” or “follow”? Almost every major social silo has a common pattern like this and has a simple “follow” button on every user’s page. A quick click and one is done with the transaction!

    Instead the solution offered here is to have not only yet-another-page but one that needs to be maintained. (As good as the /now idea may seem, the fact that it needs to be regularly and manually updated makes it a failure out of the gate. I’ll bet that less than half the /now pages out there have been updated in the last 6 months. I know mine hasn’t.) Worse, suppose I click over to a /feeds page, as an average person I’m still stuck with the additional burden of knowing or learning about what a feed reader is, why I’d need or want one, and then knowing what RSS is and how I might use that. I might see a one click option for Twitter or Mastodon, but then I’m a mile away from your website and unlikely to see you again in the noise of my Twitter feed which has many other lurking problems.

    One of the best solutions I’ve seen in the past few years is that posited by SubToMe.com which provides a single, customizable, and universal follow button. One click and it automatically finds the feeds hidden in the page’s code and presents me with one or more options for following it in a feed reader. Once I’ve chosen a reader, it remembers my choice and makes the following pattern easier in future transactions. This is a far superior option over /feeds because it takes away a huge amount of cognitive burden for the user. As a developer, I’ve got a browser bookmarklet that provides this functionality for sites that don’t provide it for me. How nice would it be if browsers went back and offered such a one button collection mechanism?

    Want to give this a try? I’ve got a “Follow Me” button in the side bar of my website. And if that doesn’t float your boat, I’ve tinkered with other methods of subscribing to my content that you can find at my subscribe page. Some developers might not be too scared of what’s on my subscribe page (a /feed page by a slightly friendlier name), but less technically minded people are sure to have a dramatically different perspective.

    The other piece here that I might take umbrage with is the offering to provide feeds to subscriptions to alternate services like Twitter and Mastodon. (This doesn’t take into any account that RSS feeds of social services are positively atrocious, not to mention that attempting to access Marcus’ Twitter feed in RSS Box returns the interminable error message: “There was a problem talking to Twitter. Please try again in a moment.”)

    Ideally I see a future in which every person has the ability to own both their own domain name and their content in a simple manner. If this happens and it’s easier to subscribe to the sites of my friends, then I don’t need corporate social media to intermediate the transactions on my behalf. I also don’t need them to intermediate what I’m actually seeing with their blackbox algorithmic feeds either. Friends, family, and colleagues could simply come to my website and subscribe to all or portions of my content in which they’re interested. While I still presently syndicate some of my content to silos like Twitter and Mastodon for the ease of friends or family who don’t know about the technical side of potential solutions, I post everything on my website first where one can subscribe in a feed reader or by email. Subscriptions in Twitter or Mastodon, while nice to have, are just a poor simulacrum of the real things being served by my site in better ways with more context and a design that better reflects what I’d like to portray online. A /feed page is going to be a failure from the start if you’re going to cede all the subsequent power directly to Twitter, Mastodon, and others anyway.

    While I like the volume of the reactions to the post (indicating that there’s not only a readership, but a desire for this sort of functionality), I’m disheartened that so many designers and developers think that the idea of /feeds is “enough” to stem the tide.

    For those who might be truly interested in designing our way out of this problem, I’d recommend looking at some of the design and development work of the IndieWeb community which is trying (slowly, but surely) to improve these sorts of technical hurdles. Their wiki has a large number of examples of things that do and don’t work, discussion of where problems lie, and a community conversing about how to potentially make them better through actual examples of things that are currently working on people’s websites.

    A good example of this is the increasing improvement of social readers that allow one to subscribe to a variety of sources in a reader which also allows one to respond to posts in-line and then own that content on one’s website. If I can subscribe to almost anything out there in one interface and sort and filter it in any way I’d like, that’s far better than having twenty different feed readers named Facebook, Twitter, LinkedIn, Instagram, Soundcloud, etc. which I have to separately and independently manage and check. Now I’ve yet to see an IndieWeb reader with a one click SubToMe-type of solution for adding feeds to it, but I don’t think it will be very long before that’s a reality. The slowly improving Microsub spec that splits some of the heavy lifting needed to build and design a stand alone feed reader is certainly helping to make some massive headway on these issues.

    Maybe we’ll soon have an easy way for people to post who they’re following on their own websites, and their readers will be able to read or parse those pages and aggregate those followed posts directly into a nice reading interface? Maybe someone will figure out a way to redesign or re-imagine the old blogroll? Maybe we’ll leverage the idea of OPML subscriptions so that a personal blogroll (maybe we rename this something friendlier like a following page or personal recommendations, subscriptions, etc.) can feed a person’s subscriptions into their social reader? There are certainly a lot of solid ideas being experimented on and in actual use out there.

    We obviously still have a long way to go to make things better and more usable, not only for ourselves as designers and developers, but for the coding averse. I feel like there’s already a flourishing space out there doing this that’s miles ahead of solutions like /feeds. Why don’t we start at that point and then move forward?

    Portland, Oregon • 64°F
    Sun, May 31, 2020 5:26pm -07:00 (liked on Sun, May 31, 2020 5:32pm -07:00) #feedreaders #Microsub #OPML #OPMLsubscription #RSS #socialreaders #UI #webdesign
  • 👩‍💻 DynamicWebPaige @ 127.0.0.1 🏠 https://twitter.com/DynamicWebPaige
    I can't stop thinking about this picture, and this reality: safely barricaded from protests, spectating and not engaging, continuing with brunch as usual.
    Portland, Oregon • 62°F
    Mon, Jun 1, 2020 2:01am +00:00 (liked on Sun, May 31, 2020 7:05pm -07:00)
  • fluffy 💜 https://twitter.com/fluffy
    There is something very surreal about watching a live news event on TV while also hearing it outside your window.
    Portland, Oregon • 60°F
    Mon, Jun 1, 2020 3:00am +00:00 (liked on Sun, May 31, 2020 8:08pm -07:00)
Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.