86°F

Aaron Parecki

  • Articles
  • Notes
  • Photos
  • Barbara Schachner https://twitter.com/barschachner   •   May 31
    I feel logical bugs around OAuth/OIDC/JWT handling are on the rise - and they are like the login form SQL injections of the past („be whoever you want to be“).
    Love those standards and their capabilities - but are they getting too complicated?
    Aaron Parecki
    Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.
    Portland, Oregon • 54°F
    Sun, May 31, 2020 5:59am -07:00
    1 like 12 replies
    • Barbara Schachner
    • Leif Johansson twitter.com/leifjohansson
      Technology is about revolting against your fathers data description language.
      Tue, Jun 2, 2020 4:44pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      It's almost like they learned nothing from the mess of XML-based protocols
      Tue, Jun 2, 2020 4:44pm +00:00 (via brid-gy.appspot.com)
    • Nat Sakimura twitter.com/_nat_en
      And so did Verified / Verifiable Credentials specs. ** sigh **
      Tue, Jun 2, 2020 4:42pm +00:00 (via brid-gy.appspot.com)
    • Leif Johansson twitter.com/leifjohansson
      Isn’t CBOR putting it back?
      Mon, Jun 1, 2020 5:14pm +00:00 (via brid-gy.appspot.com)
    • Nat Sakimura twitter.com/_nat_en
      Well, after 18 years, XML DSig libs still exhibited critical normalization bugs last year. It has been continuing and I expect it to continue. That's why we removed any and all normalization from JWS. That was one of the first decision I and @ve7jtb made. Just a data point.
      Mon, Jun 1, 2020 7:01am +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      No, just SAML and wouldn’t call it less complicated, just maybe so obviously complicated that only few tried to do the XML handling themselves and rather used proper libs😀 Really don’t want to criticize anyone.I have high respect for everyone inventing/maintaining such standards
      Sun, May 31, 2020 7:13pm +00:00 (via brid-gy.appspot.com)
    • Torsten Lodderstedt twitter.com/tlodderstedt
      High complexity means? Are you aware of solutions for Id federation that are simpler to use and secure?
      Sun, May 31, 2020 2:35pm +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      Sorry, the Apple vulnerability is not. It’s just my feeling that higher likelihood of logical bugs due to high complexity may also apply to OIDC (in combination with OAuth).
      Sun, May 31, 2020 2:17pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers.
      Sun, May 31, 2020 1:43pm +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      Of course, usage of standard libs should help. Just not sure how widespread they are compared to individual implementations in that area.
      Sun, May 31, 2020 1:42pm +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      Fully agree to that 😀 Just looking also at examples like insomniasec.com/blog/auth0-jwt… or threatpost.com/microsoft-oaut…. o/c they are different + very individual, but if already the big players have such issues, how much more can go wrong on RS side where devs are usually not Auth experts.
      Sun, May 31, 2020 1:41pm +00:00 (via brid-gy.appspot.com)
    • Torsten Lodderstedt twitter.com/tlodderstedt
      I don’t see how this is related to the OIDC protocol flow. Can you please elaborate?
      Sun, May 31, 2020 1:00pm +00:00 (via brid-gy.appspot.com)
Posted in /replies using indigenous.abode.pub/ios

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

  • 🎥 YouTube Tutorials and Reviews
  • 🏠 We're building a triplex!
  • ⭐️ Life Stack
  • ⚙️ Home Automation
  • All
  • Articles
  • Bookmarks
  • Notes
  • Photos
  • Replies
  • Reviews
  • Trips
  • Videos
  • Contact
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.
IndieWebCamp Microformats Webmention W3C HTML5 Creative Commons
WeChat ID
aaronpk_tv