Aaron Parecki

  • Aaron Parecki
    In case you needed a reminder about why we care so much about OAuth/OIDC flows being used in the system browser and not embedded browsers, Instagram injects their own tracking code in every web page you visit inside Instagram https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser
    Austin, Texas, USA • 99°F
    Wed, Aug 10, 2022 1:46pm -05:00 #instagram #oauth
    53 likes 20 reposts 9 replies
    • Aaron Parecki twitter.com/aaronpk
      Oof yeah. At least they give you a button to pop out to the real browser easier.
      Fri, Aug 12, 2022 2:37am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      The only time you might be able to convince me that it's acceptable is if this account is only for one app and everything is all first party. If there's only ever one app then there's effectively no OAuth and everything (including the AS) is part of the app.
      Thu, Aug 11, 2022 10:05pm +00:00 (via brid.gy)
    • Dan Moore twitter.com/mooreds
      So in your mind, no reason to ever use a webview/embedded browser? Or do I misunderstand?
      Thu, Aug 11, 2022 10:02pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Frankly the "system browser is horrible UX" argument lost a long time ago once the OSs provided in-app browsers that share system cookies but aren't visible to the app.
      Thu, Aug 11, 2022 9:56pm +00:00 (via brid.gy)
    • Dan Moore twitter.com/mooreds
      Agreed, as outlined here: datatracker.ietf.org/doc/html/rfc82… However, many folks, especially when first party all the way through, are willing to accept the downsides for better UX (popping out to the system browser being a pretty horrible UX). Hobson's browser is real: infrequently.org/2021/07/hobson…
      Thu, Aug 11, 2022 9:55pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      This particular issue isn't really a problem if you control the app and AS, but there are other reasons not to embed the AS page in an in-app web view.
      Thu, Aug 11, 2022 9:45pm +00:00 (via brid.gy)
    • Dan Moore twitter.com/mooreds
      Although if it is a first party oauth integration (where one company controls the mobile app, the APIs, and, through a legal contract the Authorization Server), this injection is less of an issue, right?
      Thu, Aug 11, 2022 3:00pm +00:00 (via brid.gy)
    • George Fletcher twitter.com/gffletch
      And of course Twitter opens the link in an in-app browser :-)
      Thu, Aug 11, 2022 9:59am +00:00 (via brid.gy)
    • Justin Dah-kenangnon twitter.com/Dahkenangnon
      Surely!
      Wed, Aug 10, 2022 6:58pm +00:00 (via brid.gy)
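The thread above argues that an authorization server's login page should not be rendered inside an app's embedded web view. As an added example (not code from this post, the thread, or any project it names), here is a best-effort, server-side check an AS can run on the User-Agent header to refuse such requests; the token list and sample UA strings are constructed from commonly observed patterns, and the `invalid_request` error body is this example's own choice, not something any OAuth specification mandates.

```python
# Added example: heuristic detection of embedded web views at the
# authorization endpoint. RFC 8252 notes such detection is best-effort,
# because the app fully controls the User-Agent header, so treat this as
# defence in depth, never as the only control.

# Tokens commonly observed in embedded browsers (assumption: kept short for
# illustration; a production list would be maintained and reviewed).
EMBEDDED_TOKENS = ("; wv)", "FBAN/", "FBAV/", "Instagram")


def looks_like_embedded_webview(user_agent: str) -> bool:
    """Return True when the UA string looks like an in-app web view."""
    if any(token in user_agent for token in EMBEDDED_TOKENS):
        return True
    # iOS WKWebView reports AppleWebKit but omits the trailing "Safari/"
    # token that Safari and SFSafariViewController include.
    if ("iPhone" in user_agent or "iPad" in user_agent) and \
            "AppleWebKit" in user_agent and "Safari/" not in user_agent:
        return True
    return False


def authorize_decision(headers: dict) -> dict:
    """Decide whether the AS should render its authorization page.

    The error is rendered to the user rather than redirected, because the
    request is refused before redirect_uri has been validated.
    """
    ua = headers.get("User-Agent", "")
    if looks_like_embedded_webview(ua):
        return {"status": 400, "error": "invalid_request",
                "error_description": "Sign in from the system browser or an "
                                     "in-app browser tab, not an embedded web view."}
    return {"status": 200}


# Constructed sample User-Agent strings following well-known patterns.
ANDROID_WEBVIEW = ("Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SQ3A.220705.003; wv) "
                   "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                   "Chrome/103.0.5060.129 Mobile Safari/537.36")
ANDROID_CHROME = ("Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/103.0.5060.129 Mobile Safari/537.36")
IOS_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/15.6 Mobile/15E148 Safari/604.1")
IOS_WKWEBVIEW = ("Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) "
                 "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148")

if __name__ == "__main__":
    for ua in (ANDROID_WEBVIEW, ANDROID_CHROME, IOS_SAFARI, IOS_WKWEBVIEW):
        print(authorize_decision({"User-Agent": ua})["status"], ua[:40])
```

Chrome Custom Tabs and SFSafariViewController send the same User-Agent as the system browser, so this check allows the in-app browser tabs the thread recommends while flagging WebView and WKWebView.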
Posted in /notes using quill.p3k.io

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.