53°F

Aaron Parecki

  • Articles
  • Notes
  • Photos
  • Aaron Parecki
    Yet another reason why Token Exchange is dangerous 🀯😱

    "Bing is allowed to issue Office tokens for any logged-on user"

    https://twitter.com/hillai/status/1641146523990753290
    η₯žε₯ˆε·ηœŒ, JPN
    Thu, Mar 30, 2023 9:54am +09:00 #security #oauth
    13 likes 4 replies 1 mention
    • Bertrand πŸ‰
    • β›§Satanistβ›§
    • Vladimir Petrosyan
    • Kenta Takahashi
    • Vittorio
    • Brad Fogle
    • Shreyan Jain
    • Daniel ⚑️
    • Torsten Lodderstedt
    • Josh Roppo 🌻
    • Patrick Schiess
    • Jocke A
    • Justin Richer πŸ€
    • Pushkar Jaltare twitter.com/Pushkar2911
      How will you implement the token exchange safely?Bing being able to create JWT tokens for MS Office makes sense from product standpoint. One way would be to vend scoped down tokens (for MS office) to Bing. Are there any other alternatives?
      Fri, Mar 31, 2023 12:49am +00:00 (via brid.gy)
    • Pushkar Jaltare twitter.com/Pushkar2911
      How would you architect/build a similar system?
      Fri, Mar 31, 2023 12:32am +00:00 (via brid.gy)
    • Torstein Krause Johansen emacs.ch/users/skybert

      @aaronpk Interesting find.

      Does this mean RFC 8693: Token Exchange is by its very nature dangerous? What would be a better way?

      Fri, Mar 31, 2023 4:14am +09:00
    • Hirsch Singhal twitter.com/hpsin_
      Something something breaking cross domain cookies and composability of the web...
      Thu, Mar 30, 2023 1:04am +00:00 (via brid.gy)

    Other Mentions

    • John Gateley twitter.com/johngateley
      Friends don't let friends do token exchange
      Thu, Mar 30, 2023 2:57am +00:00 (via brid.gy)
Posted in /notes using quill.p3k.io

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

  • πŸŽ₯ YouTube Tutorials and Reviews
  • 🏠 We're building a triplex!
  • ⭐️ Life Stack
  • βš™οΈ Home Automation
  • All
  • Articles
  • Bookmarks
  • Notes
  • Photos
  • Replies
  • Reviews
  • Trips
  • Videos
  • Contact
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.
IndieWebCamp Microformats Webmention W3C HTML5 Creative Commons
WeChat ID
aaronpk_tv