WeChat ID
aaronpk_tv
-
Las Vegas, Nevada • Wed, October 16, 2024 7:58am#Oktane here we goooo
-
Congrats to BlueSky for launching OAuth support for apps! π https://docs.bsky.app/blog/oauth-atproto
-
Love seeing more US banks adopting OAuth!
-
Someone broke through the chain link fence last week, in broad daylight, while I was home, and didn't notice at the time.
I started thinking about what I could do about it, and it turns out the EA Unifi cameras have a new webhook feature. So now my cameras send a webhook to Home Assistant when someone crosses a virtual line, and it will trigger the siren. Since this is a line crossing event, not generic person detection, I can leave it armed 24/7, since nobody should be in that area at all. -
My IETF 120 Agenda
The sessions I will be attending and presenting at during IETF 120 in Vancouvercontinue reading... -
So #Identiverse is using an AI tool to summarize all the conference talks and it works about as terribly as you'd imagine.
Nowhere in my talk did I say "OAuth 3.0", nor did I say anything about global privacy regulation compliance. It straight up hallucinated quotes from me. π€¦ββοΈ
-
FedCM for IndieAuth
IndieWebCamp Düsseldorf took place this weekend, and I was inspired to work on a quick hack for demo day to show off a new feature I've been working on for IndieAuth.continue reading... -
OAuth for Browser-Based Apps has entered Working Group Last Call! Please share your comments in the next 2 weeks, even if it's just a general voice of support!
https://aaronparecki.com/2024/05/02/5/oauth-browser-based-apps-last-call -
OAuth for Browser-Based Apps Working Group Last Call!
The draft specification OAuth for Browser-Based Applications has just entered Working Group Last Call!continue reading... -
OAuth: "grant" vs "flow" vs "grant type"
Is it called an OAuth "grant" or a "flow"? What about "grant type"?continue reading... -
This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
-
The deadline to submit drafts ahead of the IETF meeting in November just passed, and I submitted my last one with 30 minutes to spare! Here are all the docs I'll be discussing:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-01.html
https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-00.html
https://www.ietf.org/archive/id/draft-parecki-oauth-metadata-for-nested-flows-00.html -
OAuth for Browser-Based Apps Draft 15
After a lot of discussion on the mailing list over the last few months, and after some excellent discussions at the OAuth Security Workshop, we've been working on revising the draft to provide clearer guidance and clearer discussion of the threats and consequences of the various architectural patterns in the draft.continue reading... -
Now that @1Password launched passkey support *and* it's integrated into iOS 17 with the 1Password app, I feel like I can finally actually take the plunge and set up passkeys everywhere!
No more passwords! and the login UX is so much better too! -
It is 2023 and I am still having to explain the dangers of the OAuth Implicit Flow because I am still finding current documentation suggesting otherwise. Time to make another video to follow up on the one from 4 years ago?
-
May the 4th be with you! Brand new OAuth shirts just launched: "I find your lack of security disturbing"
Available in a variety of styles and also as a hacker hoodie!
https://shop.oauth.net/listing/lack-of-security-disturbing?product=46
-
Tomorrow Iβll be speaking at the @OReillyMedia Security Superstream at 8AM PDT with host @ChloeMessdaghi
Get up to speed on techniques & best practices related to OAuth and API security, the OWASP Top 10, & more! Register now: https://www.oreilly.com/live-events/security-superstream-application-security/0636920083707/0636920083706/
https://infosec.exchange/@ChloeMessdaghi/110186693893045342 -
-
Yet another reason why Token Exchange is dangerous π€―π±
"Bing is allowed to issue Office tokens for any logged-on user"
https://twitter.com/hillai/status/1641146523990753290 -
First #ietf116 session of the day is #OAuth complete with custom SD-JWT t-shirts π
@kristinayasuda @dfett42
