Aaron Parecki

In case you missed it, our IPSIE webinar recording is now available! I had a great time chatting with Dean H. Saxe, George Fletcher, Gail Hodges, and Jeff Reich about what IPSIE is, why profiling existing specifications is so important, and the progress the working group has made so far! Thanks for the great conversation!

IPSIE:
Interoperability
Profile for
Secure
Identity in the
Enterprise

https://www.brighttalk.com/webcast/18458/636068

Chase sends 8-digit 2fa SMS codes, which seems excessive compared to the 6 that most other places use, but even weirder is that the first digit of them has always been the same, effectively making it a 7 digit code. Anyone know what's up with that?

At long last, the OAuth working group has finished the Best Current Practice for OAuth 2.0 Security and it was just published as RFC9700! This has been a long time in the works, and I'm very thankful to everyone who has helped out with it over the years!

https://www.rfc-editor.org/rfc/rfc9700.html

This is one of the major inputs to OAuth 2.1, so I'm also very excited to be able to move that forward this year as well!

Congrats to BlueSky for launching OAuth support for apps! 🙌 https://docs.bsky.app/blog/oauth-atproto

Someone broke through the chain link fence last week, in broad daylight, while I was home, and didn't notice at the time.

I started thinking about what I could do about it, and it turns out the EA Unifi cameras have a new webhook feature. So now my cameras send a webhook to Home Assistant when someone crosses a virtual line, and it will trigger the siren. Since this is a line crossing event, not generic person detection, I can leave it armed 24/7, since nobody should be in that area at all.

OAuth for Browser-Based Apps has entered Working Group Last Call! Please share your comments in the next 2 weeks, even if it's just a general voice of support!

https://aaronparecki.com/2024/05/02/5/oauth-browser-based-apps-last-call

This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts

The deadline to submit drafts ahead of the IETF meeting in November just passed, and I submitted my last one with 30 minutes to spare! Here are all the docs I'll be discussing:

https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html

https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-01.html

https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-00.html

https://www.ietf.org/archive/id/draft-parecki-oauth-metadata-for-nested-flows-00.html

Now that @1Password launched passkey support *and* it's integrated into iOS 17 with the 1Password app, I feel like I can finally actually take the plunge and set up passkeys everywhere!

No more passwords! and the login UX is so much better too!

It is 2023 and I am still having to explain the dangers of the OAuth Implicit Flow because I am still finding current documentation suggesting otherwise. Time to make another video to follow up on the one from 4 years ago?