Aaron Parecki

alianora https://cybre.space/@nightpool • May 2
@aaronpk sorry I guess I should have specified "with https". doesn't https' security model encompass this one?

Nope because the browser is still an unknown there, at least from the point of view of the sender of the sensitive data.

Mountain View, California • 49°F

1 reply

Thu, May 2, 2019 9:03am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

Think of it this way: The server is trying to send some sensitive data to the application, but has no direct communication channel, and instead has to trust some other piece of software (the browser) to deliver it.

Mountain View, California • 49°F

1 reply

Thu, May 2, 2019 8:40am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

An easy example to see is captive wifi portals where the network intercepts DNS requests and returns a different answer.

Mountain View, California • 49°F

Thu, May 2, 2019 8:33am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

That's the classic problem with the front-channel (sending data over HTTP redirects in a browser). The sender has no way to know if the receiver got the data, and has no way to tell if it was stolen or copied.

Mountain View, California • 49°F

Thu, May 2, 2019 8:31am -07:00
Browser APIs have gotten so much better lately! Way easier to do @oauth_2 PKCE in a browser now:

✅ good random number generators
✅ secure hashing functions

Just missing a good base64 encoding function. (Check out the ugly hack in the post.)

https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead#begin-the-pkce-request

Mountain View, California, USA • 49°F

5 likes 1 repost 5 replies

Thu, May 2, 2019 8:25am -07:00 #oauth #javascript #pkce
at Computer History Museum

Mountain View, California • Thu, May 2, 2019 7:54am

37.414456 -122.0775

Mountain View, CA, United States

1 Coin

Thu, May 2, 2019 7:54am -07:00
Contributions from: Germany, India, Switzerland, United States

Thu, May 2, 2019 7:40am -07:00
at Hotel Vue

Mountain View, California • Thu, May 2, 2019 7:29am

37.381403 -122.074277

Mountain View, CA, United States • 49°F

10 Coins

Thu, May 2, 2019 7:29am -07:00
Contributions from: Germany, India, United Kingdom, United States

Thu, May 2, 2019 7:26am -07:00
Contributions from: Germany, India, United States

Thu, May 2, 2019 7:09am -07:00
10:25pm
Asleep

6:28am
Awake

8h 03m
Slept

23m
Awake for

Mountain View, California, USA

Thu, May 2, 2019 6:28am -07:00
current status: wrapped up the web standards meeting for the day, and now watching the recording of yesterday's Planning and Sustainability Commission meeting in Portland, a different kind of standards meeting.

what? I don't have too many projects *you* have too many projects

Mountain View, California, USA • 49°F

12 likes 1 repost 1 reply

Wed, May 1, 2019 9:17pm -07:00 #pdx #portland
Troy Howard https://twitter.com/thoward37

Now that the conference is over, I can finally relax and watch the talks from the comfort of my living room sofa.

#ml4all #conference #machinelearning #appletv

Mountain View, California • 49°F

www.instagram.com/ml4allconf

Wed, May 1, 2019 5:07pm -07:00 (liked on Wed, May 1, 2019 8:45pm -07:00) #ml4all #conference #machinelearning #appletv
at Hotel Vue

Mountain View, California • Wed, May 1, 2019 8:42pm

37.381403 -122.074277

Mountain View, CA, United States • 49°F

34 Coins

Wed, May 1, 2019 8:42pm -07:00
Taxi

3.11mi
Distance

6:41
Duration

8:30pm
Start

8:36pm
End

Mountain View, California • 49°F

Wed, May 1, 2019 8:36pm -07:00
Randall Degges https://twitter.com/rdegges • May 2
Just in case you were wondering, there is, in fact, a blockchain magazine for Australians.

ohno

Mountain View, California • 49°F

Wed, May 1, 2019 7:38pm -07:00
Eve Maler https://twitter.com/xmlgrrl

Hear, hear. Really incisive analysis from @gffletch on how relying parties look at the SSI proposition and some of the challenges in solving the last mile(s?). #iiw

Mountain View, California • 49°F

Wed, May 1, 2019 11:27pm +00:00 (liked on Wed, May 1, 2019 4:39pm -07:00) #iiw
at Computer History Museum

Mountain View, California • Wed, May 1, 2019 3:34pm

37.414456 -122.0775

Mountain View, CA, United States • 49°F

1 like 5 Coins

Wed, May 1, 2019 3:34pm -07:00
at Cloud Café

Mountain View, California • Wed, May 1, 2019 1:30pm

37.414486 -122.077605

Mountain View, CA, United States • 49°F

7 Coins

Wed, May 1, 2019 1:30pm -07:00
Nico Kaiser https://twitter.com/nicokaiser • May 1
From what I understand, the Auth Code flow (even with PKCE) needs some kind of backend in the app (i.e., no static HTML-only cross-domain SPA), or am I missing something?

If you read the post I talk about exactly that issue and provide sample code for doing auth code + PKCE entirely in JavaScript

Mountain View, California, USA • 49°F

1 reply

Wed, May 1, 2019 9:58am -07:00

older