Aaron Parecki

  • Brock Allen https://twitter.com/BrockLAllen   •   Feb 25
    People are asking, when using standards compliant OIDC client libraries:

    https://github.com/authts/oidc-client-ts/issues/395#issue-1149525542
    Aaron Parecki
    why does that example have the browser sending a client secret in the request? That seems odd. Happy to continue this over on the github thread.
    Portland, Oregon, USA • 34°F
    2 replies
    Thu, Feb 24, 2022 6:58pm -08:00
  • Brock Allen https://twitter.com/BrockLAllen   •   Feb 25
    It's confusing as hell, and I'm confused by the implementation -- on the token endpoint if Origin is present, you require that the authz used PKCE? That's about the only valid approach to that I can imagine.
    Aaron Parecki
    Yeah that's right. I agree it's super confusing and has caused some tricky issues before. It may be different in the new platform but I'd have to double check
    Portland, Oregon • 34°F
    4 replies
    Thu, Feb 24, 2022 6:53pm -08:00
  • Brock Allen https://twitter.com/BrockLAllen   •   Feb 25
    Hey @aaronpk, can you explain this help article? It makes no sense to me. TIA

    https://support.okta.com/help/s/article/Browser-requests-to-the-token-endpoint-must-use-Proof-Key-for-Code-Exchange?language=en_US
    Aaron Parecki
    Oh yeah, I remember this one. I don't remember if this is still current behavior, but basically Okta is trying to prevent browsers from using anything other than the authorization code PKCE flow. It does that by detecting the Origin header which isn't sent by server apps.
    Portland, Oregon • 34°F
    1 like 11 replies
    Thu, Feb 24, 2022 6:50pm -08:00
  • Indie bookshelves - macwright.com (macwright.com)
    "Check out all the stuff that Aaron Parecki has implemented to run his website. That isn’t a home on the internet, it’s a full-fledged castle. It’s damn impressive."
    Thu, Feb 24, 2022 11:47am -08:00 #indieweb
  • Aaron Parecki
    Contributions from: China, France, Slovakia, United Kingdom, United States
    Thu, Feb 24, 2022 11:32am -08:00
  • The Intersection of 69th and Dicks https://twitter.com/thesuperpapagai
    Instead of whining about defund the police, cops could make all the money they would ever need by just standing near a crosswalk and ticketing every driver that fails to yield.
    Portland, Oregon • 29°F
    Thu, Feb 24, 2022 2:32pm +00:00 (liked on Thu, Feb 24, 2022 6:58am -08:00)
  • Katie Anderson https://twitter.com/katie_panda
    https://twitter.com/katie_panda/status/1496607013589204998?s=12
    Portland, Oregon • 29°F
    Wed, Feb 23, 2022 10:04pm +00:00 (liked on Thu, Feb 24, 2022 6:56am -08:00)
  • Simon Willison https://twitter.com/simonw
    Just had an idea for supporting open source projects that your company uses: invite a maintainer to give a paid hour-long talk to your engineers (over Zoom), and pay them over-the-odds for doing so
    Portland, Oregon • 29°F
    Wed, Feb 23, 2022 7:32pm +00:00 (liked on Thu, Feb 24, 2022 6:19am -08:00)
  • Asleep 10:19pm, awake 6:11am, slept 7h 52m, awake for 21m
    Portland, Oregon, USA • 29°F
    Thu, Feb 24, 2022 6:11am -08:00
  • Mark Tenenholtz https://twitter.com/marktenenholtz
    Zillow’s home buying business lost them $500,000,000, 25% of their stock value, and 25% of their workforce.

    How did this happen to a company with so much data on housing prices?

    Bad model evaluation.

    Here’s the fatal error they made that you must avoid when deploying models🧵
    Portland, Oregon • 28°F
    Tue, Feb 22, 2022 1:00pm +00:00 (liked on Wed, Feb 23, 2022 9:40pm -08:00)
  • Brion Vibber https://mastodon.technology/@brion

    love how phishing awareness teaches us to never click a link in an email with an unknown domain, yet industry standard for bulk-mail campaigns is to send all clicks through a redirector for tracking and it's always some third god damn party you never heard of

    Portland, Oregon • 38°F
    Mon, Feb 21, 2022 6:38pm +00:00 (liked on Wed, Feb 23, 2022 4:19pm -08:00)
  • François' Blog - Generate a JSON Web Key Set from PHP for RSA Keys (www.tuxed.net)
    Wed, Feb 23, 2022 3:54pm -08:00 #php #jwk #jwt #openid #oidc
  • Aaron Parecki
    Contributions from: China, France, Slovakia, United Kingdom, United States
    Wed, Feb 23, 2022 1:03pm -08:00
  • Aaron Parecki https://aaronparecki.com/   •   Feb 23
    Do I know anyone involved with @LoginDotGov? I found a few (minor) issues with the OAuth/OpenID docs there https://developers.login.gov/oidc/
    Aaron Parecki
    I didn't realize before, but their docs are open source! I just sent them a PR to fix it!

    https://github.com/18F/identity-dev-docs/pull/235
    Portland, Oregon, USA • 29°F
    8 likes
    Wed, Feb 23, 2022 11:25am -08:00
  • DoctorMac https://micro.blog/DoctorMac   •   Feb 23

    @aaronpk you would use this mechanism: 18f.gsa.gov/vulnerabi...

    "We accept and discuss vulnerability reports on HackerOne, via email at tts-vulnerability-reports@gsa.gov, or through the form"

    HackerOne is the preferred reporting.

    Aaron Parecki
    Thanks, it's not a security issue, just some misleading wording in the docs. I sent them a PR to fix it!
    Portland, Oregon, USA • 29°F
    Wed, Feb 23, 2022 11:24am -08:00
  • Jason Garber https://twitter.com/jgarber   •   Feb 23
    18F manages the app. Main source repo is here: https://github.com/18F/identity-idp

    Not sure if the docs are generated from there, though.
    Aaron Parecki
    oh awesome, their docs are on there! I will just send them a PR then!

    https://github.com/18F/identity-dev-docs
    Portland, Oregon, USA • 29°F
    1 like 1 reply
    Wed, Feb 23, 2022 9:47am -08:00
  • Aaron Parecki
    Do I know anyone involved with @LoginDotGov? I found a few (minor) issues with the OAuth/OpenID docs there https://developers.login.gov/oidc/
    Portland, Oregon, USA • 29°F
    1 like 1 repost 6 replies
    Wed, Feb 23, 2022 9:40am -08:00 #gov #openid
  • Roberto Blake 🇺🇸🇵🇦🗽Creative Entrepreneur https://twitter.com/robertoblake
    The first 30 seconds starts with the first 10 seconds called the hook. You have 10 seconds to make a first impression, 10 more seconds to communicate some kind of value or interests, and another 10 to give them a reason to watch till the end for a pay off for watching.
    Portland, Oregon • 23°F
    Tue, Feb 22, 2022 3:38pm +00:00 (liked on Wed, Feb 23, 2022 7:18am -08:00)
  • Asleep 9:38pm, awake 6:11am, slept 8h 33m, awake for 10m
    Portland, Oregon, USA • 24°F
    Wed, Feb 23, 2022 6:11am -08:00
  • Brianna Wu https://twitter.com/BriannaWu
    Wordle is fundamentally a game about executing an algorithm. If you find yourself regularly scoring five or six, the problem isn’t Wordle - it’s your strategy.

    There are plenty of videos out there showing you which first guesses yield high levels of data. I use SALET then CRONY
    Portland, Oregon • 24°F
    Wed, Feb 23, 2022 1:21pm +00:00 (liked on Wed, Feb 23, 2022 6:08am -08:00)

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2026 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.