Aaron Parecki

  • Aaron Parecki
    Contributions from: Belgium, Czech Republic, Finland, India, Kuwait, Netherlands, Switzerland, Turkey, United Kingdom, United States, Vietnam
    Thu, Oct 26, 2023 10:03pm -07:00
  • Ryan Barrett https://snarfed.org/

    Following the Not So Online

    Portland, Oregon • 44°F
    Wed, Oct 25, 2023 8:47pm -07:00 (liked on Thu, Oct 26, 2023 7:28pm -07:00)
  • Ride
    1.25mi
    Distance
    6:53
    Duration
    1:17pm
    Start
    1:24pm
    End
    Portland, Oregon • 47°F
    Thu, Oct 26, 2023 1:24pm -07:00
  • Aaron Parecki
    Contributions from: Belgium, Czech Republic, Finland, India, Kuwait, Netherlands, Switzerland, Turkey, United Kingdom, United States, Vietnam
    Thu, Oct 26, 2023 1:02pm -07:00
  • Aaron Ogle https://fosstodon.org/@geekgonecrazy   •   Oct 26

    @aaronpk is pkce used very often? When I was initially implementing pkce in a few cli tools I didn’t see a lot of people talking about it. Most people I talk to are familiar with oauth but you mention pkce and they don’t know it

    Aaron Parecki
    CLI tools are a bit of a special case, but if you're using the auth code flow with a CLI client, then you should also definitely use PKCE.
    Portland, Oregon • 43°F
    Thu, Oct 26, 2023 9:21am -07:00
  • Aaron Ogle https://fosstodon.org/@geekgonecrazy   •   Oct 26

    @aaronpk is pkce used very often? When I was initially implementing pkce in a few cli tools I didn’t see a lot of people talking about it. Most people I talk to are familiar with oauth but you mention pkce and they don’t know it

    Aaron Parecki
    It's used pretty often, but apparently not as often as it should. There's no excuse for not using it these days, that's why it's not called PKCE in OAuth 2.1, it's just built in to the authorization code flow.
    Portland, Oregon • 43°F
    Thu, Oct 26, 2023 9:08am -07:00
  • Aaron Parecki https://aaronparecki.com/   •   Oct 26
    This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
    Aaron Parecki
    tl;dr: Don't accept access tokens in your redirect URI (don't use the implicit flow)

    PKCE solves this attack and is enforced by the server rather than relying on client developers to "verify the access token" as described in the post
    Portland, Oregon, USA • 42°F
    4 likes 2 reposts 1 reply
    Thu, Oct 26, 2023 8:51am -07:00 #oauth
  • Aaron Parecki
    This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
    Portland, Oregon, USA • 42°F
    6 likes 8 reposts 2 replies 1 mention
    Thu, Oct 26, 2023 8:50am -07:00 #oauth
  • 8:35pm
    Asleep
    5:04am
    Awake
    8h 29m
    Slept
    22m
    Awake for
    Portland, Oregon, USA
    Thu, Oct 26, 2023 5:04am -07:00
  • Nachos
    Portland, Oregon, USA • 44°F
    Wed, Oct 25, 2023 7:25pm -07:00
  • Paul Robert Lloyd https://paulrobertlloyd.com/   •   Oct 25

    A cohesive and unified identity for IndieWeb protocols

    Aaron Parecki
    These are really great! I like what you've done here!
    Portland, Oregon, USA • 46°F
    Wed, Oct 25, 2023 12:21pm -07:00
  • Paul Robert Lloyd https://paulrobertlloyd.com/

    A cohesive and unified identity for IndieWeb protocols

    Portland, Oregon • 46°F
    Wed, Oct 25, 2023 7:45pm +01:00 (liked on Wed, Oct 25, 2023 12:18pm -07:00) #brand_identity #design #indieweb
  • 179.9lbs
    Weight
    25.1%
    Body Fat
    Portland, Oregon
    Wed, Oct 25, 2023 11:15am -07:00
  • 9:41pm
    Asleep
    6:07am
    Awake
    8h 26m
    Slept
    43m
    Awake for
    Portland, Oregon, USA
    Wed, Oct 25, 2023 6:07am -07:00
  • Tantek Çelik http://tantek.com/
    @shanselman@hachyderm.io thanks for the invitation! Chatting about #POSSE and #IndieWeb techniques in general sounds like fun — let’s do it
    Portland, Oregon • 47°F
    Tue, Oct 24, 2023 4:38pm -07:00 (liked on Tue, Oct 24, 2023 8:41pm -07:00) #POSSE #IndieWeb
  • Veggie Pizza
    Portland, Oregon, USA • 47°F
    Tue, Oct 24, 2023 7:32pm -07:00
  • Aaron Parecki
    Contributions from: Belgium, Czech Republic, Denmark, Finland, India, Kuwait, Netherlands, Switzerland, Turkey, United Kingdom, United States, Vietnam
    Tue, Oct 24, 2023 2:55pm -07:00
  • 9:44pm
    Asleep
    6:12am
    Awake
    8h 28m
    Slept
    22m
    Awake for
    Portland, Oregon, USA • 49°F
    Tue, Oct 24, 2023 6:12am -07:00
  • Aaron Parecki
    The deadline to submit drafts ahead of the IETF meeting in November just passed, and I submitted my last one with 30 minutes to spare! Here are all the docs I'll be discussing:

    https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html

    https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-01.html

    https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-00.html

    https://www.ietf.org/archive/id/draft-parecki-oauth-metadata-for-nested-flows-00.html
    Portland, Oregon, USA
    6 likes 3 reposts 1 reply 1 mention
    Mon, Oct 23, 2023 5:15pm -07:00 #oauth #ietf
  • Aaron Parecki
    Contributions from: Belgium, Czech Republic, Finland, India, Kuwait, Netherlands, Switzerland, Turkey, United Kingdom, United States, Vietnam
    Mon, Oct 23, 2023 12:45pm -07:00

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming.

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.