@aaronpk sure, drop me an email (see my website in bio) and we can arrange a call.
WeChat ID
aaronpk_tv
-
Emelia πΈπ»
https://hachyderm.io/@thisismissem
•
May 16
@aaronpk am I understanding that in order to use FedCM the RP must perform dynamic client registration with the IdP? I'm unsure of how the `client_id` comes to exist for the RP and not really getting it for the first-sign-in flow?
I just saw your comment on FedCM #585. Since you're diving into the depths of Mastodon OAuth already I'd love to talk about how we can better align IndieAuth OAuth and Mastodon OAuth! -
Emelia πΈπ»
https://hachyderm.io/@thisismissem
•
May 16
@aaronpk am I understanding that in order to use FedCM the RP must perform dynamic client registration with the IdP? I'm unsure of how the `client_id` comes to exist for the RP and not really getting it for the first-sign-in flow?
It has nothing to do with FedCM actually. In IndieAuth we avoid client registration entirely by using URLs as client identifiers. So the client already knows its client ID, and uses the same client ID at every authorization server it talks to. It's also a natural fit for FedCM since you can use `window.location.origin` for it in the JS call. -
-
-
-
KimberlyHirsh
https://micro.blog/KimberlyHirsh
•
May 15
@aaronpk This is great advice but anyone who tried it for me would be sorely disappointed by the extreme lack of refund.
I have bad news, they just make up whatever numbers they want so that it comes out to getting a refund on your behalf π -
Pro tip: if you file taxes in the US, go get yourself an IRS PIN so someone can't fraudulently file taxes using your SSN trying to get your tax refund deposited in their account. Ask me how I know.
https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin -
“Copay accumulators” put patients in middle of battle between insurers and drugmakers (www.marketplace.org)
-
Prescription benefit manager move into drugmaking draws scrutiny - Marketplace (www.marketplace.org)
-
Thanks! There's currently no browser API that guarantees the use of secure-element-stored private keys. The best we get now is non-exportable. There's a mention of that here https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#section-6.3.4.2.2 But as discussed, even hardware-backed keys don't prevent an attacker from starting their own flow in the browser with their own keys.
-
Thanks! Mostly I'm doing German so I don't completely forget everything I learned in school.
-
-
I've been looking forward to this day for a long time
-
I don't mean to brag, but
