Aaron Parecki

The first law of OAuth states that the total number of authorized access tokens must remain constant in an isolated system.

This post will show you step by step how you can let people log in to your website with their own IndieAuth website so you don't need to worry about user accounts or passwords.

Over the last year, I've helped thousands of software developers learn about OAuth by hosting live and virtual workshops, and all this knowledge is now available as an on-demand video course!

This year, the IndieWeb community has been making progress on iterating and evolving the IndieAuth protocol. IndieAuth is an extension of OAuth 2.0 that enables it to work with personal websites and in a decentralized environment.

The zero-day bug in Sign In with Apple actually had nothing to do with the OAuth or OpenID Connect part of the Sign In with Apple exchange, and very little to do even with JWTs. Let's take a closer look to see what actually happened.

Trying to understand OAuth often feels like being trapped inside a maze of specs, trying to find your way out, before you can finally do what you actually set out to do: build your application.

Now is your chance to join and ask me your OAuth questions!

The new draft spec at OAuth.xyz outlines a potential way to completely re-think OAuth from the ground up.

tl;dr This is a good move for users in the iOS ecosystem, and is primarily designed as an alternative for apps that currently use "Sign in with [Facebook/Twitter/Google]" to avoid leaking sensitive user info.

OAuth has become the de facto standard for authorization and authentication on the web. Nearly every company with an API used by third party developers has implemented OAuth to enable people to build apps on top of it.

It's been a long time coming, but I've finally published a proper IndieAuth spec!

This evening, Tantek pointed out to me that while he was logging in to the wiki via IndieAuth.com for the first time on a new computer, there was something a little strange about the IndieAuth.com flow...

While OAuth 2.0 is a good framework for building an API, the spec itself leaves many things un-specified, and it's up to the implementer to make a decision based on their own security requirements. As such, most OAuth 2.0 implementations are not interoperable, which is often cited as a failure of OAuth 2.0. On the other hand, the current state of OAuth 2.0 implementations is that they are often similar enough that developers don't need to learn too many new concepts when dealing with them.

Back in the early days of Twitter, I noticed that several tweets I was seeing showed "via _____" next to the date, which linked to the application that was used to post the tweet. I thought "hey that's a clever way to give credit to applications" and thought it would be a good way to get people to discover the Twitter app I was creating at the time.