Aaron Parecki

  • Darius Kazemi https://friend.camp/@darius   •   Jun 8

    I'd like to self-host a single mailing list that is never going to have more than about 25 people on it. Is there a dead-simple thing (wayyy simpler than Mailman) that will just.... alias something like thelist@tinysubversions.com to CC 25 different email addresses?

    It doesn't need a public or even private archive of messages. It's just for a small group of friends who want to stay in touch.

    Aaron Parecki
    I do this with simple mail forwarding rules at my web host. It doesn't have any "mailing list" features like showing archives, all it does is forward to a handful of addresses, but it's excellent at that and requires no maintenance.
    Portland, Oregon
    1 reply
    Sat, Jun 8, 2019 11:16am -07:00
  • rabble https://twitter.com/rabble   •   Jun 8
    I hope I’m wrong. Looking at the ui it shows users being able to not provide it but I can’t find info in the code about that.
    Aaron Parecki
    Their docs are wrong in a few places and are missing a lot of info.
    Portland, Oregon, USA
    1 like
    Fri, Jun 7, 2019 5:10pm -07:00
  • rabble https://twitter.com/rabble   •   Jun 7
    @aaronpk Am I correct in reading through the Apple sign in that they're protecting the privacy of your email address with a proxy but then giving everybody who asks for it your full legal name?
    Aaron Parecki
    They actually have a way you can edit the name that's sent back to the app!
    Portland, Oregon, USA
    2 likes 1 reply
    Fri, Jun 7, 2019 5:08pm -07:00
  • Rory Macdonald https://twitter.com/tworymacdonald   •   Jun 7
    Nice write up 👍 Did you find the anti-fraud Real User Indicator capability surfaced using JS API? Available as credential.realUserStatus property in native.
    Aaron Parecki
    Nope, haven't found that yet! It's missing from their docs too. I'm going to keep playing with it though.
    Portland, Oregon
    1 like
    Fri, Jun 7, 2019 12:39pm -07:00
  • David Waite https://twitter.com/dwaite   •   Jun 6
    @aaronpk Most surprisingly interesting thing I got from https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple - you managed to get http://example-app.com
    Aaron Parecki
    😂😂😂 Yep I use it in my book and I've also been using it for testing out redirect URIs in workshops and stuff!
    Portland, Oregon
    1 reply
    Thu, Jun 6, 2019 4:46pm -07:00
  • Wizages - Sam Patzer https://twitter.com/Wizages   •   Jun 6
    Just for the uniqueid. Verify that the uniqueid is not modified.
    Aaron Parecki
    Verify where? The unique ID comes back in the ID token, not the access token. (Also happy to take this to DM.)
    Portland, Oregon
    Thu, Jun 6, 2019 4:20pm -07:00
  • Wizages - Sam Patzer https://twitter.com/Wizages   •   Jun 6
    So talked with the Apple engineers here at WWDC:
    They don't have that endpoint, they also will not expose user_info or a revocation endpoint. The user_info will only be sent once and only once, then you will only get a unique id again. Only scopes available now are name and email.
    Aaron Parecki
    Another question, if there is no `user_info` endpoint, what are the access token and refresh tokens for?
    Portland, Oregon
    1 reply
    Thu, Jun 6, 2019 4:18pm -07:00
  • Wizages - Sam Patzer https://twitter.com/Wizages   •   Jun 6
    Yep. That seems like a bug. If you forget it, well, you are left without it. You should be able to request new scopes...
    Aaron Parecki
    Progress! I now get the screen which lets me edit my name and choose the email to share. I only see that the first time, all subsequent requests show a confirmation only.

    Still no luck actually getting the email address back in the ID token though.
    Portland, Oregon
    1 like
    Thu, Jun 6, 2019 4:07pm -07:00
  • Wizages - Sam Patzer https://twitter.com/Wizages   •   Jun 6
    That is not a bug, that is a feature. They told me they will only give you the info once. Probably why scope won't matter after your first invoke.
    Aaron Parecki
    I will go test this out with new app credentials though to confirm. Thanks for the lead!
    Portland, Oregon
    1 like
    Thu, Jun 6, 2019 3:28pm -07:00
  • Wizages - Sam Patzer https://twitter.com/Wizages   •   Jun 6
    That is not a bug, that is a feature. They told me they will only give you the info once. Probably why scope won't matter after your first invoke.
    Aaron Parecki
    Interesting. Well, the bug is that I have *never* gotten it, because I didn't request it the first time, and now I can't request it ever again.
    Portland, Oregon
    1 reply
    Thu, Jun 6, 2019 3:28pm -07:00
  • Wizages - Sam Patzer https://twitter.com/Wizages   •   Jun 6
    So talked with the Apple engineers here at WWDC:
    They don't have that endpoint, they also will not expose user_info or a revocation endpoint. The user_info will only be sent once and only once, then you will only get a unique id again. Only scopes available now are name and email.
    Aaron Parecki
    Just verified again, and I don't get back name or email address when I request "name email" scope.

    I did find a bug where apparently Apple is ignoring the "scope" parameter after the very first time you authorize an app though, so could be related.
    Portland, Oregon
    3 replies
    Thu, Jun 6, 2019 2:26pm -07:00
  • Wizages - Sam Patzer https://twitter.com/Wizages   •   Jun 6
    So talked with the Apple engineers here at WWDC:
    They don't have that endpoint, they also will not expose user_info or a revocation endpoint. The user_info will only be sent once and only once, then you will only get a unique id again. Only scopes available now are name and email.
    Aaron Parecki
    Brilliant, thanks for the info!

    Have you been able to successfully request name and email scope yet? It wasn't working in my testing.
    Portland, Oregon
    Thu, Jun 6, 2019 2:22pm -07:00
  • mefarazath https://github.com/mefarazath   •   Jun 6

    #1 Having 'scope' parameter in the authorization request seems to cause login failures

    Aaron Parecki
    Thank you! You helped me track down a deeper problem!

    It turns out that you're right, having `scope` in the request causes Apple to return a 500 server error when confirming the login on their site before it redirects back to the app.

    **However**, the really weird part is that Apple apparently completely ignores the `scope` parameter the second time you log in to an app, so there is no error.

    The very first time I logged in to an app while testing this code I didn't include the `scope` parameter, so it worked. Then I added the parameter to see if I could get it to return an email address, and it didn't. It also didn't fail, because I had already logged in once.

    I was having trouble logging in with a new App ID I created, and this is the reason! I just tried removing the scope from my attempt and now I'm able to log in with new App IDs.

    This is very inconsistent behavior by Apple, so I hope they fix it later.
    Portland, Oregon, USA
    Thu, Jun 6, 2019 12:29pm -07:00
  • Tim Ysewyn @ 🇧🇪🏠 https://twitter.com/TYsewyn   •   Jun 6
    Why should the role be in the token if you have the userinfo endpoint? Or why should there even be a (list of) role(s) in the token if it's only a means to have access to an endpoint? 🤔
    Aaron Parecki
    Some people like to use JWTs for access tokens or other self-encoded mechanisms. There are definitely trade-offs.
    Portland, Oregon
    Thu, Jun 6, 2019 12:20pm -07:00
  • https://rhiaro.co.uk/ https://toot.cat/@rhiaro   •   Jun 6

    I once bought into the "if you don't post to your own website you don't have anything valuable to offer on technology" theory but eventually realised there are other things in tech and, shock horror, even the Web, than posting on your own website. I still see it being thrown around as an excuse to dismiss out of hand work that people don't understand immediately and find directly relevant to their specific needs though.

    Posting this on my own website, so it must be true. https://rhiaro.co.uk/2019/06/theory

    Aaron Parecki
    Echoing the rest of that conversation, I think the larger point is the inverse.

    If you *only* post your thoughts about decentralization on platforms that actively work against decentralization and cause real-world harm to people, then maybe it's okay to ignore those thoughts.
    Portland, Oregon
    Thu, Jun 6, 2019 12:17pm -07:00
  • Stephan https://twitter.com/Stephan007   •   Jun 6
    Nice write up! Question: if an authenticated user gets a new/extra role, does the server create a new JWT or is there a way to update the existing token?
    Aaron Parecki
    If your access tokens are just a reference to a record in a database (the hotel key is just a number, and the doors look up access info in a central server), then you can update the roles in the existing token.
    Portland, Oregon
    Thu, Jun 6, 2019 12:13pm -07:00
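To make the hotel-key analogy in the replies above concrete, here is an added example (not code from the post or from any library the page mentions): the same role grant applied to a reference token that the resource server looks up in a central store, and to a self-encoded HS256-signed token whose roles are baked in at issue time. The in-memory store, the signing key and the user names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-signing-key"  # constructed for the example, not a real key

# --- Reference tokens: "the hotel key is just a number" ---
TOKEN_STORE = {}  # token id -> record; stands in for the central database


def issue_reference_token(user, roles):
    token_id = secrets.token_hex(16)  # opaque, carries no information itself
    TOKEN_STORE[token_id] = {"user": user, "roles": set(roles)}
    return token_id


def roles_for_reference_token(token_id):
    # The "door" asks the central server every time, so it always sees current roles.
    record = TOKEN_STORE.get(token_id)
    return set(record["roles"]) if record else None


def grant_role_reference(user, role):
    # Updating the record changes what every existing token for this user grants.
    for record in TOKEN_STORE.values():
        if record["user"] == user:
            record["roles"].add(role)


# --- Self-encoded tokens: "access data encoded into the key card" ---
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_self_encoded_token(user, roles):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user, "roles": sorted(roles)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def roles_for_self_encoded_token(token):
    # The "door" only checks the signature; it never consults a central record,
    # so a role change is invisible until the front desk issues a new card.
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None  # tampered payload or wrong key: reject
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return set(claims["roles"])
```

The trade-off the reply describes shows up directly: the reference token reflects a newly granted role on the next lookup, while the self-encoded token keeps reporting the roles it was issued with until it is reissued.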
  • Stephan https://twitter.com/Stephan007   •   Jun 6
    Nice write up! Question: if an authenticated user gets a new/extra role, does the server create a new JWT or is there a way to update the existing token?
    Aaron Parecki
    The analogy continues... with JWT access tokens, that's like encoding access data into the hotel key card. You'd have to go back to the front desk to get a new card.
    Portland, Oregon
    Thu, Jun 6, 2019 12:12pm -07:00
  • Stephan https://twitter.com/Stephan007   •   Jun 6
    Nice write up! Question: if an authenticated user gets a new/extra role, does the server create a new JWT or is there a way to update the existing token?
    Aaron Parecki
    The answer is it depends on how your access tokens / hotel key cards are implemented!
    Portland, Oregon
    Thu, Jun 6, 2019 12:11pm -07:00
  • Wizages - Sam Patzer https://twitter.com/Wizages   •   Jun 6
    Do you know where you can find the .well-known/openid-configuration on the apple url?
    Do they even use it?
    Aaron Parecki
    I haven't found it yet. I wouldn't be surprised if they just don't have that endpoint.
    Portland, Oregon
    1 like 4 replies
    Thu, Jun 6, 2019 10:46am -07:00
  • Gokul Thirumalai https://twitter.com/gokult   •   Jun 5
    Thanks Alex. Where do you see the biggest gap that will help you push forward?
    Aaron Parecki
    The docs are also wrong in a few places. Happy to provide details via DM or email.
    Portland, Oregon, USA
    Wed, Jun 5, 2019 4:45pm -07:00

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.