Aaron Parecki

  • Anders Pitman https://twitter.com/anderspitman   •   Jan 23
    I'm imagining a world where email servers handle identity, and authorization servers handle delegation, after confirming ownership over the email identity.
    Aaron Parecki
    While that sounds nice in theory, the real world is more complicated. Apple's OAuth server is a great example. User IDs are scoped to the app to prevent cross correlation, and the app gets a proxy email instead of the user's real email. Users don't always want to be identified.
    Portland, Oregon • 48°F
    Wed, Jan 22, 2020 4:33pm -08:00
  • Anders Pitman https://twitter.com/anderspitman   •   Jan 23
    Don't get me wrong, I think URLs for client IDs is a great idea, which I intend to use. I'm just less sold on URLs for user IDs. Everyone already has email addresses, and they also come with a relatively reliable protocol for contacting the owner.
    Aaron Parecki
    I was trying to say feel free to pick and choose and use just the client ID part. I think that'd be a huge benefit for OAuth as a whole for the exact kind of use case you're talking about.
    Portland, Oregon • 48°F
    1 like
    Wed, Jan 22, 2020 4:29pm -08:00
  • Anders Pitman https://twitter.com/anderspitman   •   Jan 23
    Ahhh that's what IndieAuth is. I was reading up on it, but didn't see any information about the spec on the website. I think my main hesitance towards it is the use of domains. I just don't see the average user buying their own domain. Emails seem more realistic for unique IDs.
    Aaron Parecki
    Doesn't have to be a top level domain, just a URL. Both users and apps are identified by URLs.

    I do think there's value in just client IDs being URLs in some cases, demonstrated by the fact that Home Assistant picked out just that part of the spec for their OAuth API.
    Portland, Oregon • 48°F
    5 replies
    Wed, Jan 22, 2020 4:21pm -08:00
  • Anders Pitman https://twitter.com/anderspitman   •   Jan 22
    have their own custom domain for their instance, hosting an auth server. If someone wants to develop an app to talk to my service, they would have to register it with the instance of every user, which is impossible. Am I missing something? 2/2
    Aaron Parecki
    You're not wrong.

    You may want to give this a read, which addresses that exact problem: https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web

    We use this a lot for the case you're talking about, where app developers have no relationship with the OAuth service the app is talking to.
    Portland, Oregon, USA
    1 like 1 reply
    Wed, Jan 22, 2020 3:18pm -08:00
  • nystudio107 https://twitter.com/nystudio107   •   Jan 22
    Ironically, I have no microformat code on the site. It's pulling that from the JSON-LD "sameAs" URLs, I presume.
    Aaron Parecki
    Microformats != Microdata

    https://microformats.io

    tbh I also can't stand the itemprop= itemscope= stuff, it's so messy. That's why I like the Microformats approach instead.
    Portland, Oregon • 46°F
    Wed, Jan 22, 2020 9:17am -08:00
  • Chris Ferdinandi ⚓️ https://twitter.com/ChrisFerdinandi   •   Jan 22
    "Do what Google says" means we should all build shitty AMP sites, too.
    Aaron Parecki
    a perfect example 😂
    Portland, Oregon • 46°F
    Wed, Jan 22, 2020 9:10am -08:00
  • nystudio107 https://twitter.com/nystudio107   •   Jan 22
    Correct, but spun off as a neutral standard, as has happened for many of the technologies that we're using today.

    Regardless, Google is consuming only JSON-LD going forward for some types of structured data, so it'll end up being a choice you have to make at some point.
    Aaron Parecki
    Like I said already, only if you care about SEO. If SEO is your goal, you do what Google says. There's plenty of uses of structured data outside of that (including the tools that I use to read and post to Twitter) which are easier done using Microformats
    Portland, Oregon • 45°F
    2 likes
    Wed, Jan 22, 2020 8:58am -08:00
  • nystudio107 https://twitter.com/nystudio107   •   Jan 22
    This implies http://schema.org is invented by Google; it isn't.

    "Since April 2015, the W3C http://Schema.org Community Group is the main forum for schema collaboration, and provides the public-schemaorg@w3.org mailing list for discussions."

    http://schema.org/docs/about.html
    Aaron Parecki
    Literally on http://schema.org... "Founded by Google, Microsoft, Yahoo and Yandex..." and look at the names on their about page too. Even if it's not created exclusively by them (which I never said), that looks an awful lot like an oligopoly to me anyway.
    Portland, Oregon • 45°F
    2 replies
    Wed, Jan 22, 2020 8:54am -08:00
  • Aaron Bradley https://twitter.com/aaranged   •   Jan 22
    What Google says. And Bing. And Yahoo. And Yandex.

    But if all you care about is SEO by all means use what you perceive as the flavor of the day. But if you also care about a robust, developer-friendly, serialization format for linked data then JSON-LD is there for you.
    Aaron Parecki
    Frankly "linked data" is not a priority for me. There's plenty of useful structured data that is not LD, and tbh most developers who use JSON-LD don't even know about the LD part, they just copy the examples and wonder why they have "@context" everywhere
    Portland, Oregon • 46°F
    Wed, Jan 22, 2020 8:43am -08:00
  • nystudio107 https://twitter.com/nystudio107   •   Jan 22
    Unless I'm missing something, this chart is lacking 2017, 2018, 2019, as well as 2020. Google is strongly recommending JSON-LD usage today, and has been since 2016-ish.

    And there are a number of rich snippets that _only_ work as JSON-LD.

    https://developers.google.com/search/docs/guides/intro-structured-data
    Aaron Parecki
    Yes, read the linked post, it's from 2016
    Portland, Oregon • 46°F
    4 replies
    Wed, Jan 22, 2020 8:41am -08:00
  • Aaron Bradley https://twitter.com/aaranged   •   Jan 22
    I know that you're a huge microformats fan Kevin, but among other things: 1) they're not remotely expressive enough for contemporary structured data requirements; 2) they're HTML-bound, meaning you can't provide data like this https://developers.google.com/actions/media/how-to/create-a-feed
    Aaron Parecki
    If all you care about is SEO then do whatever Google says to do this year and you're fine. Today that's JSON-LD, tomorrow it's ???? I need to update this chart for 2020 but as we see, history keeps repeating itself. https://aaronparecki.com/2016/12/17/8/owning-my-reviews#historical-recommendations
    Portland, Oregon, USA
    1 like 2 reposts 4 replies
    Wed, Jan 22, 2020 8:35am -08:00
  • Aaron Bradley https://twitter.com/aaranged   •   Jan 22
    I know that you're a huge microformats fan Kevin, but among other things: 1) they're not remotely expressive enough for contemporary structured data requirements; 2) they're HTML-bound, meaning you can't provide data like this https://developers.google.com/actions/media/how-to/create-a-feed
    Aaron Parecki
    You might be surprised what you can do with Microformats...

    https://aaronparecki.com/2018/03/12/17/building-an-indieweb-reader

    Even this tweet originated from my own website using tools built on Microformats.
    Portland, Oregon • 46°F
    3 likes 2 reposts 1 reply
    Wed, Jan 22, 2020 8:31am -08:00
  • K. Mike Merrill https://twitter.com/kmikeym   •   Jan 22
    Like Netflix I also use my own private internal measurement that I only occasionally release for stats and yesterday I had 87,000,000,000 views on my website. https://buff.ly/30HVBXk
    Aaron Parecki
    the guy that runs your website must be really good
    Portland, Oregon • 45°F
    1 like
    Wed, Jan 22, 2020 7:10am -08:00
  • Henrique Dias https://hacdias.com/   •   Jan 22

    Hey Aaron! What software/library are you using to generate those maps with your location? Can they be considered heat maps? And what about the animated video?

    Aaron Parecki
    It's all a giant pile of PHP code I wrote ages ago, it's not even map-projection-aware it just plots on a 2D canvas. The animation is basically a timelapse of a bunch of frames of that same script played in a row.
    Portland, Oregon • 45°F
    1 reply
    Wed, Jan 22, 2020 5:25am -08:00
  • Dave Maze https://twitter.com/davemaze   •   Jan 21
    nice! i’m sure you learn stuff from work that you can utilize for your personal.
    Aaron Parecki
    so far it's been mostly the other way around, but mainly because I did a big push on my personal channel while on PTO in December 😄 which paid off cause I went from 200 to 1500 subscribers in like 7 weeks 🎉
    Portland, Oregon • 47°F
    Tue, Jan 21, 2020 4:02pm -08:00
  • Anders Pitman https://twitter.com/anderspitman   •   Jan 21
    What do you think would be fragile about my approach? Giving the client control over the random value?
    Aaron Parecki
    by "fragile" I mean things like vulnerable to popup blockers, popups are bad UX on mobile browsers, etc.
    Portland, Oregon • 47°F
    Tue, Jan 21, 2020 3:59pm -08:00
  • Anders Pitman https://twitter.com/anderspitman   •   Jan 21
    That's interesting. After a quick review, it does seem pretty similar. Why the timeout polling instead of long polling? Does the spec dictate what back-channel you send the user to?
    Aaron Parecki
    The spec has a way the AS can provide a URL that the user should visit to the app. So the app has to get the user to that URL somehow, doesn't matter how, and doesn't matter what that URL is.
    Portland, Oregon • 47°F
    1 reply
    Tue, Jan 21, 2020 3:58pm -08:00
  • Anders Pitman https://twitter.com/anderspitman   •   Jan 21
    Why not open a new tab for interacting with the auth server, while simultaneously opening a back channel request in the original session? Once the user has authenticated/authorized from the new tab, the back channel request would resolve. 2/
    Aaron Parecki
    There's also a new draft, Pushed Authorization Requests, which moves a bunch of the fragile bits out of the front channel. Similar but slightly different goal. https://tools.ietf.org/id/draft-lodderstedt-oauth-par-00.html
    Portland, Oregon, USA
    Tue, Jan 21, 2020 11:05am -08:00
  • Anders Pitman https://twitter.com/anderspitman   •   Jan 21
    Why not open a new tab for interacting with the auth server, while simultaneously opening a back channel request in the original session? Once the user has authenticated/authorized from the new tab, the back channel request would resolve. 2/
    Aaron Parecki
    That's basically what the Device Flow is, except manual. You certainly could do that. I suspect it would be fragile at best though, and wouldn't work well in mobile browsers.
    Portland, Oregon, USA
    4 replies
    Tue, Jan 21, 2020 11:04am -08:00
  • Jamie Tanna https://www.jvt.me   •   Jan 21

    PHP in 2020

    Aaron Parecki
    That is a really good summary! I learned a few things, I haven't really used any of the new features in 7.3+!
    Portland, Oregon • 45°F
    Tue, Jan 21, 2020 8:51am -08:00
Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.