Aaron Parecki

  • Jerry Gamblin https://twitter.com/JGamblin   •   May 31
    Ok... what would you call it then?
    Aaron Parecki
    lack of form validation
    Portland, Oregon • 58°F
    1 like
    Sun, May 31, 2020 11:12am -07:00
  • Jerry Gamblin https://twitter.com/JGamblin   •   May 31
    Yep, I realized that after I posted and made a clarifying post in the thread, which you should have seen?
    Aaron Parecki
    I should have replied to that one. It’s barely a logic bug using JWT. I’m writing up more details in a blog post, will post a link shortly.
    Portland, Oregon • 58°F
    2 replies
    Sun, May 31, 2020 11:11am -07:00
  • Jerry Gamblin https://twitter.com/JGamblin   •   May 30
    Interesting JWT vulnerability. https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/
    Aaron Parecki
    This has almost nothing to do with JWTs, or even OpenID Connect for that matter.
    Portland, Oregon • 58°F
    2 likes 4 replies
    Sun, May 31, 2020 11:06am -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    Yes, thank you. I agree that RP should be simple and IdP should be handling the complexity. AFAIU, the OIDC spec is clear about the email_verified attribute.
    Aaron Parecki
    The original post didn’t make this clear, so I’m writing a new post to hopefully better explain the problem. You’ll see that it has nothing to do with OIDC at all. Link coming shortly, I hope.
    Portland, Oregon • 55°F
    2 replies
    Sun, May 31, 2020 9:36am -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    My point is that OIDC has mechanisms to prevent this issue..
    Aaron Parecki
    Please go read it again and understand the problem
    Portland, Oregon • 54°F
    4 replies
    Sun, May 31, 2020 7:32am -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    "email_verified" : "True if the End-User's e-mail address has been verified; otherwise false....."

    https://openid.net/specs/openid-connect-core-1_0.html
    Aaron Parecki
    Go read the writeup again. The original post wasn't the clearest explanation of the problem but I also posted some more details in this thread that make it clearer.
    Portland, Oregon • 54°F
    6 replies
    Sun, May 31, 2020 7:28am -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    "The OpenID Foundation enables deployments of OpenID Connect and the Financial-grade API (FAPI) Read/Write Profile to be certified to specific conformance profiles to promote interoperability among implementations.... "

    https://openid.net/certification/
    Aaron Parecki
    And? Certification wouldn't have caught this bug since it wasn't a problem with the OIDC part of the exchange.
    Portland, Oregon • 54°F
    Sun, May 31, 2020 7:22am -07:00
  • Barbara Schachner https://twitter.com/barschachner   •   May 31
    Fully agree to that 😀

    Just looking also at examples like https://insomniasec.com/blog/auth0-jwt-validation-bypass or https://threatpost.com/microsoft-oauth-flaw-azure-takeover/150737/.
    o/c they are different + very individual, but if already the big players have such issues, how much more can go wrong on RS side where devs are usually not Auth experts.
    Aaron Parecki
    Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers.
    Portland, Oregon • 54°F
    2 likes
    Sun, May 31, 2020 6:43am -07:00
  • Arif Yayalar 💛❤️🦁 https://twitter.com/ayayalar   •   May 30
    @aaronpk little disappointed that you sell pdf/ePub editions of OAuth 2.0 Simplified separately.
    Aaron Parecki
    Yeah it's mainly a technical limitation of the platform we used for publishing it. If you send me a receipt, I'll send you the other format!
    Portland, Oregon • 54°F
    Sun, May 31, 2020 6:05am -07:00
  • Barbara Schachner https://twitter.com/barschachner   •   May 31
    I feel logical bugs around OAuth/OIDC/JWT handling are on the rise - and they are like the login form SQL injections of the past ("be whoever you want to be").
    Love those standards and their capabilities - but are they getting too complicated?
    Aaron Parecki
    Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.
    Portland, Oregon • 54°F
    1 like 12 replies
    Sun, May 31, 2020 5:59am -07:00
  • Aaron Parecki https://aaronparecki.com/   •   May 31
    It's the handler that responds to the "Continue" form post on this screen. Instead of a Boolean, the client sent back the actual email address and the server accepted arbitrary values.
    Aaron Parecki
    Now that I'm writing this out, I realize that the client also sends back the "name" here, intentionally, since the name is user-editable. So I can see how this happened. It's just extremely poor coding practice to essentially also allow the email to be editable here.
    Portland, Oregon • 54°F
    2 likes
    Sun, May 31, 2020 5:45am -07:00
  • Torsten Lodderstedt https://twitter.com/tlodderstedt   •   May 31
    But it’s exposed to the client and did accept arbitrary values, right?
    Aaron Parecki
    It's the handler that responds to the "Continue" form post on this screen. Instead of a Boolean, the client sent back the actual email address and the server accepted arbitrary values.
    Portland, Oregon • 54°F
    1 reply
    Sun, May 31, 2020 5:42am -07:00
  • Torsten Lodderstedt https://twitter.com/tlodderstedt   •   May 31
    But it’s exposed to the client and did accept arbitrary values, right?
    Aaron Parecki
    Yea, it's just not part of the OAuth API. It's more like bad logic on the internal implementation of the AS.
    Portland, Oregon • 54°F
    2 likes 17 replies
    Sun, May 31, 2020 5:39am -07:00
  • Torsten Lodderstedt https://twitter.com/tlodderstedt   •   May 31
    if I understand correctly, the token request accepted an alternative email claim value and used it to override the value on Apple’s IDP. Really?
    Aaron Parecki
    If I'm reading it right it's not the token endpoint, it's their internal API for accepting the request that let the user choose which email to share with the app. So it's a form validation problem.
    Portland, Oregon • 54°F
    22 replies
    Sun, May 31, 2020 5:36am -07:00
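The replies above (the "Continue" form post handler that accepted an arbitrary email string where only a Boolean choice should have crossed the trust boundary, and the later reply calling it a form validation problem in the AS's internal API) describe a pattern that is easier to see in code. The following is an added illustration, not Apple's code and not Aaron Parecki's: a minimal model of such a handler in its weak form beside a hardened form that accepts only a yes/no choice and fills the email from the server-side session. The `Session` record, the handler names and all form payloads are constructed for the example.

```python
"""
Added illustration (not code from the thread or from any real identity
provider): a model of the "Continue" form handler discussed above. The
vulnerable handler copies an email string straight from the form post into
the identity it issues; the hardened handler accepts only a true/false share
decision and looks the email up server-side.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Server-side record of the user who actually signed in (constructed)."""
    user_id: str
    verified_email: str   # the address the IdP has verified for this user
    relay_email: str      # a privacy relay address the IdP generated for this app


class FormValidationError(ValueError):
    """Raised when the form post carries a value the handler must not accept."""


def vulnerable_continue_handler(session: Session, form: dict) -> dict:
    """The pattern the thread describes: 'name' is intentionally user-editable,
    and the same code path also lets the client post an 'email', which is
    copied into the claims without being checked against the session."""
    return {
        "sub": session.user_id,
        "name": form.get("name", ""),
        "email": form.get("email", session.verified_email),
        "email_verified": True,   # asserted regardless of where the value came from
    }


def hardened_continue_handler(session: Session, form: dict) -> dict:
    """Only a Boolean choice crosses the trust boundary. The email value itself
    is taken from the server-side session, so the client cannot choose it."""
    # The form must not carry an email at all; reject rather than ignore it.
    if "email" in form:
        raise FormValidationError("email is not a client-editable field")
    # Accept only an explicit true/false for the share decision.
    share = form.get("share_email")
    if share not in ("true", "false"):
        raise FormValidationError("share_email must be 'true' or 'false'")
    # 'name' stays user-editable, as the thread notes it intentionally is,
    # but it is still type- and length-checked like any other form field.
    name = form.get("name", "")
    if not isinstance(name, str) or len(name) > 256:
        raise FormValidationError("name must be a string of at most 256 characters")
    email = session.verified_email if share == "true" else session.relay_email
    return {
        "sub": session.user_id,
        "name": name,
        "email": email,
        "email_verified": True,   # true because the value came from the IdP's own record
    }


# Constructed sample data for a stand-alone run.
EXAMPLE_SESSION = Session("user-123", "alice@example.com", "abc123@relay.example")
TAMPERED_FORM = {"name": "Alice", "email": "someone-else@example.com"}


def run_example() -> dict:
    """Return what each handler does with the same tampered form post."""
    weak = vulnerable_continue_handler(EXAMPLE_SESSION, TAMPERED_FORM)
    try:
        hardened_continue_handler(EXAMPLE_SESSION, TAMPERED_FORM)
        rejected = False
    except FormValidationError:
        rejected = True
    shared = hardened_continue_handler(EXAMPLE_SESSION, {"name": "Alice", "share_email": "true"})
    hidden = hardened_continue_handler(EXAMPLE_SESSION, {"name": "Alice", "share_email": "false"})
    return {
        "weak_email": weak["email"],
        "hardened_rejects_tampered_form": rejected,
        "shared_email": shared["email"],
        "hidden_email": hidden["email"],
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The design point matches the thread: the client's only legitimate input is the share decision (and the editable display name), so the handler's schema should have no place for an email string. Rejecting an unexpected `email` field outright, rather than silently dropping it, also gives the server a log-worthy signal that someone is posting fields the form never offered.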
  • Josh Long (龙之春, जोश, Джош Лонг, جوش لونق) https://twitter.com/starbuxman   •   May 31
    2020 has been a bumpy ride over here in America.

    * a global pandemic killing 100,000+ Americans? Check.
    * race-wars spilling into the streets? Check.

    And it's not even June.
    Aaron Parecki
    Don't worry, there's still time for the earthquake
    Portland, Oregon • 54°F
    Sat, May 30, 2020 11:51pm -07:00
  • Adam Avenir https://twitter.com/adamavenir   •   May 31
    Still *somehow* I’m hopeful that the 2030s will be better than we can ever imagine them right now. Lots of pain between now and then and lots more work to be done.
    Aaron Parecki
    Not even 6 months into the 2020s and we've already written off the entire decade 😂😭 is that the point we're at right now
    Portland, Oregon • 54°F
    1 like
    Sat, May 30, 2020 10:34pm -07:00
  • sonicrocketman https://pine.blog/u/sonicrocketman   •   May 30
    Oh Aaron! It is done!
    Aaron Parecki
    oh awesome!!
    Portland, Oregon • 63°F
    1 reply
    Sat, May 30, 2020 2:03pm -07:00
  • Steve Ivy   •   May 30
    Calling all blog/CMS nerds: many of our systems have an idea of a "day" worth of content: archives, daily digests, etc. My question is: what defines the current "day"? Is it from my perspective as the author? The reader's? What about email digests?
    Aaron Parecki
    I've decided a "day" is my day, local time. That means if I travel to another timezone, the day might change in weird ways. You can see some of the side effects of this on my day archive pages when I've traveled across the date line. Some days are super long, others have almost no posts.
    Portland, Oregon • 65°F
    Sat, May 30, 2020 1:48pm -07:00
  • Ben Werdmuller https://twitter.com/benwerd   •   May 30
    Oh I’m sorted for the non “e” whisky - got a Lagavulin 16 I’m slowly working through. Thank you for the recommendation! Will try Fighting Cock!
    Aaron Parecki
    Caveat: I mainly use fighting cock in mixed drinks. It's not that great on its own.
    Portland, Oregon • 66°F
    1 like
    Fri, May 29, 2020 10:49pm -07:00
  • Ben Werdmuller https://twitter.com/benwerd   •   May 30
    Recommend me a bourbon? (Not Bulleit.)

    I've been drinking Kings County Distillery straight bourbon, which has been lovely to drink over ice or in cocktails. I'd gladly buy it again. But what else do you think is fantastic?
    Aaron Parecki
    Cheap but good: Fighting Cock
    Good but not too expensive: Macallan 12 Year
    Portland, Oregon • 66°F
    1 like 1 reply
    Fri, May 29, 2020 10:27pm -07:00
Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.