Aaron Parecki

lack of form validation

I should have replied to that one. It’s barely a logic bug using JWT. I’m writing up more details in a blog post, will post a link shortly.

This has almost nothing to do with JWTs, or even OpenID Connect for that matter.

The original post didn’t make this clear, so I’m writing a new post to hopefully better explain the problem. You’ll see that it has nothing to do with OIDC at all. Link coming shortly, I hope.

Please go read it again and understand the problem

Go read the writeup again. The original post wasn't the clearest explanation of the problem but I also posted some more details in this thread that make it clearer.

And? certification wouldn't have caught this bug since it wasn't a problem with the OIDC part of the exchange.

Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers.

Yeah it's mainly a technical limitation of the platform we used for publishing it. If you send me a receipt, I'll send you the other format!

Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.

Now that I'm writing this out, I realize that the client also sends back the "name" here, intentionally, since the name is user-editable. So I can see how this happened. It's just extremely poor coding practice to essentially also allow the email to be editable here.

It's the handler that responds to the "Continue" form post on this screen. Instead of a Boolean, the client sent back the actual email address and the server accepted arbitrary values.

Yea, it's just not part of the OAuth API. It's more like bad logic on the internal implementation of the AS.

If I'm reading it right it's not the token endpoint, it's their internal API for accepting the request that let the user choose which email to share with the app. So it's a form validation problem.

Don't worry, there's still time for the earthquake

Not even 6 months into the 2020s and we've already written off the entire decade 😂😭 is that the point we're at right now

oh awesome!!

I've decided a "day" is my day, local time. That means if I travel to another timezone, the day might change in weird ways. You can see some of the side effects of this on my day archive pages when I've traveled across the date line. Some days are super long, others have almost no posts.

Caveat: I mainly use fighting cock in mixed drinks. It's not that great on its own.

Cheap but good: Fighting Cock
Good but not too expensive: Macallan 12 Year