Aaron Parecki

  • Serge Jespers https://twitter.com/sjespers   •   Jun 2
    @aaronpk Hi Aaron! Thanks for the stream today. I believe you mentioned a Raspberry Pi Hyperdeck clone. Do you have a link to that? Would love to check it out.
    Aaron Parecki
    Thanks! It's still in the works, but I'll definitely feature it on my stream when it's announced!
    Portland, Oregon • 68°F
    1 reply
    Tue, Jun 2, 2020 12:00pm -07:00
  • Nat Sakimura https://twitter.com/_nat_en   •   Jun 2
    And so did Verified / Verifiable Credentials specs. ** sigh **
    Aaron Parecki
    It's almost like they learned nothing from the mess of XML-based protocols
    Portland, Oregon • 60°F
    Tue, Jun 2, 2020 9:44am -07:00
  • Jonathan LaCour https://cleverdevil.io/profile/cleverdevil   •   Jun 2
    My response to a Facebook recruiter just now on LinkedIn: https://cleverdevil.io/s/bZXT004j0p4BMivNTTdQOQKVdCZqXkYQQf0XYzmNhWFOFmD3BsYRub443wNYXSIXovCwtlvN6Pd...
    Aaron Parecki
    🔥🔥🔥
    Portland, Oregon • 71°F
    Mon, Jun 1, 2020 5:09pm -07:00
  • Gary https://twitter.com/every_daydad   •   Jun 1
    Things I would miss dearly from MacOS if I did this.

    FCPX
    Screen shots
    Screen recording
    The Email App
    The Calendar App
    iMessage
    Aaron Parecki
    As someone who decided to switch to Windows just for video editing, I agree with this list.

    Except for: screen shots, there's a print screen button!

    iMessage and Airdrop mean so many more hoops to get stuff from my phone to my laptop
    Portland, Oregon • 70°F
    1 like
    Mon, Jun 1, 2020 3:19pm -07:00
  • Not Fake Adam Kalsey https://twitter.com/akalsey   •   Jun 1
    One of my old security teachers had a saying: treat everything you get from the client as toxic. Assume it’s false, malicious, and unsanitary until you can prove that it is not.
    Aaron Parecki
    seriously! It's like one of the first things you learn when developing web apps. It's an embarrassing oversight frankly.
    Portland, Oregon • 68°F
    Mon, Jun 1, 2020 2:30pm -07:00
  • Sebastian https://twitter.com/sebmck   •   Jun 1
    If you are a Facebook employee organizing collective action, do not use corporate laptops, phones, or apps! This includes Work Chat, Messenger, and WhatsApp. Communication between employees is not privileged. You signed this away in your employment contract.
    Aaron Parecki
    holy crap, that even applies to using personal devices on company property.

    which I guess isn't that significant right now but still.
    Portland, Oregon • 67°F
    4 likes
    Mon, Jun 1, 2020 1:32pm -07:00
  • Tristan 🌦 https://twitter.com/twaddington   •   Jun 1
    I've been getting the weirdest Twitter ads today.
    Aaron Parecki
    Same, and some of them are from really suspicious looking Twitter accounts. I haven't clicked, but I'm wondering if the sites they promote are some sort of tracking network. Kinda want to dig into this now.
    Portland, Oregon • 67°F
    1 like
    Mon, Jun 1, 2020 1:26pm -07:00
  • nov matake https://twitter.com/nov   •   Jun 1
    "The email address however, should only be toggled between the user’s real address or the generated proxy address."

    No, a user can have multiple "real addresses" in Apple world.
    Aaron Parecki
    That's true, I noticed I have multiple me.com addresses on my account when I was making the screenshots and forgot to update this text to match. Still, the point is the same.
    Portland, Oregon • 56°F
    1 like
    Mon, Jun 1, 2020 9:38am -07:00
  • Jerry Gamblin https://twitter.com/JGamblin   •   May 31
    Ok... what would you call it then?
    Aaron Parecki
    Posted a full writeup with a lot more details: https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day
    Portland, Oregon • 61°F
    1 like 1 repost
    Sun, May 31, 2020 1:50pm -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    Thanks, that will be greatly appreciated. If you could also include the sample id_token in the post, it would help to clarify some doubts.
    Aaron Parecki
    Alright, it's up! https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day
    Portland, Oregon • 61°F
    2 likes 1 repost
    Sun, May 31, 2020 1:50pm -07:00
  • Jerry Gamblin https://twitter.com/JGamblin   •   May 31
    Ok... what would you call it then?
    Aaron Parecki
    lack of form validation
    Portland, Oregon • 58°F
    1 like
    Sun, May 31, 2020 11:12am -07:00
  • Jerry Gamblin https://twitter.com/JGamblin   •   May 31
    Yep, I realized that after I posted and made a clarifying post in the thread, which you should have seen?
    Aaron Parecki
    I should have replied to that one. It’s barely a logic bug using JWT. I’m writing up more details in a blog post, will post a link shortly.
    Portland, Oregon • 58°F
    2 replies
    Sun, May 31, 2020 11:11am -07:00
  • Jerry Gamblin https://twitter.com/JGamblin   •   May 30
    Interesting JWT vulnerability. https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/
    Aaron Parecki
    This has almost nothing to do with JWTs, or even OpenID Connect for that matter.
    Portland, Oregon • 58°F
    2 likes 4 replies
    Sun, May 31, 2020 11:06am -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    Yes, thank you. I agree that RP should be simple and IdP should be handling the complexity. AFAIU, the OIDC spec is clear about the email_verified attribute.
    Aaron Parecki
    The original post didn’t make this clear, so I’m writing a new post to hopefully better explain the problem. You’ll see that it has nothing to do with OIDC at all. Link coming shortly, I hope.
    Portland, Oregon • 55°F
    2 replies
    Sun, May 31, 2020 9:36am -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    My point is that OIDC has mechanisms to prevent this issue.
    Aaron Parecki
    Please go read it again and understand the problem
    Portland, Oregon • 54°F
    4 replies
    Sun, May 31, 2020 7:32am -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    "email_verified" : "True if the End-User's e-mail address has been verified; otherwise false....."

    https://openid.net/specs/openid-connect-core-1_0.html
    Aaron Parecki
    Go read the writeup again. The original post wasn't the clearest explanation of the problem but I also posted some more details in this thread that make it clearer.
    Portland, Oregon • 54°F
    6 replies
    Sun, May 31, 2020 7:28am -07:00
  • Vinod Anandan https://twitter.com/_VinodAnandan   •   May 31
    "The OpenID Foundation enables deployments of OpenID Connect and the Financial-grade API (FAPI) Read/Write Profile to be certified to specific conformance profiles to promote interoperability among implementations.... "

    https://openid.net/certification/
    Aaron Parecki
    And? certification wouldn't have caught this bug since it wasn't a problem with the OIDC part of the exchange.
    Portland, Oregon • 54°F
    Sun, May 31, 2020 7:22am -07:00
  • Barbara Schachner https://twitter.com/barschachner   •   May 31
    Fully agree to that 😀

    Just looking also at examples like https://insomniasec.com/blog/auth0-jwt-validation-bypass or https://threatpost.com/microsoft-oauth-flaw-azure-takeover/150737/.
    o/c they are different + very individual, but if already the big players have such issues, how much more can go wrong on RS side where devs are usually not Auth experts.
    Aaron Parecki
    Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers.
    Portland, Oregon • 54°F
    2 likes
    Sun, May 31, 2020 6:43am -07:00
  • Arif Yayalar 💛❤️🦁 https://twitter.com/ayayalar   •   May 30
    @aaronpk little disappointed that you sell pdf/ePub editions of OAuth 2.0 Simplified separately.
    Aaron Parecki
    Yeah it's mainly a technical limitation of the platform we used for publishing it. If you send me a receipt, I'll send you the other format!
    Portland, Oregon • 54°F
    Sun, May 31, 2020 6:05am -07:00
  • Barbara Schachner https://twitter.com/barschachner   •   May 31
    I feel logical bugs around OAuth/OIDC/JWT handling are on the rise - and they are like the login form SQL injections of the past ("be whoever you want to be").
    Love those standards and their capabilities - but are they getting too complicated?
    Aaron Parecki
    Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.
    Portland, Oregon • 54°F
    1 like 12 replies
    Sun, May 31, 2020 5:59am -07:00
Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.