Aaron Parecki

  • Thorbjørn Ellefsen https://twitter.com/sciencedefence   •   Nov 24
    @Luludotcom I guess you will not provide me with the download link to my purchase of @aaronpk book OAuth 2.0 simplified. Hope you spend my money well.
    Aaron Parecki
    What's wrong? Did something go wrong with the checkout process? I can try to take a look.
    Portland, Oregon • 48°F
    5 replies
    Tue, Nov 24, 2020 1:00pm -08:00
  • Peter Holz https://twitter.com/nu4ur   •   Nov 24
    Hi @aaronpk, what credentials should the RS use for the token introspection with the AS? These Okta blog posts on the CC flow all seem to use the client credentials. But isn't this bad?

    https://developer.okta.com/blog/2020/11/18/build-a-graphql-nodejs-api
    https://developer.okta.com/blog/2020/07/17/secure-node-api-with-koa
    https://developer.okta.com/blog/2018/08/21/build-secure-rest-api-with-node
    Aaron Parecki
    Usually you'll create a new set of client credentials that represents the resource server, since the OAuth client shouldn't be introspecting tokens. There isn't really any other form of authentication for the API so it's kind of an overloading of the term "client credentials"
    Portland, Oregon • 48°F
    1 like
    Tue, Nov 24, 2020 12:38pm -08:00
  • Keith Bennett https://twitter.com/keith51032020   •   Nov 24
    That's so early..... Do I get a sneak peek before it's I read your mind?
    Aaron Parecki
    I don't think I can do that with a scheduled video unfortunately!
    Portland, Oregon • 45°F
    Mon, Nov 23, 2020 7:03pm -08:00
  • Keith Bennett https://twitter.com/keith51032020   •   Nov 24
    @aaronpk Any new thoughts now on the YoloBox video switcher? Since ATEM ISO? Have a friend asking.
    Aaron Parecki
    Funny you should ask... I literally just finished editing a video about it, it'll be live at 6:15am pacific tomorrow!
    Portland, Oregon • 46°F
    3 replies
    Mon, Nov 23, 2020 6:54pm -08:00
  • Grégoire Gaonach 🌻🇪🇺 https://twitter.com/GregoireGaonach   •   Nov 23
    @aaronpk Hi Aaron! Thank you very much for your work on your youtube channel. I have a question for you :

    What are your thoughts on PTZ cameras for live stream?
    Aaron Parecki
    Thanks! I haven't actually used any of my own because they're just so expensive. I've used some when doing gigs at a venue that has them installed. The picture off them leaves something to be desired too, but maybe they've gotten better now.
    Portland, Oregon • 45°F
    1 like 1 reply
    Mon, Nov 23, 2020 8:23am -08:00
  • ˗ˏˋ Doug Belshaw ˎˊ˗ 🇪🇺☠️✊: https://fosstodon.org/@dajbelshaw   •   Nov 22

    @aaronpk That's amazing, but firmly in the realms of WHY?! for most people

    Aaron Parecki
    fair, but so is Mastodon
    Portland, Oregon • 43°F
    1 reply
    Sun, Nov 22, 2020 11:39am -08:00
  • ˗ˏˋ Doug Belshaw ˎˊ˗ 🇪🇺☠️✊: https://fosstodon.org/@dajbelshaw   •   Nov 22

    @petermolnar Commenting on someone else's website by logging into your own site is barely intuitive for *me* never mind anyone else.

    As I've said before, it feels like a bunch of guys in their 40s and 50s trying to rewind time.

    Actually, this conversation has solidified my position, so thanks! 😅

    Aaron Parecki
    Check out my "social readers" demos and talks. I'm commenting on this post using an interface that looks a lot like Twitter/Mastodon, except it results in creating a post on my website. It's actually very similar to how Mastodon works. https://indieweb.org/social_reader
    Portland, Oregon • 43°F
    1 like 1 reply
    Sun, Nov 22, 2020 11:26am -08:00
  • ariel https://bsd.network/@ariel   •   Nov 21

    @aaronpk
    If you're in the USA, sign up for the USPS's Informed Delivery too. They show you pictures of the mail you're about to get.

    Aaron Parecki
    Yeah I have that too, it's great!
    Portland, Oregon • 38°F
    Sat, Nov 21, 2020 6:31am -08:00
  • Simon Willison https://twitter.com/simonw   •   Nov 19
    This seems to contradict the spec - https://github.com/simonw/datasette-indieauth/issues/21#issuecomment-730485391
    Aaron Parecki
    That's for the final profile URL. The user can enter something different at the start, and if that contains a username component then the trick works.
    Portland, Oregon • 46°F
    Thu, Nov 19, 2020 8:25am -08:00
  • Blaine Cook https://twitter.com/blaine   •   Nov 19
    I don't agree that it's completely glossed over - there is a registration protocol, it's just not widely implemented. The intent could be better stated, for sure, but I think IA's emphasis is too far the other way. My ideal is something in-between IndieAuth and OIDC, I think! 😊
    Aaron Parecki
    take a look at my activitypub conference talk, starting at 11:50, I address the UX aspect of it here: https://aaronparecki.com/2020/09/22/25/activitypub-oauth-2-1#t=710

    also happy to set up a time to chat about this instead! I think we have a lot of similar goals!
    Portland, Oregon • 47°F
    2 likes
    Wed, Nov 18, 2020 10:26pm -08:00
  • Blaine Cook https://twitter.com/blaine   •   Nov 19
    My goal is to enable secure, simple federated identity. Authentication is a core bit of functionality in that regard. Obviously supporting non-corporate identities is critical, but forcing everyone to be 'indie' is a mistake, I think.
    Aaron Parecki
    nobody said "force". my goal is to *enable* indie identities, something that is pretty much completely glossed over by the current OIDC ecosystem.
    Portland, Oregon • 47°F
    1 like 1 reply
    Wed, Nov 18, 2020 10:17pm -08:00
  • Mugwump https://twitter.com/ozaed   •   Nov 19
    I have used DNSSEC for 6+ years, while I have seen many auth protocols come and go. And 'IndieAuth' I first heard of today.
    Aaron Parecki
    ah yes, the "this is the first I've heard about it" argument sure is a solid one
    Portland, Oregon • 47°F
    Wed, Nov 18, 2020 10:15pm -08:00
  • bradfitz https://twitter.com/bradfitz   •   Nov 18
    I literally just sprayed coffee all over my monitor at your comment. Took the wrong moment to have a sip.
    Aaron Parecki
    I appreciate the commitment to prove this with a photo and am also very curious about what's in your bookmark toolbar and open tabs
    Portland, Oregon • 46°F
    1 like
    Wed, Nov 18, 2020 9:33pm -08:00
  • patrick. https://twitter.com/imPatrickT   •   Nov 18
    yup and loading from Lock Screen is a deal breaker for me.
    Aaron Parecki
    *deal maker. agreed.
    Portland, Oregon • 46°F
    1 like
    Wed, Nov 18, 2020 8:34pm -08:00
  • Deity Microphones 🎙️ https://twitter.com/deitymicrophone   •   Nov 18
    Seems like YouTube is changing their service terms AGAIN.... It's that second bullet point that should be interesting...

    What are your thoughts on the new changes to the YouTube platform?
    Aaron Parecki
    I always assumed that was already the case. Is it not?
    Portland, Oregon • 46°F
    2 likes
    Wed, Nov 18, 2020 8:33pm -08:00
  • Blaine Cook https://twitter.com/blaine   •   Nov 19
    😢 @aaronpk knows my stance on this well - domain-based auth is exclusionary and confusing to users. IndieAuth should just use email addresses, even if it doesn't use webfinger and just does s/@([^.*]\..*$/\1/ with the address.
    Aaron Parecki
    Email addresses *are* domain-based auth. I think you’re conflating two different parts of the system. In IndieAuth, the canonical user identifier doesn’t have to be the thing the user enters in a login prompt. This is also true for almost every other authentication system.
    Portland, Oregon • 45°F
    1 reply
    Wed, Nov 18, 2020 8:28pm -08:00
  • Simon Willison https://twitter.com/simonw   •   Nov 19
    Thanks, filed an issue https://github.com/simonw/datasette-indieauth/issues/21
    Aaron Parecki
    To be clear, I’m not sure this is a *good* idea, and it also requires a bit of code running at the web server of the root domain, but it does work.
    Portland, Oregon • 45°F
    3 replies
    Wed, Nov 18, 2020 8:25pm -08:00
  • Aaron Parecki https://aaronparecki.com/   •   Nov 18
    I’ll admit it’s a bit of a “hack”. The trick is “aaron@parecki.com” is a URL because if you assume the http scheme then you get http://aaron@parecki.com which is a username but no password with HTTP basic auth. The server can switch what it returns based on that username.
    Aaron Parecki
    As a client developer you have to: 1) follow the spec by assuming “http” if no scheme is entered, and 2) allow the user-entered URL to contain a username component.
    Portland, Oregon • 45°F
    5 replies
    Wed, Nov 18, 2020 8:21pm -08:00
  • Simon Willison https://twitter.com/simonw   •   Nov 19
    I thought that was valid with RelMeAuth but not IndieAuth - how can I get that working as an IndieAuth client?
    Aaron Parecki
    I’ll admit it’s a bit of a “hack”. The trick is “aaron@parecki.com” is a URL because if you assume the http scheme then you get http://aaron@parecki.com which is a username but no password with HTTP basic auth. The server can switch what it returns based on that username.
    Portland, Oregon • 45°F
    1 reply
    Wed, Nov 18, 2020 8:20pm -08:00
  • Blaine Cook https://twitter.com/blaine   •   Nov 19
    In the meantime, IndieAuth is, imho, a step backwards. OAuth/OIDC sign-in with login_hint works *great*; the lack of auto-/no-registration / a public key version is a real bummer, though.
    Aaron Parecki
    This one I’m really confused on, and we should probably chat about it to clear things up. IMO OIDC is more of a barrier here because the default is that clients need to register. With IndieAuth there is no expectation of client registration at all.
    Portland, Oregon • 45°F
    1 reply
    Wed, Nov 18, 2020 8:18pm -08:00
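
The two client steps from the Nov 18 reply above (assume "http" when no scheme is entered, and allow the user-entered URL to contain a username component), as an added example that is not code from the original posts or from any IndieAuth library. The function names, the refusal of a password component, and sending the username as a Basic auth header with an empty password are assumptions of this example.

```python
import base64
from urllib.parse import unquote, urlsplit, urlunsplit


def prepare_discovery_request(entered: str) -> dict:
    """Map user-entered login text to a discovery URL plus optional Basic auth."""
    text = entered.strip()
    # Step 1 from the reply: assume "http" when no scheme was entered.
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("expected an http(s) URL with a host")
    # Assumption of this example: a password typed into a login box is refused.
    if parts.password is not None:
        raise ValueError("password component not allowed")

    # Rebuild the authority without userinfo; the username travels in a header.
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    url = urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))

    # Step 2 from the reply: keep the username, sent as Basic auth, no password.
    headers = {}
    username = unquote(parts.username) if parts.username else None
    if username:
        if ":" in username:
            raise ValueError("Basic auth user-id cannot contain ':'")
        token = base64.b64encode(f"{username}:".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {token}"
    return {"url": url, "username": username, "headers": headers}


def is_final_profile_url(url: str) -> bool:
    """The no-username rule applies to the final profile URL, not the typed input."""
    parts = urlsplit(url)
    return (parts.scheme in ("http", "https") and bool(parts.hostname)
            and parts.username is None and parts.password is None)


if __name__ == "__main__":
    # Constructed sample inputs, including the address quoted in the thread.
    for sample in ("aaron@parecki.com", "parecki.com", "https://aaronparecki.com/"):
        print(sample, "->", prepare_discovery_request(sample))
```
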

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming.

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.