Aaron Parecki

@aaronpk hey ! I'm reading your OAuth book right now and it's great! Isn't there a word missing here? This is the "Signing with Google" chapter.

Oh no, it shifts? Will I love truffles someday?

I thought it might also be a genetic thing, but I love cilantro. So maybe there's an inverse correlation?

I'm not here to food shame at all, but I can't be the only one who thinks truffles taste awful, right? Not that I'm into mushrooms, but even the oil smells and tastes overwhelmingly stale to me.

what was he even thinking hitting the gas like that?? people like this make me so mad, I hope that is a very expensive repair bill

So he came back around. Funny thing is that when he was far off he put on his left turn signal like he was just gonna head to Burnside. But then he saw me still there and jammed on the gas and went for the intimidation move and blew out his front right tire! Bwah, ha, ha, ha!

… the man pulls an electric chainsaw out of the back of the truck, plugs in into the truck and starts cutting down a tree “… that just ain’t true”

Hosting any live streams this weekend? Drop your link in the comments 🤗

With the amount of traveling I have been doing in the last year, I think the single best thing I did was buy an @AlaskaAir lounge pass. Coffee, food, great wifi and a quiet place to relax between flights. I’ve even live-streamed from one in Seattle!

Yesterday I was attending a 350ppl Zoom meeting while driving.
The car in front of me made me miss a green light🚦, & I let out a scream of pure, unadulterated rage😡 .
The presenter suddenly stopped and everyone in chat wondered what made Vittorio so upset. I was unmuted 😅 oops

Arguably, tho, PKCE and putting a client secret into a SPA are orthogonal. It's conflating two things that work differently. Poor devs can't understand those differences.

The error should be "we see you sent a client secret and an Origin header. is your client a SPA?"

Helps prevent devs from putting their client secrets in a web page to perform the client creds flow, yep. When AAD enabled this, we definitely got a couple support calls on that. This was how we ratcheted forward PKCE use from suggested to required as well.

Ah, good question -- I didn't notice that. I bet their client config is misconfigured then.

People are asking, when using standards compliant OIDC client libraries:

https://github.com/authts/oidc-client-ts/issues/395#issue-1149525542

It's confusing as hell, and I'm confused by the implementation -- on the token endpoint if Origin is present, you require that the authz used PKCE? That's about the only valid approach to that I can imagine.

Hey @aaronpk, can you explain this help article? It makes no sense to me. TIA

https://support.okta.com/help/s/article/Browser-requests-to-the-token-endpoint-must-use-Proof-Key-for-Code-Exchange?language=en_US

Do I know anyone involved with @LoginDotGov? I found a few (minor) issues with the OAuth/OpenID docs there https://developers.login.gov/oidc/

@aaronpk you would use this mechanism: 18f.gsa.gov/vulnerabi...

"We accept and discuss vulnerability reports on HackerOne, via email at tts-vulnerability-reports@gsa.gov, or through the form"

HackerOne is the preferred reporting.

18F manages the app. Main source repo is here: https://github.com/18F/identity-idp

Not sure if the docs are generated from there, though.