
Aaron Parecki

  • Joschi Kuphal 吉 https://jkphl.is
    📢 Ever needed to implement #OAuth and had a hard time wrapping your head around it? Want a sound understanding of all things @oauth_2? Happy to host a workshop about just that, with @aaronpk («OAuth 2.0 Simplified»), during @nueww, on October 18th. Join us! https://colloq.io/events/tollwerkstatt-workshops/2018/nurnberg/2
    Portland, Oregon • 65°F
    Fri, Apr 27, 2018 3:02pm +03:00 (liked on Fri, Apr 27, 2018 6:20am -07:00) #OAuth
  • will leinweber http://bitfission.com
    I made a VGP (very good program) that makes it so it looks like I’m typing on slack whenever anyone else is typing, and stops when they stop.

    Everyone loves it so far and doesn’t find it annoying at all!

    https://github.com/will/slacktyping
    Portland, Oregon • 73°F
    Wed, Apr 25, 2018 3:18pm -07:00 (liked on Thu, Apr 26, 2018 9:56am -07:00)
  • sknebel https://github.com/sknebel   •   Apr 26

    A potential manual way: have a !snooze command that blacklists a string for e.g. 24 hours.

    Aaron Parecki
    !snooze is not a bad idea, that gives people the ability to make the decision about what to filter.

    I do have some code that Loqi uses to kick people out of the IRC room when they spam it that might also work here, but I'd be worried about too much false positive filtering. It looks at a normalized version of the text (lowercase, no whitespace or punctuation, minus URLs) and could reject tweets that match an existing one found in the last 24 hours. That would have stopped a bunch of these from coming through.
    Portland, Oregon • 71°F
    Thu, Apr 26, 2018 6:57am -07:00
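    The duplicate filter described in the reply above, written out as an added example (this is not Loqi's code, and the `min_length` safeguard and the sample messages are constructed here to illustrate the false-positive concern):

    ```python
    import re
    import time
    from typing import Dict, Optional

    URL_RE = re.compile(r"https?://\S+")
    WINDOW_SECONDS = 24 * 60 * 60


    def normalize(text: str) -> str:
        """Fingerprint a message: lowercase, URLs removed, then only letters and digits."""
        without_urls = URL_RE.sub("", text.lower())
        return "".join(ch for ch in without_urls if ch.isalnum())


    class DuplicateFilter:
        """Rejects a message whose fingerprint was already accepted within the window.

        min_length is an added safeguard (assumption, not from the thread): very short
        fingerprints such as 'thanks' are never treated as duplicates, which limits the
        false positives the reply worries about.
        """

        def __init__(self, window: int = WINDOW_SECONDS, min_length: int = 12):
            self.window = window
            self.min_length = min_length
            self.seen: Dict[str, float] = {}  # fingerprint -> time first accepted

        def _expire(self, now: float) -> None:
            stale = [k for k, ts in self.seen.items() if now - ts > self.window]
            for k in stale:
                del self.seen[k]

        def is_duplicate(self, text: str, now: Optional[float] = None) -> bool:
            now = time.time() if now is None else now
            self._expire(now)
            key = normalize(text)
            if len(key) < self.min_length:
                return False  # too little content to fingerprint reliably
            if key in self.seen:
                return True  # seen within the window: reject
            self.seen[key] = now  # first sighting: accept and remember
            return False


    if __name__ == "__main__":
        f = DuplicateFilter()
        # Constructed sample: same text with different URLs collapses to one fingerprint.
        print(f.is_duplicate("Check out OAuth 2.0 Simplified! https://example.com/a", now=0))
        print(f.is_duplicate("check out oauth 2.0 simplified https://example.com/b", now=3600))
    ```
    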
  • Laura Rodríguez https://github.com/laura-rodriguez
    #lifeatokta #branding @okta <3 @oktadev #womenintech #toronto
    Portland, Oregon • 71°F
    Wed, Apr 25, 2018 11:10pm -03:00 (liked on Thu, Apr 26, 2018 6:39am -07:00) #lifeatokta #branding #womenintech #toronto
  • Zegnat https://github.com/Zegnat   •   Apr 25

    This totally slipped me by, so here we go. I do like the idea of logging things, and syslog() is probably the best solution unless we want to pull in something like PSR-3. More thoughts:

    1. I would not turn any logging on by default. I do think logging IPs with authentication requests makes sense, and I would simply never want to log any IPs by default. Especially when people running this on shared hosts might be feeding it into logs they themselves cannot clear.
    2. LOG_FAILED_PASSWORDS sounds like a nice-to-have that needs massive disclaimers around it. We can’t work on the assumption that everyone is using a password manager. This means people are typing their passwords, and typos happen. This option sounds good, but if you over time fill logs with deviations of your real password, you better be making sure you are purging those logs real good. (Of course again with the problem that syslog() may be out of reach to the user who unwittingly turned this on.)

    I can almost see us strategically dropping these into the source code, but commented. Anyone who understands syslog() and wants to use it to trip up other alarm bells on a server will probably be OK uncommenting a couple of functions, even if they aren’t well versed with PHP. This will at least keep it out of the hands of users who cannot see the possible side-effects.

    Like the idea, just not sure how to execute it without giving users some flags in the config with huge warning disclaimers. And I don’t like warning disclaimers in what is supposed to be a simple single-purpose thing.

    Aaron Parecki
    I like the idea of making logging opt-in by uncommenting the code. I'm struggling to think of a case where logging failed passwords is ever a good idea. It seems others would agree with this assessment as well. https://security.stackexchange.com/questions/16824/is-it-common-practice-to-log-rejected-passwords
    Portland, Oregon • 83°F
    Wed, Apr 25, 2018 3:23pm -07:00
  • Aaron Parecki
    at TriMet Hollywood/NE 42nd Ave Transit Center
    Portland, Oregon • Wed, April 25, 2018 11:17am
    45.532787 -122.620756
    Some crazy new colors going on here!
    Portland, OR, United States • 70°F
    6 Coins
    Wed, Apr 25, 2018 11:17am -07:00
  • Aaron Parecki
    Just downloaded my @instagram dump and I'm pretty disappointed. 😔

    • My comments include only the comment text, a timestamp, and the photo author. No way to know what I'm commenting on
    • Same for photos I've liked
    • There's no indication of likes or comments on my own photos
    Portland, Oregon • 67°F
    8 likes 1 repost 1 reply
    Wed, Apr 25, 2018 10:04am -07:00 #instagram #ownyourdata
  • singpolyma https://github.com/singpolyma   •   Apr 25

    #5 RAM DOS

    Aaron Parecki
    In practice this is enforced by the PHP process itself. PHP has a setting for a maximum memory limit, at which point the process will be killed. I'm not really interested in trying to solve this for real using some sort of stream solution, since the vast majority of content this is used for is relatively small pages.
    Portland, Oregon • 65°F
    Wed, Apr 25, 2018 9:33am -07:00
  • Aaron Parecki
    Hello from @donutjs, packed house tonight! We're livestreaming tonight thanks to support from @oktadev! https://youtu.be/4czBvCbtiWw
    Portland, Oregon • 76°F
    8 likes 2 reposts
    Tue, Apr 24, 2018 6:41pm -07:00
  • Aaron Parecki
    at Alchemy Code Lab
    Portland, Oregon • Tue, April 24, 2018 5:32pm
    45.523394 -122.680919
    #DonutJS setup
    Portland, OR, United States • 79°F
    4 Coins
    Tue, Apr 24, 2018 5:32pm -07:00 #donutjs
  • Donut.js 🍩 6pm Tue Apr 24 at Alchemy Code Lab http://donutjs.club
    We are very happy to let you know that @oktadev is sponsoring our video recording and production!

    Okta provides authentication, authorization, and user management to your web or mobile app. Learn more at http://developer.okta.com!

    🔑🍩‿🍩🔒
    Portland, Oregon • 78°F
    Tue, Apr 24, 2018 2:39pm -07:00 (liked on Tue, Apr 24, 2018 3:05pm -07:00)
  • Donut.js 🍩 6pm Tue Apr 24 at Alchemy Code Lab http://donutjs.club
    Hello everybody, Donut.js is tonight! Tickets are still available! Join us at 6pm at @AlchemyCodeLab for superb talks from @ryrykubes and @sandyaaaas and @elnoelle. Come support http://portlandmeetportland.org! Come and eat donuts and chat and party! https://donutjs.club
    Portland, Oregon • 78°F
    Tue, Apr 24, 2018 2:43pm -07:00 (liked on Tue, Apr 24, 2018 3:05pm -07:00)
  • Adam Lewis https://twitter.com/lewiada   •   Apr 24
    and what about for storing the access token in the browser?
    Aaron Parecki
    Sadly there isn't a satisfying answer to that. Anything that your JS can use to store any token is vulnerable to XSS. The only secure option is cookies, but that won't work with OAuth. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
    Portland, Oregon • 75°F
    1 like 3 replies
    Tue, Apr 24, 2018 12:07pm -07:00
  • Aaron Parecki
    @buffer Does this Facebook API announcement mean publishing to Facebook from Buffer will stop working? https://developers.facebook.com/blog/post/2018/04/24/new-facebook-platform-product-changes-policy-updates/
    Portland, Oregon • 73°F
    1 like 2 replies
    Tue, Apr 24, 2018 11:41am -07:00
  • Aaron Parecki https://aaronparecki.com/   •   Apr 24
    BCP for public UA clients:

    • use the authorization code flow
    • omit client secret
    • strict redirect URI validation

    Some citations and more info: https://aaronparecki.com/oauth-2-simplified/#single-page-apps
    Aaron Parecki
    I agree it would be nice to see this written up properly though. In the meantime, I'm adding a section to my book about this.
    Portland, Oregon • 72°F
    2 likes 1 repost
    Tue, Apr 24, 2018 11:05am -07:00
  • Adam Lewis https://twitter.com/lewiada   •   Apr 24
    We do implement native apps per RFC8252 including code flow, custom tabs and PKCE, and we use OIDC for authentication to web apps. But doing UA-based apps / SPAs right is ambiguous at best and I keep hoping for the @oauth_2 WG to begin work on a UA-based client BCP.
    Aaron Parecki
    BCP for public UA clients:

    • use the authorization code flow
    • omit client secret
    • strict redirect URI validation

    Some citations and more info: https://aaronparecki.com/oauth-2-simplified/#single-page-apps
    Portland, Oregon • 71°F
    3 likes 1 repost 6 replies
    Tue, Apr 24, 2018 10:57am -07:00 #oauth2
  • Adam Lewis https://twitter.com/lewiada
    We do implement native apps per RFC8252 including code flow, custom tabs and PKCE, and we use OIDC for authentication to web apps. But doing UA-based apps / SPAs right is ambiguous at best and I keep hoping for the @oauth_2 WG to begin work on a UA-based client BCP.
    Portland, Oregon • 71°F
    Tue, Apr 24, 2018 1:48pm -04:00 (liked on Tue, Apr 24, 2018 10:52am -07:00)
  • Donut.js 🍩 6pm Tue Apr 24 at Alchemy Code Lab http://donutjs.club
    To address some audiovisual technical difficulties, we’ve been working with @aaronpk and @AlchemyCodeLab to overhaul our presentation and recording setup. Just got back from a second round of testing everything out, and it’s looking and sounding great!! 🎙🍩‿🍩📹
    Portland, Oregon • 72°F
    Mon, Apr 23, 2018 2:57pm -07:00 (liked on Mon, Apr 23, 2018 3:00pm -07:00)
  • Aaron Parecki
    at Broadway Books
    Portland, Oregon • Mon, April 23, 2018 2:14pm
    45.53489 -122.648047
    Got the second to last copy of John Oliver's Marlon Bundo book!
    Portland, OR, United States • 72°F
    30 Coins
    Mon, Apr 23, 2018 2:14pm -07:00
  • OktaDev http://developer.okta.com
    Friends don't let friends write auth.

    "The greatest teacher failure is." — Yoda
    Portland, Oregon • 58°F
    Mon, Apr 23, 2018 9:55am -07:00 (liked on Mon, Apr 23, 2018 10:07am -07:00)

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.