
Aaron Parecki

  • Even André Fiskvik https://twitter.com/grEvenX   •   May 3
    In the process of changing how we authorize the users in our web app and I’m wondering what route to take. Do you know about any simple proxy-like services for Oauth 2 Auth code flow (not OIDC) that can keep sessions and handle Auth for any SPA?
    Aaron Parecki
    Plenty of server-side frameworks can do this, I'm not sure about something as a service though. Also not sure if you'd really want to go down the path of offloading that kind of thing to a different site either.
    Portland, Oregon
    1 reply
    Sat, May 4, 2019 9:46am -07:00
  • Aaron Parecki
    at Salmon Street Springs Fountain
    Portland, Oregon • Fri, May 3, 2019 4:01pm
    45.515367 -122.673305
    Portland, OR, United States • 49°F
    1 like 15 Coins
    Fri, May 3, 2019 4:01pm -07:00
  • NSN https://twitter.com/nsnusername
    Implicit flow is history.
    Portland, Oregon • 49°F
    Thu, May 2, 2019 3:29pm +00:00 (liked on Fri, May 3, 2019 8:48am -07:00)
  • Lillian Karabaic https://twitter.com/anomalily
    Just found out that @juliensolomita used my suggestion in his most recent video to do a mac + cheese tasteoff and I am STOKED. Because I love nothing more than some vegan mac. https://www.youtube.com/watch?v=EBv5A7NC2eI
    Portland, Oregon • 49°F
    Fri, May 3, 2019 12:02am +00:00 (liked on Thu, May 2, 2019 8:22pm -07:00)
  • Aaron Parecki
    at Gate 27
    San Jose, California • Thu, May 2, 2019 5:20pm
    37.364881 -121.92392
    San Jose, CA, United States
    7 Coins
    Thu, May 2, 2019 5:20pm -07:00
  • Nico Kaiser https://twitter.com/nicokaiser   •   May 2
    ... assuming I can control what JS code runs on my site (which is a different problem), this should be safe, right?
    Aaron Parecki
    That's a big assumption (you don't know what browser extensions the user is using) but yes that's one way to be more confident. I wouldn't use absolute terms like "safe" though. "Less risky" maybe.
    San Jose, California • 49°F
    Thu, May 2, 2019 4:31pm -07:00
  • Drummond Reed https://twitter.com/drummondreed
    Biggest laugh at #IIW so far: when @justin__richer in his session on “Is #selfsovereignidentity really possible” turned to Dave Crocker and said that we can all blame him for the Internet not having #security built in from the start.
    San Jose, California • 49°F
    Thu, May 2, 2019 6:03pm +00:00 (liked on Thu, May 2, 2019 4:18pm -07:00) #IIW #selfsovereignidentity #security
  • Drummond Reed https://twitter.com/drummondreed
    At #IIW session on “Is #selfsovereignidentity really possible”, @xmlgrrl Eve Maler offers perhaps the most concise definition of #privacy I’ve ever heard: “Privacy is context-controlled choice and respect.” Beautiful. And I believe actually possible with #SSI.
    San Jose, California • 49°F
    Thu, May 2, 2019 6:07pm +00:00 (liked on Thu, May 2, 2019 4:18pm -07:00) #IIW #selfsovereignidentity #privacy #SSI
  • Eve Maler https://twitter.com/xmlgrrl
    In @justin__richer’s #IIW “DIDn’t” session: Once more with feeling: Privacy is not secrecy; privacy is not encryption; privacy is context, control, choice, and respect.
    San Jose, California • 49°F
    Thu, May 2, 2019 6:10pm +00:00 (liked on Thu, May 2, 2019 4:18pm -07:00) #IIW
  • Aaron Parecki
    at The Club at SJC
    San Jose, California • Thu, May 2, 2019 3:57pm
    37.368421 -121.928393
    San Jose, CA, United States
    8 Coins
    Thu, May 2, 2019 3:57pm -07:00
  • Aaron Parecki
    at TSA Pre-Check Terminal B
    San Jose, California • Thu, May 2, 2019 3:48pm
    37.365179 -121.924013
    San Jose, CA, United States • 49°F
    4 Coins
    Thu, May 2, 2019 3:48pm -07:00
  • Aaron Parecki
    at Norman Y. Mineta San José International Airport (SJC)
    San Jose, California • Thu, May 2, 2019 3:43pm
    37.368438 -121.929042
    San Jose, CA, United States
    10 Coins
    Thu, May 2, 2019 3:43pm -07:00
  • Nico Kaiser https://twitter.com/nicokaiser   •   May 2
    What is your opinion on refresh tokens in client-side apps? The PKCE Auth Code flow allows issuing refresh tokens, so SPAs can refresh their tokens without relying on web_message (possibly cross-domain) iframes. ...
    Aaron Parecki
    Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens.

    If you are going to issue refresh tokens to JS, definitely rotate them after every use.
    Sunnyvale, California • 49°F
    1 like
    Thu, May 2, 2019 3:32pm -07:00
  • Eve Maler https://twitter.com/xmlgrrl
    #IIW today is obv going to start with a bang. @justin__richer
    Mountain View, California • 49°F
    Thu, May 2, 2019 4:06pm +00:00 (liked on Thu, May 2, 2019 10:14am -07:00) #IIW
  • Chris https://twitter.com/gonji96
    PKCE is on my list to implement when no one is watching
    Mountain View, California • 49°F
    Thu, May 2, 2019 3:54pm +00:00 (liked on Thu, May 2, 2019 9:04am -07:00)
  • Aaron Parecki
    Browser APIs have gotten so much better lately! Way easier to do @oauth_2 PKCE in a browser now:

    ✅ good random number generators
    ✅ secure hashing functions

    Just missing a good base64 encoding function. (Check out the ugly hack in the post.)

    https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead#begin-the-pkce-request
    Mountain View, California, USA • 49°F
    5 likes 1 repost 5 replies
    Thu, May 2, 2019 8:25am -07:00 #oauth #javascript #pkce
  • Aaron Parecki
    at Computer History Museum
    Mountain View, California • Thu, May 2, 2019 7:54am
    37.414456 -122.0775
    Mountain View, CA, United States
    1 Coin
    Thu, May 2, 2019 7:54am -07:00
  • Aaron Parecki
    at Hotel Vue
    Mountain View, California • Thu, May 2, 2019 7:29am
    37.381403 -122.074277
    Mountain View, CA, United States • 49°F
    10 Coins
    Thu, May 2, 2019 7:29am -07:00
  • Aaron Parecki
    current status: wrapped up the web standards meeting for the day, and now watching the recording of yesterday's Planning and Sustainability Commission meeting in Portland, a different kind of standards meeting.

    what? I don't have too many projects *you* have too many projects
    Mountain View, California, USA • 49°F
    12 likes 1 repost 1 reply
    Wed, May 1, 2019 9:17pm -07:00 #pdx #portland
  • Aaron Parecki
    at Hotel Vue
    Mountain View, California • Wed, May 1, 2019 8:42pm
    37.381403 -122.074277
    Mountain View, CA, United States • 49°F
    34 Coins
    Wed, May 1, 2019 8:42pm -07:00

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.