61°F

Aaron Parecki

  • Articles
  • Notes
  • Photos
  • Wizages - Sam Patzer https://twitter.com/Wizages   •   Jun 6
    So talked with the Apple engineers here at WWDC:
    They don't have that endpoint, they also will not expose user_info or a revocation endpoint. The user_info will only be sent once and only once then you will only get a unique id again. Only scopes available now are name and email
    Aaron Parecki
    Brilliant, thanks for the info!

    Have you been able to successfully request name and email scope yet? It wasn't working in my testing.
    Portland, Oregon
    Thu, Jun 6, 2019 2:22pm -07:00
  • mefarazath https://github.com/mefarazath   •   Jun 6

    #1 Having 'scope' parameter in the authorization request seems to cause login failures

    Aaron Parecki
    Thank you! You helped me track down a deeper problem!

    It turns out that you're right, having `scope` in the request causes Apple to return a 500 server error when confirming the login on their site before it redirects back to the app.

    **However**, the really weird part is that Apple apparently completely ignores the `scope` parameter the second time you log in to an app, so there is no error.

    The very first time I logged in to an app while testing this code I didn't include the `scope` parameter, so it worked. Then I added the parameter to see if I could get it to return an email address, and it didn't. It also didn't fail, because I had already logged in once.

    I was having trouble logging in with a new App ID I created, and this is the reason! I just tried removing the scope from my attempt and now I'm able to log in with new App IDs.

    This is very inconsistent behavior by Apple, so I hope they fix it later.
    Portland, Oregon, USA
    Thu, Jun 6, 2019 12:29pm -07:00
  • Tim Ysewyn @ πŸ‡§πŸ‡ͺ🏠 https://twitter.com/TYsewyn   •   Jun 6
    Why should the role be in the token if you have the userinfo endpoint? Or why should there even be a (list of) role(s) in the token if it’s only a means to have access to an endpoint? πŸ€”
    Aaron Parecki
    Some people like to use JWTs for access tokens or other self-encoded mechanisms. There are definitely trade-offs.
    Portland, Oregon
    Thu, Jun 6, 2019 12:20pm -07:00
  • Stephan https://twitter.com/Stephan007   •   Jun 6
    Nice write up! Question: if an authenticated user gets a new/extra role, does the server create a new JWT or is there a way to update the existing token?
    Aaron Parecki
    if your access tokens are just a reference to a record in a database (the hotel key is just a number, and the doors look up access info in a central server), then you can update the roles in the existing token.
    Portland, Oregon
    Thu, Jun 6, 2019 12:13pm -07:00
  • Stephan https://twitter.com/Stephan007   •   Jun 6
    Nice write up! Question: if an authenticated user gets a new/extra role, does the server create a new JWT or is there a way to update the existing token?
    Aaron Parecki
    The analogy continues... with JWT access tokens, that's like encoding access data into the hotel key card. You'd have to go back to the front desk to get a new card.
    Portland, Oregon
    Thu, Jun 6, 2019 12:12pm -07:00
  • Stephan https://twitter.com/Stephan007   •   Jun 6
    Nice write up! Question: if an authenticated user gets a new/extra role, does the server create a new JWT or is there a way to update the existing token?
    Aaron Parecki
    The answer is it depends on how your access tokens / hotel key cards are implemented!
    Portland, Oregon
    Thu, Jun 6, 2019 12:11pm -07:00
  • Aaron Parecki
    at Case Study Coffee
    Portland, Oregon • Thu, June 6, 2019 10:54am
    45.519248 -122.68242
    More coffee
    Portland, OR, United States
    1 Coin
    Thu, Jun 6, 2019 10:54am -07:00
  • Wizages - Sam Patzer https://twitter.com/Wizages   •   Jun 6
    Do you know where you can find the .well-known/openid-configuration on the apple url?
    Do they even use it?
    Aaron Parecki
    I haven't found it yet. I wouldn't be surprised if they just don't have that endpoint
    Portland, Oregon
    1 like 4 replies
    Thu, Jun 6, 2019 10:46am -07:00
  • Aaron Parecki
    at Weissman Dental
    Portland, Oregon • Thu, June 6, 2019 9:16am
    45.519372 -122.683986
    not again 😬
    Portland, OR, United States
    1 Coin
    Thu, Jun 6, 2019 9:16am -07:00
  • nov matake https://twitter.com/nov
    apple_id gem v0.1.0 & documentation is ready. Enjoy Sign-in with Apple in Ruby. https://github.com/nov/apple_id/wiki
    Portland, Oregon
    Wed, Jun 5, 2019 3:19pm +00:00 (liked on Thu, Jun 6, 2019 6:51am -07:00)
  • bfulgham https://twitter.com/bfulgham
    WebKit on iOS has always been the same engine as macOS. It was just significantly constrained due to the technical limitations of early iPhones. In iOS 13 we have removed many of these old limitations.
    Portland, Oregon
    Tue, Jun 4, 2019 5:44pm +00:00 (liked on Thu, Jun 6, 2019 6:50am -07:00)
  • Aaron Parecki
    This book by @anomalily definitely helped me get a handle on my money situation. πŸ’΅ You should have seen me before. πŸ™ˆ And now her Kickstarter for the second print run is just shy of the $10,000 stretch goal! Let's get it over the top! πŸš€

    https://www.kickstarter.com/projects/anomalily/a-cats-guide-to-money-illustrated-purrsonal-finance-book
    Portland, Oregon, USA
    9 likes 3 reposts 1 mention
    Wed, Jun 5, 2019 7:20pm -07:00 #kickstarter #ohmydollar
  • Michael Woodburne https://twitter.com/MAWTechnology
    I am not an Apple guy. At all. But I can't help but love what they continue to do for user privacy. Great work @Apple
    Portland, Oregon
    Thu, Jun 6, 2019 1:36am +00:00 (liked on Wed, Jun 5, 2019 7:08pm -07:00)
  • Aaron Parecki
    at Pet Samaritan Clinic
    Portland, Oregon • Wed, June 5, 2019 5:08pm
    45.52305 -122.64009
    Bike trip to the vet with @indiewebcat! 😻
    Portland, OR, United States
    1 Coin
    Wed, Jun 5, 2019 5:08pm -07:00
  • Gokul Thirumalai https://twitter.com/gokult   •   Jun 5
    Thanks Alex. Where do you see the biggest gap that will help you push forward?
    Aaron Parecki
    The docs are also wrong in a few places. Happy to provide details via DM or email.
    Portland, Oregon, USA
    Wed, Jun 5, 2019 4:45pm -07:00
  • Gokul Thirumalai https://twitter.com/gokult   •   Jun 5
    Thanks Alex. Where do you see the biggest gap that will help you push forward?
    Aaron Parecki
    I have so many questions for you! I was able to create a proof of concept, but would love to know some of the missing details. The current documentation is not complete enough to make a working app, I had to guess things based on my knowledge of OIDC.

    https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple
    Portland, Oregon, USA
    1 reply
    Wed, Jun 5, 2019 4:40pm -07:00
  • Jake Feasel https://twitter.com/jakefeasel
    @oauth_2 Since PKCE use for Single Page Apps is becoming more popular, take a look at this library I've been working on to make it super easy to implement: https://www.npmjs.com/package/appauthhelper
    Portland, Oregon
    Wed, Jun 5, 2019 9:49pm +00:00 (liked on Wed, Jun 5, 2019 3:02pm -07:00)
  • Nate Angell https://twitter.com/xolotl   •   Jun 5
    Lawyer at @indiewebcamp: "Why isn't anyone at my GDPR unconference session?"
    Aaron Parecki
    you joke, but: https://indieweb.org/2018/D%C3%BCsseldorf/gdpr
    Portland, Oregon, USA
    2 likes 1 repost 2 replies
    Wed, Jun 5, 2019 12:41pm -07:00
  • Simon Rice https://twitter.com/_SimonRice   •   Jun 5
    Excellent thread - just to clarify with another example since Google do identity & calendar - if my app needs OAuth to (say) read playlist data specifically from Spotify via their dev API & do nothing whatsoever user ID related with them, I don’t need β€œSign In With Apple”?
    Aaron Parecki
    Yes that is my understanding reading their guidelines. Of course this remains to be seen how it will play out in practice.
    Portland, Oregon
    2 likes 1 reply
    Wed, Jun 5, 2019 10:33am -07:00
  • Aaron Parecki
    I had fun with this one: 7 Ways an OAuth Access Token is like a Hotel Key Card

    https://developer.okta.com/blog/2019/06/05/seven-ways-an-oauth-access-token-is-like-a-hotel-key-card
    Portland, Oregon, USA
    21 likes 9 reposts 2 replies 1 mention
    Wed, Jun 5, 2019 9:19am -07:00 #oauth
older

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

  • πŸŽ₯ YouTube Tutorials and Reviews
  • 🏠 We're building a triplex!
  • ⭐️ Life Stack
  • βš™οΈ Home Automation
  • All
  • Articles
  • Bookmarks
  • Notes
  • Photos
  • Replies
  • Reviews
  • Trips
  • Videos
  • Contact
© 1999-2026 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.
IndieWebCamp Microformats Webmention W3C HTML5 Creative Commons
WeChat ID
aaronpk_tv