Aaron Parecki

#OAuth

• OAuth

  Aaron Parecki

  Sat, Feb 4, 2017 11:35am -08:00

  Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

  OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

  In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

  Portland, Oregon

  #oauth #oauth2

  Sat, Feb 4, 2017 11:35am -08:00

• IETF 109 Bangkok

  Nov

  14

  Nov

  …

  Nov

  20

  November 14-20, 2020
  7 days

  Bangkok Marriott Marquis Queen's Park

  แขวงคลองเตย, จังหวัดกรุงเทพมหานคร, THA

  #ietf #oauth #okta

  permalink
• IETF 108 Madrid

  Jul

  25

  Jul

  …

  Jul

  31

  July 25-31, 2020
  7 days

  Meliá Castilla

  Madrid, Comunidad de Madrid, ES

  #ietf #oauth #okta

  permalink
• OAuth Security Workshop

  Jul

  22

  Jul

  23

  Jul

  24

  July 22-24, 2020
  3 days

  Scandic Nidelven

  Trondheim, Trøndelag, NOR

  #oauth #okta

  permalink
• IIW XXX

  Apr

  28

  Apr

  29

  Apr

  30

  April 28-30, 2020
  3 days

  Computer History Museum

  Mountain View, California, US

  #oauth #okta #iiw #identity

  permalink
• Hands-on Introduction to OAuth 2.0

  Apr

  6

  April 6, 2020 11:00am - 2:00pm (-0800)

  Portland, Oregon

  #oauth #oreilly #webinar

  permalink
• Oktane 20

  Mar

  30

  Apr

  2

  March 30 through April 2, 2020
  4 days

  Moscone West

  San Francisco, California, US

  #okta #oauth

  permalink
• IETF 107 Vancouver

  Mar

  23

  Mar

  …

  Mar

  27

  March 23-27, 2020
  5 days

  Hyatt Regency Vancouver

  Vancouver, British Columbia, CA

  #ietf #oauth #okta

  permalink
• OAuth WG

  Implicit flow in the Security BCP draft -14

  Aaron Parecki

  Wed, Feb 12, 2020 3:43pm -08:00

  Hi all, I'm reading through the latest draft of the Security BCP, and noticed something I was hoping to get some clarification on. From the latest draft -14 section 2.1.2:

  In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.

  My understanding is that there is no way to prevent access token injection in the authorization response with just OAuth. It's only once you introduce OpenID Connect that it becomes possible to prevent ID token injection. If my understanding is correct, then it seems like it would be more appropriate for the security BCP to say something like "access tokens MUST NOT be issued via the implicit grant." That would technically still leave open the possibility of using the hybrid response types in OIDC as long as the access token is delivered via the authorization code exchange, but clarifies that there is no way to protect the delivering access tokens via the implicit grant.

  So my question for the list is am I forgetting about some way to prevent this attack in OAuth? If not, can we rephrase this section of the Security BCP to better clarify the intent here?

  Portland, Oregon • 47°F

  #oauth #ietf #implicit

  Wed, Feb 12, 2020 3:43pm -08:00
• Dr. Fett https://twitter.com/dfett42

  Version -14 of the #OAuth 2.0 #Security Best Current Practices Draft is out! https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14

  Alaska Flight 386 PDX to SFO in Albany, Oregon • 43°F

  #OAuth #Security

  Mon, Feb 10, 2020 6:44pm +00:00 (liked on Mon, Feb 10, 2020 5:49pm -08:00)
• Hands-on Introduction to OAuth 2.0

  Feb

  3

  February 3, 2020 11:00am - 2:00pm (-0800)

  Portland, Oregon

  #oauth #oreilly #webinar

  permalink
• 

  @github any update on when users will be able to edit OAuth scopes?
  
  This page says it's coming in the future https://developer.github.com/v3/guides/basics-of-authentication/#checking-granted-scopes
  
  This page says it's currently possible https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#requested-scopes-and-granted-scopes
  
  I tried a test case and it doesn't appear to be live yet.

  45.52955, -122.64632

  1 like 1 repost 1 reply

  #oauth #github #scope

  Fri, Jan 24, 2020 8:32am -08:00
• Hardening Refresh Tokens (leastprivilege.com)

  Portland, Oregon • 45°F

  #oauth #security

  Wed, Jan 22, 2020 6:49am -08:00
• 

  Why do we even have OAuth at all? Take five minutes and find out! New video! 🎥👉 https://youtu.be/KT8ybowdyr0

  Portland, Oregon, USA • 44°F

  8 likes 3 reposts 2 replies 2 mentions

  #oauth #okta

  Tue, Jan 21, 2020 7:52am -08:00
• 

  oh no, please tell me this help article from Facebook is just way out of date...
  
  https://www.facebook.com/help/249817848463304
  
  "Why am I being asked to enter my email login information while trying to reset my Facebook password?"
  
  They can't still be doing this, right?

  Portland, Oregon • 43°F

  3 likes 1 reply

  #facebook #oauth #security

  Fri, Jan 17, 2020 2:46pm -08:00
• 

  I often talk about the tradeoffs between local and remote access token validation in my OAuth presentations. This blog post by my coworker is a nice demonstration of that in PHP! https://developer.okta.com/blog/2020/01/15/protecting-a-php-api-with-oauth

  Portland, Oregon • 42°F

  1 like 2 reposts

  #oauth #php

  Fri, Jan 17, 2020 1:21pm -08:00
• 

  I'm working on a 2020 revision to my book, OAuth 2.0 Simplified!
  
  https://oauth2simplified.com
  
  If you find a typo or other error that I am not already aware of, I will send you an OAuth cat sticker! Send me an email or DM with details if you find something!

  

  Portland, Oregon • 37°F

  40 likes 13 reposts 1 reply

  #oauth

  Tue, Jan 14, 2020 10:54am -08:00
• Vladimir Dzhuvinov https://twitter.com/dzhuvi

  #OAuth 2.1 - time to consolidate the patchwork of specs and BCPs into one clean RFC, with all deprecated stuff removed?

  Portland, Oregon • 43°F

  #OAuth

  Tue, Dec 17, 2019 5:45pm +00:00 (liked on Tue, Dec 17, 2019 2:35pm -08:00)
• Florian Weil https://twitter.com/derhess

  Again a great webinar by @aaronpk about protecting your #api with #oauth https://youtu.be/8c1SOuO4mPc #webdev #auth #security #identity #coding

  Portland, Oregon • 40°F

  #api #oauth #webdev #auth #security #identity #coding

  Sun, Dec 15, 2019 2:49pm +00:00 (liked on Sun, Dec 15, 2019 8:14am -08:00)
• Matt Raible https://twitter.com/mraible

  OAuth's implicit flow was created before browsers supported CORS. Let's deprecate it!
  
  Auth code flow + PKCE is the future. Cheers to #OAuth 2.1. 🎉🍻

  Portland, Oregon • 48°F

  #OAuth

  Fri, Dec 13, 2019 7:04pm +00:00 (liked on Fri, Dec 13, 2019 11:04am -08:00)
• 

  Some more info on OAuth 2.1 from the @oktadev blog:
  
  OAuth 2.1: How many RFCs does it take to change a light bulb?
  
  https://developer.okta.com/blog/2019/12/13/oauth-2-1-how-many-rfcs

  Portland, Oregon • 46°F

  31 likes 5 reposts 6 replies 1 mention

  #oauth #oauth2

  Fri, Dec 13, 2019 10:29am -08:00