Aaron Parecki

#OAuth

OAuth

Sat, Feb 4, 2017 11:35am -08:00

Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

Portland, Oregon

#oauth #oauth2

Sat, Feb 4, 2017 11:35am -08:00

New York (JFK) to Los Angeles (LAX)

December 14, 2018 from 7:10am (-0500) to 10:36am (-0800)

Alaska Flight 420

Los Angeles (LAX) to Portland (PDX)

December 14, 2018 from 3:10pm to 5:44pm (-0800)

Alaska Flight 1083

Portland Intl in Portland

#oauth #okta

permalink
Seattle (SEA) to Portland (PDX)

December 11, 2018 from 6:55pm to 7:46pm (-0800)

Alaska Flight 2627

Portland (PDX) to New York (JFK)

December 11, 2018 at 9:22pm (-0800) until Dec 12 at 5:27am (-0500)

Alaska Flight 450

John F Kennedy Intl in New York

#okta #w3c #oauth

permalink
W3C Workshop on Strong Authentication & Identity

Dec

10

Dec

11

December 10, 2018 at 8:30am UTC-8

Microsoft Building 27

Redmond, Washington, US

#oauth #openid

permalink
Portland (PDX) to Seattle (SEA)

December 9, 2018 from 9:20pm to 10:19pm (-0800)

Alaska Flight 2268

Seattle Tacoma Intl in Seattle

#okta #w3c #oauth

permalink
Tom Scavo https://twitter.com/trscavo

The #OAuth implicit flow is taking a beating right now. See: OAuth 2.0 Security Best Current Practice https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10 and OAuth 2.0 for Browser-Based Apps https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-01

Los Angeles, California • 52°F

#OAuth

Thu, Dec 6, 2018 11:49pm +00:00 (liked on Thu, Dec 6, 2018 5:03pm -08:00)
NFC Card Emulation with ACR122u(PN532) (salmg.net)

Los Angeles, California • 62°F

#nfc #security #oauth

Sun, Dec 2, 2018 3:04pm -08:00
https://www.ietf.org/mail-archive/web/oauth/current/msg18477.html

OAUTH-WG

On Wed, Nov 7, 2018 at 7:20 AM Joseph Heenan <joseph at authlete.com> wrote:

> It may be worth slightly rewording 7.2 as it may encourage a growing misconception that all native apps must be public clients. With many devices now having embedded HSMs, we’ve seen increasing interest in mobile apps being dynamically (per-install) registered oauth2 private clients, and that model has a lot of advantages. (I’m not sure if we might see a similar model evolving for web apps.)

That's a great point, thanks. I've removed the reference to native apps being public clients since it doesn't really add anything to this spec if I have to caveat the description.

On Thu, Nov 15, 2018 at 12:58 PM Torsten Lodderstedt <torsten at lodderstedt.net> wrote:

> > > First of all the AS decides whether it issues refresh tokens or not. Having the ability does not mean the AS must do it. If you feel it’s safer to not do it. Fine.
> > Sure, and this should be mentioned then somewhere (either in the threats doc or in this proposed best practice doc). Not all end developers using these protocols fully understand the ramifications.
> @Aaron: I suggest this goes to the SPA BCP since this is client specific.

Thanks, I agree that this document should include some recommendations around refresh token handling. Looking at the discussion in this thread, it seems there are a few different strategies folks are taking. Since it seems like there isn't a strong consensus, it sounds like this would be better suited for the "Security Considerations" section, and to not make MUST/SHOULD recommendations, but rather just point out the issues. Any thoughts on that before I take a stab at writing something?

I've incorporated some of the other feedback here and published an updated version:

https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-01

Thanks for the feedback so far.

Portland, Oregon

#oauth

Mon, Nov 19, 2018 6:09pm -08:00
(datatracker.ietf.org)

Portland, Oregon • 52°F

#ietf #oauth #ietf103

Mon, Nov 19, 2018 3:49pm -08:00
Alright, I think we can call it. Between @tlodderstedt's OAuth Security Best Practices and OAuth 2.0 for Browser Apps, the Implicit Flow is dead.

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09

https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-00

https://medium.com/@torsten_lodderstedt/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926

Portland, Oregon, USA • 36°F

4 likes 5 reposts

#oauth #oauth2

Fri, Nov 9, 2018 8:57am -08:00
https://www.ietf.org/mail-archive/web/oauth/current/msg18468.html

OAUTH-WG

Thanks Hannes,

Since I wasn't able to give an intro during the meeting today, I'd like to share a little more context about this here as well.

At the Internet Identity Workshop in Mountain View last week, I led a session to collect feedback on recommendations for OAuth for browser based apps. During the session, we came up with a list of several points based on the collective experience of the attendees. I then tried to address all those points in this draft.

The goal of this is not to specify any new behavior, but rather to limit the possibilities that the existing OAuth specs provide, to ensure a secure implementation in browser based apps.

Thanks in advance for your review and feedback!

Portland, Oregon • 47°F

#oauth

Tue, Nov 6, 2018 11:13am +01:00
IETF 103 OAuth Meeting

Nov

6

November 6, 2018 at 11:20am UTC+7

#oauth

permalink
IETF 103 OAuth Meeting

Nov

5

November 5, 2018 at 9:00am UTC+7

#oauth

permalink
San Jose (SJC) to Portland (PDX)

October 26, 2018 from 9:10am to 10:45am (-0700)

Alaska Flight 407

Portland Intl in Portland

#oauth #okta #iiw

permalink
Listening to @tlodderstedt present some new OAuth 2.0 Security recommendations #iiw

Mountain View, California, USA • 60°F

2 likes

#oauth #iiw

Thu, Oct 25, 2018 10:06am -07:00
I'll be leading a session on OAuth for single page apps at 10:30! Room i. We'll try to come up with a list of best practices! #iiw

Mountain View, California, USA • 57°F

5 likes 2 reposts

#oauth #iiw

Wed, Oct 24, 2018 9:59am -07:00
Moving On from OAuth 2? – Justin Richer – Medium (medium.com)

Mountain View, California • 60°F

#oauth #oauth2 #iiw

Tue, Oct 23, 2018 10:47am -07:00
Nürnberg (NUE) to Frankfurt (FRA)

October 22, 2018 from 11:15am to 12:00pm (+0200)

Lufthansa Flight 147

Frankfurt (FRA) to Seattle (SEA)

October 22, 2018 from 2:25pm (+0200) to 4:10pm (-0700)

Condor Flight 2032

Seattle (SEA) to San Jose (SJC)

October 22, 2018 from 5:30pm to 7:33pm (-0700)

Alaska Flight 322

Norman Y Mineta San Jose Intl in San Jose

#oauth #indiewebcamp #okta #iiw

permalink
Understanding and Implementing OAuth 2.0

Oct

18

October 18, 2018 at 9:00am UTC+2

tollwerk GmbH | TYPO3- & Werbeagentur Nürnberg

Nürnberg, Bayern, DE

#oauth

permalink
Portland (PDX) to Seattle (SEA)

October 15, 2018 from 2:15pm to 3:08pm (-0700)

Alaska Flight 2642

Seattle (SEA) to Frankfurt (FRA)

October 15, 2018 at 6:10pm (-0700) until Oct 16 at 1:35pm (+0200)

Condor Flight 2033

Frankfurt (FRA) to Nürnberg (NUE)

October 16, 2018 from 5:20pm to 6:00pm (+0200)

Lufthansa Flight 148

Nürnberg in Nürnberg

#oauth #indiewebcamp

permalink
Congrats @strava on some great looking #OAuth security updates to your API! https://developers.strava.com/docs/oauth-updates/

Portland, Oregon, USA • 64°F

2 likes 2 reposts

#oauth

Mon, Oct 15, 2018 1:45pm -07:00