59°F 8:47am

Aaron Parecki

#oauth

  • Las Vegas (LAS) to Portland (PDX)
    to
    Alaska Flight 627
    Portland, Oregon
    #oktane #oauth
    permalink
  • Oktane 2017
    Aug
    28
    Aug
    29
    Aug
    30
    August 28, 2017 at 5:30pm UTC-7
    Aria Resort
    Las Vegas, NV
    #okta #oktane #oauth #oktane16
    permalink
  • Portland (PDX) to Seattle (SEA)
    to
    Alaska Flight 3473
    Seattle (SEA) to Las Vegas (LAS)
    to
    Alaska Flight 684
    Portland, Oregon
    #oktane #oauth
    permalink
  • It's real now! Here's a sneak peek of the cover of my new book "OAuth 2.0 Simplified", released at the end of this month! #oauth #oauth2
    Portland, Oregon
    62 likes 27 replies
    #oauth #oauth2
  • Impact of iOS 11 no longer providing shared cookies between Safari, Safari View Controller instances · Issue #120 · openid/AppAuth-iOS (github.com)
    Portland, Oregon
    #ios #ios11 #oauth
  • I've seen this done a few ways: • The Device Flow: https://tools.ietf.org/html/draft-ietf-oauth-device-flow which is what you see on browserless devices like the Apple TV logging in to a cable provider from your phone. A short code is generated and displayed on the screen, you launch a browser on your phone and enter the code. This would work just as well from the command line on the same device. • I've also seen apps use the authorization flow, by displaying the authorization URL on the command line prompt and instructing the user to open it in a browser. The redirect URI is a hosted web page that displays the authorization code and instructs the user to paste it back at the terminal. • The command line app can launch an HTTP server on localhost and use that as the redirect URL for the authorization code flow. This option ends up being the most seamless since it works like a traditional flow without any special instructions to the user.
    Portland, Oregon, USA
    #oauth #oauth2
  • Google Docs phishing attack underscores OAuth security risks | ITworld (www.itworld.com)
    Portland, Oregon
    #oauth #press #inthewild

  • Day 59: Updated the Logo on IndieAuth.com's GitHub Login #100DaysOfIndieWeb

    Fri, Feb 17, 2017 8:56pm -08:00

    This evening, Tantek pointed out to me that while he was logging in to the wiki via IndieAuth.com for the first time on a new computer, there was something a little strange about the IndieAuth.com flow...

    Here's the screenshot of what he saw:

    I definitely agree this is somewhat disconcerting. So here's what I did to fix it.

    I first didn't realize that if you don't upload an application icon to GitHub when you create an application, it will use the profile photo of the user who created the application for the OAuth screen. I guess I should have remembered this, since I included a screenshot of GitHub's OAuth screen in the User Interface chapter of my OAuth book.

    I first assumed that I would have to transfer the ownership the application to an organization that has the logo I wanted to appear. I did that, and encountered a strange message on GitHub when I moved the application from my aaronpk account to the new IndieAuth organization.

    I have absolutely no idea what this message is trying to tell me. I reported my confusion to a friend who works at GitHub, so we'll see if they fix that soon.

    Afterwards, I then realized I didn't in fact need to transfer the ownership of the application, and could just upload an application icon instead. Much easier!

    So I uploaded a logo to GitHub, and also changed the name of the application from "IndieAuth" to "IndieAuth.com". This is part of my long-standing regret of naming this service IndieAuth, since it's also now a protocol that anyone can implement and is not actually tied to me running this service. I wish I could change the name of this service, but too many people are referencing indieauth.com in their code now, especially since it's one of the few remaining OpenID providers left.

    I tried adding a description of the application, hoping that it would appear on the GitHub OAuth screen, but sadly it did not! (I also reported that to GitHub, so I'll find out soon if it's a bug or if I'm misunderstanding their help text.)

    After all that, the end result is that now when you sign in to something using IndieAuth.com with your GitHub account for the first time, you no longer see my face!

    Hopefully this is much less shocking for people who are using this! I'm not a huge fan of the logo, although I do like the "clever" shape of the "A" with the negative space forming the "i". Maybe I just need to drop the outline. Perhaps that will be a future #100days project!

    Portland, Oregon
    1 like 1 mention
    #100daysofindieweb #indieauth.com #oauth
  • When I see an access token that begins with "eyJ", I base64-decode the middle part to see what data they store in it. #oauth #jwt #security
    Portland, Oregon, USA
    14 likes 3 reposts 1 reply
    #oauth #jwt #security
  • Oakland (OAK) to Portland (PDX)
    to
    Alaska Flight 2644
    Portland, Oregon
    #oauth #consulting
    permalink

  • Day 35: Handling Redirects of Updated Blog Posts #100DaysOfIndieWeb

    Tue, Jan 24, 2017 9:26pm -08:00

    My blog post from 2012 titled "OAuth 2 Simplified" is my most popular article on my website by an order of magnitude. It is referenced by over 400 repositories on GitHub, and ranks very high in searches about OAuth. I still get tweets over four years later from people who discover it for the first time and are very appreciative of finding a succinct summary of the protocol. I wrote it in 2012, when OAuth 2.0 was still relatively new, and it was based on the best practices at the time. 

    Today I was reviewing the post, and realized that there were quite a few places where the industry standards have changed either in the terminology or in the best practices. I decided that I wanted to publish a new version of the post updated for 2017 based on what has happened in the industry over the last few years. I didn't feel comfortable updating the post at its current URL, from 2012, since that seemed like it would be rewriting history. But at the same time, I don't want to make people landing on that post from a web search or link from a GitHub repository to have to click another time to see the latest version of the post.

    I decided on an interesting compromise. I took the existing post, rewrote parts of it, and published it at a new URL: https://aaronparecki.com/oauth-2-simplified/

    I then took the old post, copied it verbatim, and published it at a new URL dated the same date as the old post: https://aaronparecki.com/2012/07/29/7/oauth2-simplified

    The final step was creating a redirect from the post's old URL https://aaronparecki.com/2012/07/29/2/oauth2-simplified (note the "2" vs the "7") to the new URL that has no date component. (This is the part that required a new bit of code for p3k, in order to handle redirects from posts that would have otherwise matched a post permalink.)

    My plan going forward is to always keep the version at https://aaronparecki.com/oauth-2-simplified/ up to date, and to keep snapshots of older versions at date-based permalinks at the time when I publish an updated version. I link to the previous versions of the post at the bottom of the primary post. (Manually for now, until I decide this is an important enough feature to automate). 

    I think this strike the right balance between providing visitors with the most current information with the least amount of effort, while still preserving the history of the older versions.

    Oakland, California
    1 mention
    #100daysofindieweb #oauth
  • Portland (PDX) to Oakland (OAK)
    to
    Alaska Flight 2563
    Portland, Oregon
    #oauth #consulting
    permalink
  • @jaredhanson oh funny! I got token_endpoint from OpenID Connect: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata I will take a look at the OAuth 2 link rels tho.
    Portland, Oregon, USA
    #oauth2 #webmention #oauth
  • Support Universal Links (developer.apple.com)
    Cannon Beach, Oregon
    #oauth #apps #ios
  • a little light beach reading: "OAuth 2.0 for Native Apps" #oauth
    Cannon Beach, Oregon, USA
    6 likes 2 replies
    #oauth
  • @glenndayton Thanks! Glad you like it! I just published a more thorough guide on https://oauth.com you might want to look at too!
    Portland, Oregon, USA
    2 replies
    #oauth
  • Las Vegas (LAS) to Portland (PDX)
    to
    Alaska Flight 629
    Portland, Oregon
    #oauth #okta #oktane #oktane16
    permalink
  • Happy to announce https://oauth.com - a guide to building OAuth 2.0 servers! #oktane16
    Las Vegas, Nevada, USA
    33 likes 22 reposts 2 replies 3 mentions
    #oktane16 #oauth #oauth2
  • Oktane 2016
    Aug
    29
    Aug
    30
    Aug
    31
    August 29, 2016 at 5:30pm UTC-8
    Aria Resort
    Las Vegas, NV
    #okta #oktane #oauth #oktane16
    permalink
  • Just launched a big reorganization of https://oauth.net which should make it easier to find things! πŸ”’ #oauth2 #oktane16
    Las Vegas, Nevada, USA
    7 likes 2 reposts
    #oauth2 #oktane16 #oauth