Aaron Parecki

#oauth

• OAuth

  Aaron Parecki

  Sat, Feb 4, 2017 11:35am -08:00

  Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

  OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

  In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

  Portland, Oregon

  #oauth #oauth2

  Sat, Feb 4, 2017 11:35am -08:00

• IETF 109 Bangkok

  Nov

  14

  Nov

  …

  Nov

  20

  November 14-20, 2020
  7 days

  Bangkok Marriott Marquis Queen's Park

  แขวงคลองเตย, จังหวัดกรุงเทพมหานคร, THA

  #ietf #oauth #okta

  permalink
• IETF 108 Madrid

  Jul

  25

  Jul

  …

  Jul

  31

  July 25-31, 2020
  7 days

  Meliá Castilla

  Madrid, Comunidad de Madrid, ES

  #ietf #oauth #okta

  permalink
• OAuth Security Workshop

  Jul

  22

  Jul

  23

  Jul

  24

  July 22-24, 2020
  3 days

  Scandic Nidelven

  Trondheim, Trøndelag, NOR

  #oauth #okta

  permalink
• IIW XXX

  Apr

  28

  Apr

  29

  Apr

  30

  April 28-30, 2020
  3 days

  Computer History Museum

  Mountain View, California, US

  #oauth #okta #iiw #identity

  permalink
• Okta Developer Workshop Boston

  Apr

  23

  April 23, 2020 1:00pm - 3:30pm (-0400)

  #okta #oauth

  permalink
• Hands-on Introduction to OAuth 2.0

  Apr

  6

  April 6, 2020 11:00am - 2:00pm (-0700)

  Portland, Oregon

  #oauth #oreilly #webinar

  permalink
• Randall Degges https://twitter.com/rdegges

  Currently watching @aaronpk's talk on all the new stuff in #oauth and #openidconnect at #Oktane20Live <3333

  Portland, Oregon • 48°F

  #oauth #openidconnect #Oktane20Live

  Wed, Apr 1, 2020 7:00pm +00:00 (liked on Wed, Apr 1, 2020 2:45pm -07:00)
• What's New with OAuth and OpenID Connect?

  Apr

  1

  April 1, 2020 12:00pm - 1:00pm (-0700)

  Online

  Oktane20 Live

  View Slides

  #oauth #oidc #oktane #oktane20

  permalink
• Oktane20

  Apr

  1

  Apr

  2

  April 1-2, 2020
  

  Online

  

  #okta #oktane #oktane20 #oauth

  permalink
• 

  Just published a talk I gave at a virtual conference: How to Hack OAuth
  
  It's been fun to be able to "speak" at conferences in a highly edited format instead of winging it on stage! I hope it's more fun to watch as a viewer too!
  
  https://www.youtube.com/watch?v=aU9RsE4fcRM

  Portland, Oregon • 42°F

  21 likes 4 reposts 1 mention

  #oktadev #oauth

  Tue, Mar 31, 2020 11:16am -07:00
• How to Hack OAuth

  Mar

  20

  March 20, 2020 6:35am - 7:05am (-0700)

  Online

  Spring Live

  View Slides

  Watch Video

  #oauth

  permalink
• 

  Going live in about an hour at Spring Live, doing a talk on how to hack OAuth!
  
  Join here ➡️ https://connect.tanzu.vmware.com/Spring_Live.html
  
  Welcome to the new world of virtual conferences!

  

  Portland, Oregon • 53°F

  7 likes 3 reposts 2 replies 1 mention

  #oauth

  Fri, Mar 20, 2020 5:54am -07:00
• Spring Live Conference

  Mar

  19

  Mar

  20

  March 19-20, 2020
  

  Online

  #oauth

  permalink
• 

  The first draft of OAuth 2.1 is out! Thanks so much to @tlodderstedt and @DickHardt for their work on this!
  
  https://aaronparecki.com/2020/03/11/14/oauth-2-1

  Portland, Oregon • 54°F

  61 likes 27 reposts 2 replies 1 mention

  #oauth

  Wed, Mar 11, 2020 5:32pm -07:00
• OAuth WG

  First Draft of OAuth 2.1

  Aaron Parecki

  Wed, Mar 11, 2020 5:22pm -07:00

  I'm happy to share that Dick and Torsten and I have published a first draft of OAuth 2.1. We've taken the feedback from the discussions on the list and incorporated that into the draft.

  tools.ietf.org/html/draft-parecki-oauth-v2-1-01

  A summary of the differences between this draft and OAuth 2.0 can be found in section 12, and I've copied them here below.

  This draft consolidates the functionality in OAuth 2.0 (RFC6749), OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange (RFC7636), OAuth 2.0 for Browser-Based Apps (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage (RFC6750).

  Where a later draft updates or obsoletes functionality found in the original [RFC6749], that functionality in this draft is updated with the normative changes described in a later draft, or removed entirely.

  A non-normative list of changes from OAuth 2.0 is listed below:

  • The authorization code grant is extended with the functionality from PKCE ([RFC7636]) such that the only method of using the authorization code grant according to this specification requires the addition of the PKCE mechanism
  • Redirect URIs must be compared using exact string matching as per Section 4.1.3 of [I-D.ietf-oauth-security-topics]
  • The Implicit grant ("response_type=token") is omitted from this specification as per Section 2.1.2 of [I-D.ietf-oauth-security-topics]
  • The Resource Owner Password Credentials grant is omitted from this specification as per Section 2.4 of [I-D.ietf-oauth-security-topics]
  • Bearer token usage omits the use of bearer tokens in the query string of URIs as per Section 4.3.2 of [I-D.ietf-oauth-security-topics] * Refresh tokens must either be sender-constrained or one-time use as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]

  tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12

  I'm excited for the direction this is taking, and it has been a pleasure working with Dick and Torsten on this so far. My hope is that this first draft can serve as a good starting point for our future discussions!

  61 likes 27 reposts 2 replies 4 mentions

  #oauth #oauth2 #ietf #oauth21

  Wed, Mar 11, 2020 5:22pm -07:00
• Apple Relaxes Sign in with Apple Guidelines - Dick Hardt - Medium (medium.com)

  Portland, Oregon • 40°F

  #apple #oauth

  Sun, Mar 8, 2020 9:23am -07:00
• Alexander Clouter / oauth2-worker · GitLab (gitlab.com)

  Houston, Texas • 72°F

  #oauth #javascript #spa

  Thu, Mar 5, 2020 6:37pm -06:00
• 

  The second video in my "OAuth in Five Minutes" series is up!
  
  🎥 "What's the difference between confidential and public clients?"
  
  https://www.youtube.com/watch?v=5cQNwifDq1U

  Portland, Oregon • 54°F

  20 likes 6 reposts 2 replies

  #oauth #video #okta #oktadev

  Thu, Feb 27, 2020 12:47pm -08:00
• OAuth WG

  Implicit flow in the Security BCP draft -14

  Aaron Parecki

  Wed, Feb 12, 2020 3:43pm -08:00

  Hi all, I'm reading through the latest draft of the Security BCP, and noticed something I was hoping to get some clarification on. From the latest draft -14 section 2.1.2:

  In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.

  My understanding is that there is no way to prevent access token injection in the authorization response with just OAuth. It's only once you introduce OpenID Connect that it becomes possible to prevent ID token injection. If my understanding is correct, then it seems like it would be more appropriate for the security BCP to say something like "access tokens MUST NOT be issued via the implicit grant." That would technically still leave open the possibility of using the hybrid response types in OIDC as long as the access token is delivered via the authorization code exchange, but clarifies that there is no way to protect the delivering access tokens via the implicit grant.

  So my question for the list is am I forgetting about some way to prevent this attack in OAuth? If not, can we rephrase this section of the Security BCP to better clarify the intent here?

  Portland, Oregon • 47°F

  #oauth #ietf #implicit

  Wed, Feb 12, 2020 3:43pm -08:00
• Dr. Fett https://twitter.com/dfett42

  Version -14 of the #OAuth 2.0 #Security Best Current Practices Draft is out! https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14

  Alaska Flight 386 PDX to SFO in Albany, Oregon • 43°F

  #OAuth #Security

  Mon, Feb 10, 2020 6:44pm +00:00 (liked on Mon, Feb 10, 2020 5:49pm -08:00)