Aaron Parecki

#oauth

• OAuth

  Sat, Feb 4, 2017 11:35am -08:00

  

  Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

  OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

  In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

  Portland, Oregon

  #oauth #oauth2

  Sat, Feb 4, 2017 11:35am -08:00

• Newark (EWR) to Seattle (SEA)

  February 8, 2019 from 5:05pm (-0500) to 8:30pm (-0800)

  Alaska Flight 11

  Seattle (SEA) to Portland (PDX)

  February 8, 2019 from 9:45pm to 10:35pm (-0800)

  Alaska Flight 976

  

  Portland Intl in Portland

  #okta #oauth

  permalink
• OAuth: When things go wrong

  Feb

  5

  February 5, 2019 at 3:50pm UTC-5

  New York Hilton Midtown, 6th Avenue, New York, NY, USA

  #oauth #okta

  permalink
• O'Reilly Software Architecture Conference

  Feb

  5

  Feb

  6

  February 5, 2019 at 8:15am UTC-5

  New York Hilton Midtown

  New York, New York, US

  #okta #oauth

  permalink
• Portland (PDX) to Newark (EWR)

  February 4, 2019 from 7:45am (-0800) to 4:00pm (-0500)

  Alaska Flight 54

  

  Newark Liberty Intl in Newark

  #okta #oauth

  permalink
• The State of the Implicit Flow in OAuth2 | brockallen (brockallen.com)

  Portland, Oregon • 53°F

  #oauth #oauth2

  Thu, Jan 3, 2019 2:27pm -08:00
• A pretty good step-by-step walkthrough of the @oauth2 PKCE flow by @afitnerd https://developer.okta.com/blog/2018/12/13/oauth-2-for-native-and-mobile-apps
  
  and yes it's pronounced "pixie"

  Springfield Gardens, New York • 50°F

  2 likes 3 reposts 1 reply 1 mention

  #oauth #pkce

  Fri, Dec 14, 2018 12:19pm -05:00
• New York (JFK) to Los Angeles (LAX)

  December 14, 2018 from 7:10am (-0500) to 10:36am (-0800)

  Alaska Flight 420

  Los Angeles (LAX) to Portland (PDX)

  December 14, 2018 from 11:00am to 1:35pm (-0800)

  Alaska Flight 1795

  

  Portland Intl in Portland

  #oauth #okta

  permalink
• Take 3 minutes to learn how OAuth access tokens are like a hotel keycard! 🔐💳
  https://www.youtube.com/watch?v=BNEoKexlmA4 (Filmed last week at my hotel!)

  9 likes 7 reposts 1 reply

  #oauth

  Thu, Dec 13, 2018 2:54pm -05:00
• What is going on with OAuth 2.0? And why you should not use it for authentication. (medium.com)

  New York, New York • 35°F

  #oauth

  Thu, Dec 13, 2018 1:16pm -05:00
• Seattle (SEA) to Portland (PDX)

  December 11, 2018 from 6:55pm to 7:46pm (-0800)

  Alaska Flight 2627

  Portland (PDX) to New York (JFK)

  December 11, 2018 at 9:22pm (-0800) until Dec 12 at 5:27am (-0500)

  Alaska Flight 450

  

  John F Kennedy Intl in New York

  #okta #w3c #oauth

  permalink
• W3C Workshop on Strong Authentication & Identity

  Dec

  10

  Dec

  11

  December 10, 2018 at 8:30am UTC-8

  Microsoft Building 27

  Redmond, Washington, US

  #oauth #openid

  permalink
• Portland (PDX) to Seattle (SEA)

  December 9, 2018 from 9:20pm to 10:19pm (-0800)

  Alaska Flight 2268

  

  Seattle Tacoma Intl in Seattle

  #okta #w3c #oauth

  permalink
• Tom Scavo https://twitter.com/trscavo

  The #OAuth implicit flow is taking a beating right now. See: OAuth 2.0 Security Best Current Practice https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10 and OAuth 2.0 for Browser-Based Apps https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-01

  Los Angeles, California • 52°F

  #OAuth

  Thu, Dec 6, 2018 11:49pm +00:00 (liked on Thu, Dec 6, 2018 5:03pm -08:00)
• NFC Card Emulation with ACR122u(PN532) (salmg.net)

  Los Angeles, California • 62°F

  #nfc #security #oauth

  Sun, Dec 2, 2018 3:04pm -08:00
• https://www.ietf.org/mail-archive/web/oauth/current/msg18477.html

  OAUTH-WG
  On Wed, Nov 7, 2018 at 7:20 AM Joseph Heenan <joseph at authlete.com> wrote:
  
  > It may be worth slightly rewording 7.2 as it may encourage a growing misconception that all native apps must be public clients. With many devices now having embedded HSMs, we’ve seen increasing interest in mobile apps being dynamically (per-install) registered oauth2 private clients, and that model has a lot of advantages. (I’m not sure if we might see a similar model evolving for web apps.)
  
  That's a great point, thanks. I've removed the reference to native apps being public clients since it doesn't really add anything to this spec if I have to caveat the description.
  
  On Thu, Nov 15, 2018 at 12:58 PM Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
  
  > > > First of all the AS decides whether it issues refresh tokens or not. Having the ability does not mean the AS must do it. If you feel it’s safer to not do it. Fine.
  > > Sure, and this should be mentioned then somewhere (either in the threats doc or in this proposed best practice doc). Not all end developers using these protocols fully understand the ramifications.
  > @Aaron: I suggest this goes to the SPA BCP since this is client specific.
  
  Thanks, I agree that this document should include some recommendations around refresh token handling. Looking at the discussion in this thread, it seems there are a few different strategies folks are taking. Since it seems like there isn't a strong consensus, it sounds like this would be better suited for the "Security Considerations" section, and to not make MUST/SHOULD recommendations, but rather just point out the issues. Any thoughts on that before I take a stab at writing something?
  
  I've incorporated some of the other feedback here and published an updated version:
  
  https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-01
  
  Thanks for the feedback so far.

  Portland, Oregon

  #oauth

  Mon, Nov 19, 2018 6:09pm -08:00
• (datatracker.ietf.org)

  Portland, Oregon • 52°F

  #ietf #oauth #ietf103

  Mon, Nov 19, 2018 3:49pm -08:00
• Alright, I think we can call it. Between @tlodderstedt's OAuth Security Best Practices and OAuth 2.0 for Browser Apps, the Implicit Flow is dead.
  
  https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09
  
  https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-00
  
  https://medium.com/@torsten_lodderstedt/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926

  Portland, Oregon, USA • 36°F

  4 likes 5 reposts

  #oauth #oauth2

  Fri, Nov 9, 2018 8:57am -08:00
• https://www.ietf.org/mail-archive/web/oauth/current/msg18468.html

  OAUTH-WG
  Thanks Hannes,
  
  Since I wasn't able to give an intro during the meeting today, I'd like to share a little more context about this here as well.
  
  At the Internet Identity Workshop in Mountain View last week, I led a session to collect feedback on recommendations for OAuth for browser based apps. During the session, we came up with a list of several points based on the collective experience of the attendees. I then tried to address all those points in this draft.
  
  The goal of this is not to specify any new behavior, but rather to limit the possibilities that the existing OAuth specs provide, to ensure a secure implementation in browser based apps.
  
  Thanks in advance for your review and feedback!

  Portland, Oregon • 47°F

  #oauth

  Tue, Nov 6, 2018 11:13am +01:00
• IETF 103 OAuth Meeting

  Nov

  6

  November 6, 2018 at 11:20am UTC+7

  #oauth

  permalink
• IETF 103 OAuth Meeting

  Nov

  5

  November 5, 2018 at 9:00am UTC+7

  #oauth

  permalink