Aaron Parecki

#oauth

• OAuth

  Sat, Feb 4, 2017 11:35am -08:00

  

  Hi, I'm Aaron Parecki. I write about OAuth here, and provide OAuth 2.0 consulting services. Below you'll find my recent posts about various OAuth-related things. I've also written two community resources about OAuth:

  OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

  In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

  Portland, Oregon

  #oauth #oauth2

  Sat, Feb 4, 2017 11:35am -08:00

• It's taken longer than I would have liked, but my book "OAuth 2.0 Simplified" is finally available! https://oauth2simplified.com We did a pre-launch at Okta's conference in Las Vegas in August, and it's taken a bit longer to sort out the details of actually listing it for sale. It's available for purchase right now at the website, and will be visible on Amazon.com in 6-8 weeks. Next I'm working out the logistics of publishing an ePub/Kindle version, which it turns out is not just pushing the "ebook" button. This has been a fascinating process to learn about!

  Portland, Oregon, USA

  32 likes 6 replies

  #oauth #oauth2

  Tue, Oct 17, 2017 2:22pm -07:00
• Super happy to announce that my book "OAuth 2.0 Simplified" is now available! https://oauth2simplified.com

  Portland, Oregon, USA

  87 likes 32 reposts 6 replies 5 mentions

  #oauth #oauth2

  Tue, Oct 17, 2017 1:51pm -07:00
• San Francisco (SFO) to Portland (PDX)

  October 13, 2017 from 6:55pm to 8:33pm (-0700)

  Alaska Flight 223

  

  Portland, Oregon

  #okta #oauth

  permalink
• OAuth 2.0 Debugger (oauthdebugger.com)

  

  San Francisco, California

  #oauth #oauth2 #resources #okta

  Thu, Oct 12, 2017 9:10pm -07:00
• Portland (PDX) to San Francisco (SFO)

  October 12, 2017 from 6:40am to 8:22am (-0700)

  Virgin America Flight 1022

  

  Portland, Oregon

  #okta #oauth

  permalink
• pdxdevops https://twitter.com/pdxdevops   •   Sep 27

  We're seeking speakers for Oct 25th! Can be a talk you've done elsewhere. Don't be shy!
  @pdxdevops I'd be happy to give a talk on OAuth 2! Based on my book and blog post https://aaronparecki.com/oauth-2-simplified/ https://oauth2simplified.com

  Portland, Oregon, USA

  1 reply

  #oauth

  Wed, Oct 4, 2017 1:42pm -07:00
• Las Vegas (LAS) to Portland (PDX)

  August 31, 2017 from 10:30am to 12:39pm (-0700)

  Alaska Flight 627

  

  Portland, Oregon

  #oktane #oauth

  permalink
• Oktane 2017

  Aug

  28

  Aug

  29

  Aug

  30

  August 28, 2017 at 5:30pm UTC-7

  Aria Resort

  Las Vegas, NV

  #okta #oktane #oauth #oktane17

  permalink
• They're here! You can pick up my book at the developer lounge or in the expo hall at #oktane17 https://oauth2simplified.com

  

  Las Vegas, Nevada, USA

  27 likes 8 reposts 2 replies

  #oauth #oktane17

  Mon, Aug 28, 2017 5:08pm -07:00
• Portland (PDX) to Seattle (SEA)

  August 27, 2017 from 2:15pm to 3:14pm (-0700)

  Alaska Flight 3473

  Seattle (SEA) to Las Vegas (LAS)

  August 27, 2017 from 4:00pm to 6:21pm (-0700)

  Alaska Flight 684

  

  Portland, Oregon

  #oktane #oauth

  permalink
• Matthew Turland http://matthewturland.com   •   Aug 25

  I really wish banks had an equivalent of OAuth. I now have to wait 7-14 business days (excluding holidays) for a replacement debit card.
  @elazar for real. I still can't believe I'm expected to enter my bank credentials and security questions in third party apps too #oauth

  Portland, Oregon, USA

  1 reply

  #oauth

  Fri, Aug 25, 2017 10:06am -07:00
• Ever find yourself confused about #OAuth? My new book "OAuth 2.0 Simplified" will be released next month! https://oauth2simplified.com

  

  Portland, Oregon, USA

  20 likes 8 reposts

  #oauth #oktane #oktane17

  Fri, Aug 25, 2017 9:55am -07:00
• Ever find yourself confused about #OAuth? My new book "OAuth 2.0 Simplified" will be released next month! https://oauth2simplified.com

  Portland, Oregon, USA

  #oauth #oktane #oktane17 #OAuth

  Fri, Aug 25, 2017 9:52am -07:00
• Great example of why the character set for the @OAuth_2 Device Flow should be limited. The spec suggests only consonants #oauth #oauth2 #HBO

  

  Portland, Oregon, USA

  5 likes 3 reposts 1 reply

  #oauth #oauth2 #HBO

  Thu, Aug 24, 2017 10:59am -07:00
• It's real now! Here's a sneak peek of the cover of my new book "OAuth 2.0 Simplified", released at the end of this month! #oauth #oauth2

  

  Portland, Oregon

  62 likes 27 replies

  #oauth #oauth2

  Wed, Aug 16, 2017 6:04pm -07:00
• Impact of iOS 11 no longer providing shared cookies between Safari, Safari View Controller instances · Issue #120 · openid/AppAuth-iOS (github.com)

  

  Portland, Oregon

  #ios #ios11 #oauth

  Fri, Jul 28, 2017 12:46pm -07:00
• https://mailarchive.ietf.org/arch/msg/oauth/h0ivzMZBHjXGi6HqcB0LYdR4skw

  OAuth Working Group
  I've seen this done a few ways: • The Device Flow: https://tools.ietf.org/html/draft-ietf-oauth-device-flow which is what you see on browserless devices like the Apple TV logging in to a cable provider from your phone. A short code is generated and displayed on the screen, you launch a browser on your phone and enter the code. This would work just as well from the command line on the same device. • I've also seen apps use the authorization flow, by displaying the authorization URL on the command line prompt and instructing the user to open it in a browser. The redirect URI is a hosted web page that displays the authorization code and instructs the user to paste it back at the terminal. • The command line app can launch an HTTP server on localhost and use that as the redirect URL for the authorization code flow. This option ends up being the most seamless since it works like a traditional flow without any special instructions to the user.

  Portland, Oregon, USA

  #oauth #oauth2

  Sun, Jun 11, 2017 8:59pm -07:00
• Google Docs phishing attack underscores OAuth security risks | ITworld (www.itworld.com)

  

  Portland, Oregon

  #oauth #press #inthewild

  Fri, May 5, 2017 12:04pm -07:00

• Day 59: Updated the Logo on IndieAuth.com's GitHub Login #100DaysOfIndieWeb

  Fri, Feb 17, 2017 8:56pm -08:00

  This evening, Tantek pointed out to me that while he was logging in to the wiki via IndieAuth.com for the first time on a new computer, there was something a little strange about the IndieAuth.com flow...

  

  Here's the screenshot of what he saw:

  

  I definitely agree this is somewhat disconcerting. So here's what I did to fix it.

  I first didn't realize that if you don't upload an application icon to GitHub when you create an application, it will use the profile photo of the user who created the application for the OAuth screen. I guess I should have remembered this, since I included a screenshot of GitHub's OAuth screen in the User Interface chapter of my OAuth book.

  I first assumed that I would have to transfer the ownership the application to an organization that has the logo I wanted to appear. I did that, and encountered a strange message on GitHub when I moved the application from my aaronpk account to the new IndieAuth organization.

  

  I have absolutely no idea what this message is trying to tell me. I reported my confusion to a friend who works at GitHub, so we'll see if they fix that soon.

  Afterwards, I then realized I didn't in fact need to transfer the ownership of the application, and could just upload an application icon instead. Much easier!

  So I uploaded a logo to GitHub, and also changed the name of the application from "IndieAuth" to "IndieAuth.com". This is part of my long-standing regret of naming this service IndieAuth, since it's also now a protocol that anyone can implement and is not actually tied to me running this service. I wish I could change the name of this service, but too many people are referencing indieauth.com in their code now, especially since it's one of the few remaining OpenID providers left.

  

  I tried adding a description of the application, hoping that it would appear on the GitHub OAuth screen, but sadly it did not! (I also reported that to GitHub, so I'll find out soon if it's a bug or if I'm misunderstanding their help text.)

  After all that, the end result is that now when you sign in to something using IndieAuth.com with your GitHub account for the first time, you no longer see my face!

  

  Hopefully this is much less shocking for people who are using this! I'm not a huge fan of the logo, although I do like the "clever" shape of the "A" with the negative space forming the "i". Maybe I just need to drop the outline. Perhaps that will be a future #100days project!

  Portland, Oregon

  1 like 1 mention

  #100daysofindieweb #indieauth.com #oauth

  Fri, Feb 17, 2017 8:56pm -08:00
• When I see an access token that begins with "eyJ", I base64-decode the middle part to see what data they store in it. #oauth #jwt #security

  

  Portland, Oregon, USA

  14 likes 3 reposts 1 reply

  #oauth #jwt #security

  Tue, Jan 31, 2017 8:09am -08:00