Aaron Parecki

#oauth2

• OAuth

  Sat, Feb 4, 2017 11:35am -08:00

  

  Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

  OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

  In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

  Portland, Oregon

  #oauth #oauth2

  Sat, Feb 4, 2017 11:35am -08:00

• Slides and video from my @OAuth_2 talk at #cloudnativepdx last night are posted! https://speakerdeck.com/aaronpk/oauth-all-the-things-an-introduction-to-oauth https://www.youtube.com/watch?v=wA4kqKFua2Q

  Portland, Oregon, USA • 66°F

  14 likes 8 reposts

  #oauth #oauth2 #cloudnativepdx

  Thu, Jun 21, 2018 2:16pm -07:00
• I've been getting a lot of questions about the @OAuth_2 Implicit Grant Type, so I wrote up some details on it here: https://developer.okta.com/blog/2018/05/24/what-is-the-oauth2-implicit-grant-type #oauth

  Portland, Oregon • 63°F

  2 likes 2 reposts

  #oauth #oauth2

  Fri, May 25, 2018 11:35am -07:00
• I'm going to be hosting a workshop on @OAuth_2 this fall in Nürnberg, Germany! 🔐 Only 15 spots available, so sign up now! https://colloq.io/events/tollwerkstatt-workshops/2018/nurnberg/2

  Portland, Oregon • 65°F

  3 likes 4 reposts

  #oauth2

  Fri, Apr 27, 2018 10:26am -07:00
• Adam Lewis https://twitter.com/lewiada   •   Apr 24

  We do implement native apps per RFC8252 including code flow, custom tabs and PKCE, and we use OIDC for authentication to web apps. But doing ua-based-apps / SPAs right is ambiguous at best and I keep hoping for the @oauth_2 WG to begin work on an ua-based client BCP.
  BCP for public UA clients:
  
  • use the authorization code flow
  • omit client secret
  • strict redirect URI validation
  
  Some citations and more info: https://aaronparecki.com/oauth-2-simplified/#single-page-apps

  Portland, Oregon • 71°F

  3 likes 1 repost 6 replies

  #oauth2

  Tue, Apr 24, 2018 10:57am -07:00
• OktaDev http://developer.okta.com

  This post by @aaronpk breaks down the #oauth2 Authorization Code grant type step by step: https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type

  Portland, Oregon • 55°F

  #oauth2

  Tue, Apr 10, 2018 10:40am -07:00 (liked on Tue, Apr 10, 2018 10:41am -07:00)
• I wrote some words about the #oauth2 Authorization Code grant type! https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type

  Portland, Oregon • 55°F

  #oauth2

  Tue, Apr 10, 2018 10:37am -07:00
• Nate Barbettini https://www.recaffeinate.co/

  Solid info from @aaronpk on how the #oauth2 authorization code grant type works https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type

  Portland, Oregon • 55°F

  #oauth2

  Tue, Apr 10, 2018 10:32am -07:00 (liked on Tue, Apr 10, 2018 10:32am -07:00)
• OAuth 2.0 Simplified Subscribers

  OAuth 2.0 Simplified Is Now Available On Kindle!

  Tue, Jan 9, 2018 9:30am -08:00

  

  OAuth 2.0 Simplified is now available on Kindle!

  I know you've been waiting for the Kindle version, and I'm happy to say it's finally available!

  Buy for Kindle

  While the ePub and PDF have been available for a while, it took a bit more work than I initially thought to prepare the Kindle version.

  This version is formatted specifically for Kindle, so that you can browse the table of contents properly, as well as highlight and share sections of the content.

  

  Of course, if the Kindle isn't your thing, you can always get the PDF or ePub versions as well! The print edition is also available on Amazon now!

  Portland, Oregon • 42°F

  8 likes 3 reposts 1 mention

  #oauth2simplified #oauth2 #kindle

  Tue, Jan 9, 2018 9:30am -08:00
• PLUG: OAuth 2.0 Simplified

  Dec

  7

  December 7, 2017 at 7:00pm UTC-8

  PSU

  Portland, Oregon

  Portland Linux/Unix Group

  View Slides

  1 mention

  #oauth #oauth2

  permalink
• I'm giving a short talk tonight about OAuth 2.0 at the @pdxlinux meetup! 7pm at PSU: http://pdxlinux.org

  Portland, Oregon, USA

  1 like

  #oauth #plug #oauth2

  Thu, Dec 7, 2017 5:00pm -08:00

• Announcing the IndieAuth Spec!

  Tue, Dec 5, 2017 12:30pm -08:00

  It's been a long time coming, but I've finally published a proper IndieAuth spec!

  IndieAuth has been around for years, and is even referenced by the Micropub spec. But until now, there wasn't a canonical version of the spec all in one place. Previously it existed as a series of how-to guides on the IndieWeb wiki. Arguably it's actually more useful that way, since the whole point of specs is to communicate a consistent way of implementing something. But it did make it awkward to refer to it formally.

  So I'm happy to say that there is finally a spec for IndieAuth, at https://indieauth.net/spec/

  This document captures the current state of what has been implemented, and incorporates much of the feedback we've gathered over the years. Most of the document is split up into authentication and authorization sections, for when you are trying to just identify users for sign-in in vs when a Micropub client is trying to get an access token to post to the user's site. Formally it's an extension to OAuth 2.0, and makes several decisions that were left un-specified in the OAuth 2.0 core spec.

  If you've implemented any part of this spec, or are thinking about it, I'd appreciate any feedback! Feel free to comment on this post, file an issue on GitHub, or drop a note in the IndieWeb chat!

  Portland, Oregon

  2 likes 1 reply 2 mentions

  #indieweb #indiewebchallenge #indieauth #oauth2 #oauth

  Tue, Dec 5, 2017 12:30pm -08:00
• It's taken longer than I would have liked, but my book "OAuth 2.0 Simplified" is finally available! https://oauth2simplified.com
  
  We did a pre-launch at Okta's conference in Las Vegas in August, and it's taken a bit longer to sort out the details of actually listing it for sale. It's available for purchase right now at the website, and will be visible on Amazon.com in 6-8 weeks.
  
  Next I'm working out the logistics of publishing an ePub/Kindle version, which it turns out is not just pushing the "ebook" button. This has been a fascinating process to learn about!

  Portland, Oregon, USA

  32 likes 6 replies

  #oauth #oauth2

  Tue, Oct 17, 2017 2:22pm -07:00
• Super happy to announce that my book "OAuth 2.0 Simplified" is now available! https://oauth2simplified.com

  Portland, Oregon, USA

  94 likes 35 reposts 6 replies 5 mentions

  #oauth #oauth2

  Tue, Oct 17, 2017 1:51pm -07:00
• OAuth 2.0 Debugger (oauthdebugger.com)

  

  San Francisco, California

  #oauth #oauth2 #resources #okta

  Thu, Oct 12, 2017 9:10pm -07:00
• If you're at #oktane17 grab a free copy of my book at the Okta store! They're already flying off the shelves :-) #oauth2simplified

  

  ARIA Convention Center in Las Vegas, Nevada, USA

  10 likes 2 replies

  #oktane17 #oauth2simplified #oauth #okta #oauth2

  Tue, Aug 29, 2017 11:20am -07:00
• ✈️ to #oktane17! I'll have some prerelease copies of my book to give away! Or sign up at https://oauth2simplified.com to know when it's released!

  

  Portland, Oregon, USA

  5 likes 1 repost 3 replies

  #oauth2 #oktane17

  Sun, Aug 27, 2017 1:42pm -07:00
• Great example of why the character set for the @OAuth_2 Device Flow should be limited. The spec suggests only consonants #oauth #oauth2 #HBO

  

  Portland, Oregon, USA

  5 likes 3 reposts 1 reply

  #oauth #oauth2 #HBO

  Thu, Aug 24, 2017 10:59am -07:00
• It's real now! Here's a sneak peek of the cover of my new book "OAuth 2.0 Simplified", released at the end of this month! #oauth #oauth2

  

  Portland, Oregon

  62 likes 27 replies

  #oauth #oauth2

  Wed, Aug 16, 2017 6:04pm -07:00
• https://mailarchive.ietf.org/arch/msg/oauth/h0ivzMZBHjXGi6HqcB0LYdR4skw

  OAuth Working Group
  I've seen this done a few ways:
  
  • The Device Flow: https://tools.ietf.org/html/draft-ietf-oauth-device-flow which is what you see on browserless devices like the Apple TV logging in to a cable provider from your phone. A short code is generated and displayed on the screen, you launch a browser on your phone and enter the code. This would work just as well from the command line on the same device.
  • I've also seen apps use the authorization flow, by displaying the authorization URL on the command line prompt and instructing the user to open it in a browser. The redirect URI is a hosted web page that displays the authorization code and instructs the user to paste it back at the terminal.
  • The command line app can launch an HTTP server on localhost and use that as the redirect URL for the authorization code flow. This option ends up being the most seamless since it works like a traditional flow without any special instructions to the user.

  Portland, Oregon, USA

  #oauth #oauth2

  Sun, Jun 11, 2017 8:59pm -07:00
• Patrick Schaller http://F3Development.com   •   May 4

  Sorry, I meant I'm being told the URL can't be visible and they are holding up other mobile apps login as examples that do not show it.
  @rogue__leader Yeah sorry, 140 chars isn't enough 😭
  
  Before SFSafariView, the only way to securely do OAuth was to launch the native Safari browser. This meant you'd get bounced out of the app, which a lot of developers didn't want to do to their users. I don't disagree that this was a bad experience, and plenty of people feel the same.
  
  What ended up happening is people instead started embedding the WebView into their apps, in order to avoid having their users bounce out of the app and come back. The compromise in this case is that people would have to type their password to log in, because the embedded WebView doesn't share cookies with the system browser.
  
  It took Apple a long time to roll out SFSafariView, so there are just a lot of apps out there that still have the embedded WebView.
  
  Advantages of WebView:
  • Does not make the user leave the app to complete the OAuth flow
  
  Problems with WebView:
  • User has no way to verify they are on the real website, so phishing attacks are undetectable
  • Does not share system cookies, so users have to type their password every time
  
  Advantages of SFSafariView:
  • Does not make the user leave the app to complete the OAuth flow
  • The user can see the address bar so can verify they're on the correct website
  • Shares system cookies, so the user won't have to type their password if they've already signed in using the native Safari app
  
  I should probably turn this into a proper blog post.

  Portland, Oregon

  2 replies

  #oauth2

  Thu, May 4, 2017 10:47am -07:00