Aaron Parecki

#oauth2

• OAuth

  Sat, Feb 4, 2017 11:35am -08:00

  

  Hi, I'm Aaron Parecki. I write about OAuth here, and provide OAuth 2.0 consulting services. Below you'll find my recent posts about various OAuth-related things. I've also written two community resources about OAuth:

  OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

  In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

  Portland, Oregon

  #oauth #oauth2

  Sat, Feb 4, 2017 11:35am -08:00

• OktaDev http://developer.okta.com

  This post by @aaronpk breaks down the #oauth2 Authorization Code grant type step by step: https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type

  Portland, Oregon • 55°F

  #oauth2

  Tue, Apr 10, 2018 10:40am -07:00 (liked on Tue, Apr 10, 2018 10:41am -07:00)
• I wrote some words about the #oauth2 Authorization Code grant type! https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type

  Portland, Oregon • 55°F

  #oauth2

  Tue, Apr 10, 2018 10:37am -07:00
• Nate Barbettini https://www.recaffeinate.co/

  Solid info from @aaronpk on how the #oauth2 authorization code grant type works https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type

  Portland, Oregon • 55°F

  #oauth2

  Tue, Apr 10, 2018 10:32am -07:00 (liked on Tue, Apr 10, 2018 10:32am -07:00)
• OAuth 2.0 Simplified Subscribers

  OAuth 2.0 Simplified Is Now Available On Kindle!

  Tue, Jan 9, 2018 9:30am -08:00

  

  OAuth 2.0 Simplified is now available on Kindle!

  I know you've been waiting for the Kindle version, and I'm happy to say it's finally available!

  Buy for Kindle

  While the ePub and PDF have been available for a while, it took a bit more work than I initially thought to prepare the Kindle version.

  This version is formatted specifically for Kindle, so that you can browse the table of contents properly, as well as highlight and share sections of the content.

  

  Of course, if the Kindle isn't your thing, you can always get the PDF or ePub versions as well! The print edition is also available on Amazon now!

  Portland, Oregon • 42°F

  8 likes 3 reposts 1 mention

  #oauth2simplified #oauth2 #kindle

  Tue, Jan 9, 2018 9:30am -08:00
• PLUG: OAuth 2.0 Simplified

  Dec

  7

  December 7, 2017 at 7:00pm UTC-8

  PSU

  Portland, Oregon

  Portland Linux/Unix Group

  View Slides

  1 mention

  #oauth #oauth2

  permalink
• I'm giving a short talk tonight about OAuth 2.0 at the @pdxlinux meetup! 7pm at PSU: http://pdxlinux.org

  Portland, Oregon, USA

  1 like

  #oauth #plug #oauth2

  Thu, Dec 7, 2017 5:00pm -08:00

• Announcing the IndieAuth Spec!

  Tue, Dec 5, 2017 12:30pm -08:00

  It's been a long time coming, but I've finally published a proper IndieAuth spec!

  IndieAuth has been around for years, and is even referenced by the Micropub spec. But until now, there wasn't a canonical version of the spec all in one place. Previously it existed as a series of how-to guides on the IndieWeb wiki. Arguably it's actually more useful that way, since the whole point of specs is to communicate a consistent way of implementing something. But it did make it awkward to refer to it formally.

  So I'm happy to say that there is finally a spec for IndieAuth, at https://indieauth.net/spec/

  This document captures the current state of what has been implemented, and incorporates much of the feedback we've gathered over the years. Most of the document is split up into authentication and authorization sections, for when you are trying to just identify users for sign-in in vs when a Micropub client is trying to get an access token to post to the user's site. Formally it's an extension to OAuth 2.0, and makes several decisions that were left un-specified in the OAuth 2.0 core spec.

  If you've implemented any part of this spec, or are thinking about it, I'd appreciate any feedback! Feel free to comment on this post, file an issue on GitHub, or drop a note in the IndieWeb chat!

  Portland, Oregon

  2 likes 1 reply 2 mentions

  #indieweb #indiewebchallenge #indieauth #oauth2 #oauth

  Tue, Dec 5, 2017 12:30pm -08:00
• It's taken longer than I would have liked, but my book "OAuth 2.0 Simplified" is finally available! https://oauth2simplified.com
  
  We did a pre-launch at Okta's conference in Las Vegas in August, and it's taken a bit longer to sort out the details of actually listing it for sale. It's available for purchase right now at the website, and will be visible on Amazon.com in 6-8 weeks.
  
  Next I'm working out the logistics of publishing an ePub/Kindle version, which it turns out is not just pushing the "ebook" button. This has been a fascinating process to learn about!

  Portland, Oregon, USA

  32 likes 6 replies

  #oauth #oauth2

  Tue, Oct 17, 2017 2:22pm -07:00
• Super happy to announce that my book "OAuth 2.0 Simplified" is now available! https://oauth2simplified.com

  Portland, Oregon, USA

  94 likes 35 reposts 6 replies 5 mentions

  #oauth #oauth2

  Tue, Oct 17, 2017 1:51pm -07:00
• OAuth 2.0 Debugger (oauthdebugger.com)

  

  San Francisco, California

  #oauth #oauth2 #resources #okta

  Thu, Oct 12, 2017 9:10pm -07:00
• ✈️ to #oktane17! I'll have some prerelease copies of my book to give away! Or sign up at https://oauth2simplified.com to know when it's released!

  

  Portland, Oregon, USA

  5 likes 1 repost 3 replies

  #oauth2 #oktane17

  Sun, Aug 27, 2017 1:42pm -07:00
• Great example of why the character set for the @OAuth_2 Device Flow should be limited. The spec suggests only consonants #oauth #oauth2 #HBO

  

  Portland, Oregon, USA

  5 likes 3 reposts 1 reply

  #oauth #oauth2 #HBO

  Thu, Aug 24, 2017 10:59am -07:00
• It's real now! Here's a sneak peek of the cover of my new book "OAuth 2.0 Simplified", released at the end of this month! #oauth #oauth2

  

  Portland, Oregon

  62 likes 27 replies

  #oauth #oauth2

  Wed, Aug 16, 2017 6:04pm -07:00
• https://mailarchive.ietf.org/arch/msg/oauth/h0ivzMZBHjXGi6HqcB0LYdR4skw

  OAuth Working Group
  I've seen this done a few ways:
  
  • The Device Flow: https://tools.ietf.org/html/draft-ietf-oauth-device-flow which is what you see on browserless devices like the Apple TV logging in to a cable provider from your phone. A short code is generated and displayed on the screen, you launch a browser on your phone and enter the code. This would work just as well from the command line on the same device.
  • I've also seen apps use the authorization flow, by displaying the authorization URL on the command line prompt and instructing the user to open it in a browser. The redirect URI is a hosted web page that displays the authorization code and instructs the user to paste it back at the terminal.
  • The command line app can launch an HTTP server on localhost and use that as the redirect URL for the authorization code flow. This option ends up being the most seamless since it works like a traditional flow without any special instructions to the user.

  Portland, Oregon, USA

  #oauth #oauth2

  Sun, Jun 11, 2017 8:59pm -07:00
• Patrick Schaller http://F3Development.com   •   May 4

  Sorry, I meant I'm being told the URL can't be visible and they are holding up other mobile apps login as examples that do not show it.
  @rogue__leader Yeah sorry, 140 chars isn't enough 😭
  
  Before SFSafariView, the only way to securely do OAuth was to launch the native Safari browser. This meant you'd get bounced out of the app, which a lot of developers didn't want to do to their users. I don't disagree that this was a bad experience, and plenty of people feel the same.
  
  What ended up happening is people instead started embedding the WebView into their apps, in order to avoid having their users bounce out of the app and come back. The compromise in this case is that people would have to type their password to log in, because the embedded WebView doesn't share cookies with the system browser.
  
  It took Apple a long time to roll out SFSafariView, so there are just a lot of apps out there that still have the embedded WebView.
  
  Advantages of WebView:
  • Does not make the user leave the app to complete the OAuth flow
  
  Problems with WebView:
  • User has no way to verify they are on the real website, so phishing attacks are undetectable
  • Does not share system cookies, so users have to type their password every time
  
  Advantages of SFSafariView:
  • Does not make the user leave the app to complete the OAuth flow
  • The user can see the address bar so can verify they're on the correct website
  • Shares system cookies, so the user won't have to type their password if they've already signed in using the native Safari app
  
  I should probably turn this into a proper blog post.

  Portland, Oregon

  2 replies

  #oauth2

  Thu, May 4, 2017 10:47am -07:00
• Patrick Schaller http://F3Development.com   •   May 4

  @aaronpk I was just reading your article https://goo.gl/IF9r2O which was helpful. Is using SafariViewController the only safe auth on iOS?
  @rogue__leader Thanks! That, or launching Safari or the service's native application. SafariViewController will provide the best UX.

  Portland, Oregon

  4 replies

  #oauth2

  Thu, May 4, 2017 10:13am -07:00
• Bryan Stearns ‽ http://selfamusementpark.com/   •   Apr 6

  Got frustated trying to find OAuth2 docs that made sense to me; found @aaronpk's https://www.oauth.com/ and now it's clear! Thanks, Aaron!
  @bryanstearns Awesome! Glad it's been helpful!

  Portland, Oregon, USA

  #oauth2

  Thu, Apr 6, 2017 5:01pm -07:00

• Day 86: Updating IndieAuth Docs #100DaysOfIndieWeb

  Thu, Mar 16, 2017 5:22pm -07:00

  Beginning a slow project of updating the docs about the IndieAuth spec, today I started by updating a few pages on the wiki. Right now, most of the docs about IndieAuth (the spec), and how to use it, live across a variety of pages on the wiki, grouped together at https://indieweb.org/Category:IndieAuth.

  My goal with the spec IndieAuth is to make it an extension of the OAuth 2.0 spec. It has always been based off of the OAuth 2.0 spec, but I've never written it up properly as an extension. It's always been just a series of how-to guides. Additionally, I had originally started by specifying all of the responses being form-encoded responses, whereas the OAuth 2.0 spec says all responses must be JSON format. I've been slowly converting my various apps that use IndieAuth to support both, based on the HTTP Accept header, although I haven't publicized this much yet.

  Today's project was updating the existing IndieAuth documentation on the wiki to explicitly include the JSON versions as a valid response format.

  

  Eventually I hope to write up IndieAuth as a formal extension to OAuth 2.0, in the same format that something like the Device Flow is an extension.

  Portland, Oregon

  1 like 1 reply 2 mentions

  #100daysofindieweb #micropub #indieauth #oauth2

  Thu, Mar 16, 2017 5:22pm -07:00
• Uber Developers (developer.uber.com)

  "OAuth 2.0 is a specification outlined in RFC 6749 that allows third-party services to make requests on behalf of a user without accessing passwords and other sensitive information. If you are unfamiliar with OAuth 2.0, check out Aaron Parecki's "OAuth 2 Simplified"."

  

  Portland, Oregon

  #inthewild #press #oauth2

  Fri, Nov 11, 2016 9:23pm -08:00
• https://twitter.com/jaredhanson/status/782078137588789248
  @jaredhanson oh funny! I got token_endpoint from OpenID Connect: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata I will take a look at the OAuth 2 link rels tho.

  Portland, Oregon, USA

  #oauth2 #webmention #oauth

  Sat, Oct 1, 2016 7:14am -07:00