Aaron Parecki

#oauth2

  • Aaron Parecki

    Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

    OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

    In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

    Portland, Oregon
    Sat, Feb 4, 2017 11:35am -08:00 #oauth #oauth2
  • Aaron Parecki
    Just launched a big reorganization of https://oauth.net which should make it easier to find things! 🔒 #oauth2 #oktane16
    Las Vegas, Nevada, USA
    7 likes 2 reposts
    Mon, Aug 29, 2016 11:44am -07:00 #oauth2 #oktane16 #oauth
  • beau https://twitter.com/beaugunderson   •   Jun 21
    iOS developer friends: what is a good resource that explains the requirements for doing secure OAuth2 in an iOS app?
    Aaron Parecki
    @beaugunderson Your best bet is to not use the client secret, and redirect to the app's registered protocol handler. Or dynamically generate a client secret when the app first launches (unique to each app). Sounds like this would be a good blog post.
    Portland, Oregon, USA
    1 like
    Tue, Jun 21, 2016 12:09pm -07:00 #oauth2
  • Implementing OAuth 2.0 access tokens | NimbusDS Blog (nimbusds.com)
    Sat, Jul 4, 2015 12:18pm -07:00 #oauth2 #oauth
  • Aaron Parecki
    Well this is progress... an in-app browser that shows the address bar and shares system cookies
    Portland, Oregon, USA
    3 likes 1 repost
    Tue, Jun 9, 2015 12:10pm -07:00 #ios9 #oauth #oauth2 #ios
  • Changes in iOS 9.0 (developer.apple.com)
    SFSafariViewController can be used to display web content within your app. It shares cookies and other website data with Safari, and has many of Safari's great features, such as Safari AutoFill and Safari Reader. Unlike Safari itself, the SFSafariViewController UI is tailored for displaying a single page, featuring a Done button that takes users back to where they were in your app.
    Mon, Jun 8, 2015 3:00pm -07:00 #oauth #oauth2 #ios #ios9
  • Into the symmetry: Open redirect in rfc6749 aka 'The OAuth 2.0 Authorization Framework' (intothesymmetry.blogspot.ch)
    Sat, Apr 18, 2015 10:44am -07:00 #oauth2 #security
  • Janrain: User management platform for the social web (rpxnow.com)

    OAuth provider guide

    Wed, Feb 11, 2015 12:13pm -08:00 #oauth #oauth2
  • So you implemented an OAuth 2.0 API...

    While OAuth 2.0 is a good framework for building an API, the spec itself leaves many things un-specified, and it's up to the implementer to make a decision based on their own security requirements. As such, most OAuth 2.0 implementations are not interoperable, which is often cited as a failure of OAuth 2.0. On the other hand, the current state of OAuth 2.0 implementations is that they are often similar enough that developers don't need to learn too many new concepts when dealing with them.
    continue reading...
    19 likes 6 reposts 3 replies 5 mentions
    Thu, Jan 15, 2015 12:15pm -08:00 #oauth #oauth2 #standards #web #authentication #checklist
  • [OAUTH-WG] OAuth Status (www.ietf.org)
    Mon, Jan 12, 2015 1:24pm -08:00 #oauth #oauth2
  • Top 5 OAuth 2 Implementation Vulnerabilities (intothesymmetry.blogspot.ch)
    Tue, Jan 6, 2015 1:49pm -08:00 #oauth2 #security
  • Into the symmetry: Beware what you click (intothesymmetry.blogspot.ch)
    Tue, Jan 6, 2015 1:49pm -08:00 #oauth2 #security #github
  • OAuth 2.0 and Sign-In (www.cloudidentity.com)
    OAuth 2.0 is not a sign-in protocol. Sign-in can be implemented by augmenting OAuth, and people routinely do so...
    Sat, Jan 3, 2015 7:49pm -08:00 #oauth #oauth2 #authentication #internet
  • SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers (securityintelligence.com)
    Sun, Dec 7, 2014 9:36am -08:00 #oauth #security #oauth2
  • Aaron Parecki
    Continuing last weekend's documentation of all the un-specified parts of OAuth 2.0, things were going pretty well until I hit the "Security Considerations" section, which basically recommends but doesn't require a whole bunch of things. Basically this means an API can be fully OAuth 2.0 compliant and also completely insecure.

    If you want to know more, keep an eye out for this blog post. Or hire me as an independent OAuth consultant and I'd gladly spend a day with you.
    Portland, Oregon, USA
    14 likes 6 replies
    Sat, Nov 22, 2014 7:23pm -08:00 #oauth2 #oauth
  • Aaron Parecki
    Currently documenting all the ways the OAuth 2.0 framework leaves choices up to the implementor. The list is long. #oauth2
    Portland, Oregon, USA
    3 likes 1 repost 2 replies
    Fri, Nov 14, 2014 8:27pm -08:00 #oauth2
  • Justin Richer http://bspk.io/
    The article on OAuth and Authentication that I helped write/edit is online now: http://oauth.net/articles/authentication/ (thanks to @aaronpk for publishing!)
    2 mentions
    Sun, Nov 2, 2014 11:22pm -05:00 (reposted on Sun, Nov 2, 2014 8:25pm -08:00) #oauth #oauth2
  • channa ly https://twitter.com/channaly   •   Sep 3
    Really love http://www.slideshare.net/aaronpk/an-introduction-to-oauth-2 … from @aaronpk seems it is one of the best summaries of #oauth2.
    Aaron Parecki
    @channaly Thanks! You might also like my written version of the talk: http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified #oauth2
    Portland, Oregon, USA
    Wed, Sep 3, 2014 9:31am -07:00 #oauth2
  • OAuth meeting minutes (www.ietf.org)
    Wed, Mar 5, 2014 8:29am -08:00 #ietf #oauth #oauth2
  • Using ArcGIS with OAuth 2.0
    November 20, 2013 2:30pm (+0400)
    Port Saeed, Dubai, ARE
    Esri Dev Summit
    #esri #devsummit #oauth2
  • Esri Dev Summit Middle East and Africa
    November 19-21, 2013
    3 days
    Park Hyatt
    Dubai
    #esri #devsummit #geotrigger #oauth2 #terraformer #leaflet

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming.

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.