
Aaron Parecki


#oauth2

  • Aaron Parecki

    Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

    OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

    In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

    Portland, Oregon
    Sat, Feb 4, 2017 11:35am -08:00 #oauth #oauth2
  • Nate Barbettini https://www.recaffeinate.co/
    Solid info from @aaronpk on how the #oauth2 authorization code grant type works https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type
    Portland, Oregon
    Tue, Apr 10, 2018 10:32am -07:00 (liked on Tue, Apr 10, 2018 10:32am -07:00) #oauth2
  • OAuth 2.0 Simplified Subscribers

    OAuth 2.0 Simplified Is Now Available On Kindle!

    OAuth 2.0 Simplified is now available on Kindle!
    continue reading...
    8 likes 3 reposts 1 mention
    Tue, Jan 9, 2018 9:30am -08:00 #oauth2simplified #oauth2 #kindle #oauth
  • PLUG: OAuth 2.0 Simplified
    December 7, 2017 7:00pm (-0800)
    PSU
    Portland, Oregon
    Portland Linux/Unix Group
    View Slides
    1 mention
    permalink #oauth #oauth2
  • Aaron Parecki
    I'm giving a short talk tonight about OAuth 2.0 at the @pdxlinux meetup! 7pm at PSU: http://pdxlinux.org
    Portland, Oregon, USA
    1 like
    Thu, Dec 7, 2017 5:00pm -08:00 #oauth #plug #oauth2
  • Announcing the IndieAuth Spec!

    It's been a long time coming, but I've finally published a proper IndieAuth spec!
    continue reading...
    2 likes 1 reply 3 mentions
    Tue, Dec 5, 2017 12:30pm -08:00 #indieweb #indiewebchallenge #indieauth #oauth2 #oauth
  • Aaron Parecki
    It's taken longer than I would have liked, but my book "OAuth 2.0 Simplified" is finally available! https://oauth2simplified.com

    We did a pre-launch at Okta's conference in Las Vegas in August, and it's taken a bit longer to sort out the details of actually listing it for sale. It's available for purchase right now at the website, and will be visible on Amazon.com in 6-8 weeks.

    Next I'm working out the logistics of publishing an ePub/Kindle version, which it turns out is not just pushing the "ebook" button. This has been a fascinating process to learn about!
    Portland, Oregon, USA
    32 likes 6 replies
    Tue, Oct 17, 2017 2:22pm -07:00 #oauth #oauth2
  • Aaron Parecki
    Super happy to announce that my book "OAuth 2.0 Simplified" is now available! https://oauth2simplified.com
    Portland, Oregon, USA
    94 likes 35 reposts 6 replies 5 mentions
    Tue, Oct 17, 2017 1:51pm -07:00 #oauth #oauth2
  • OAuth 2.0 Debugger (oauthdebugger.com)
    Thu, Oct 12, 2017 9:10pm -07:00 #oauth #oauth2 #resources #okta
  • Aaron Parecki
    If you're at #oktane17 grab a free copy of my book at the Okta store! They're already flying off the shelves :-) #oauth2simplified
    ARIA Convention Center in Las Vegas, Nevada, USA
    10 likes 2 replies
    Tue, Aug 29, 2017 11:20am -07:00 #oktane17 #oauth2simplified #oauth #okta #oauth2
  • Aaron Parecki
    ✈️ to #oktane17! I'll have some prerelease copies of my book to give away! Or sign up at https://oauth2simplified.com to know when it's released!
    Portland, Oregon, USA
    5 likes 1 repost 3 replies
    Sun, Aug 27, 2017 1:42pm -07:00 #oauth2 #oktane17
  • Aaron Parecki
    Great example of why the character set for the @OAuth_2 Device Flow should be limited. The spec suggests only consonants #oauth #oauth2 #HBO
    Portland, Oregon, USA
    5 likes 3 reposts 1 reply
    Thu, Aug 24, 2017 10:59am -07:00 #oauth #oauth2 #HBO
  • Aaron Parecki
    It's real now! Here's a sneak peek of the cover of my new book "OAuth 2.0 Simplified", released at the end of this month! #oauth #oauth2
    Portland, Oregon
    62 likes 27 replies
    Wed, Aug 16, 2017 6:04pm -07:00 #oauth #oauth2
  • https://mailarchive.ietf.org/arch/msg/oauth/h0ivzMZBHjXGi6HqcB0LYdR4skw
    OAuth Working Group
    Aaron Parecki
    I've seen this done a few ways:

    • The Device Flow: https://tools.ietf.org/html/draft-ietf-oauth-device-flow which is what you see on browserless devices like the Apple TV logging in to a cable provider from your phone. A short code is generated and displayed on the screen, you launch a browser on your phone and enter the code. This would work just as well from the command line on the same device.
    • I've also seen apps use the authorization flow, by displaying the authorization URL on the command line prompt and instructing the user to open it in a browser. The redirect URI is a hosted web page that displays the authorization code and instructs the user to paste it back at the terminal.
    • The command line app can launch an HTTP server on localhost and use that as the redirect URL for the authorization code flow. This option ends up being the most seamless since it works like a traditional flow without any special instructions to the user.
    Portland, Oregon, USA
    Sun, Jun 11, 2017 8:59pm -07:00 #oauth #oauth2
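The third option above (a temporary HTTP server on localhost used as the redirect URI for the authorization code flow) written out in Python, as an added example that is not code from the mailing-list post or from any of Aaron's projects. It adds two checks the post does not mention but that RFC 8252 (OAuth 2.0 for Native Apps) recommends for exactly this kind of client: a `state` value that is verified when the redirect arrives, and PKCE with the S256 method. The authorization endpoint, `client_id` and scope are placeholder assumptions; the token request is built but not sent so the example runs offline, and `simulate_browser_redirect` stands in for the browser during testing.

```python
import base64
import hashlib
import http.client
import secrets
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholders: a real client uses its provider's endpoint and its own registered client_id.
AUTHORIZATION_ENDPOINT = "https://authorization-server.example/authorize"
CLIENT_ID = "cli-app-example"


def make_pkce_pair():
    """(code_verifier, code_challenge) for PKCE method S256 (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(redirect_uri, state, code_challenge):
    """state ties the redirect back to this process; code_challenge binds the code to it."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": "profile", "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return AUTHORIZATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


class LoopbackReceiver:
    """One-shot HTTP server on 127.0.0.1 used as redirect_uri; captures the code."""

    def __init__(self, expected_state):
        self.expected_state, self.code, self.error = expected_state, None, None
        self._done = threading.Event()
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
                if query.get("state", [None])[0] != receiver.expected_state:
                    # Not the redirect we asked for (forged or replayed): refuse the code.
                    receiver.error, status = "state mismatch", 400
                elif "error" in query:
                    receiver.error, status = query["error"][0], 400
                elif "code" in query:
                    receiver.code, status = query["code"][0], 200
                else:
                    receiver.error, status = "missing code", 400
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"You can close this window and return to the terminal.\n")
                receiver._done.set()

            def log_message(self, *args):
                pass  # keep the terminal quiet

        # Port 0 asks the OS for a free port; servers match loopback redirect URIs
        # regardless of port (RFC 8252 section 7.3), so no fixed port is needed.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{self.port}/callback"

    def wait_for_redirect(self, timeout=120):
        """Serve until one redirect arrives or the timeout elapses; returns (code, error)."""
        threading.Thread(target=self.server.serve_forever, daemon=True).start()
        if not self._done.wait(timeout):
            self.error = "timeout"
        self.server.shutdown()
        self.server.server_close()
        return self.code, self.error


def start_login():
    """Fresh state, PKCE pair and listener for one attempt. Open the returned URL with
    webbrowser.open(url), then call receiver.wait_for_redirect()."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    receiver = LoopbackReceiver(state)
    return receiver, build_authorization_url(receiver.redirect_uri, state, challenge), verifier


def token_request_body(code, redirect_uri, verifier):
    """Body for the token endpoint POST (not sent here, so the example runs offline)."""
    return urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "redirect_uri": redirect_uri, "client_id": CLIENT_ID,
                                   "code_verifier": verifier})


def simulate_browser_redirect(receiver, query):
    """Stand-in for the browser: request the loopback redirect_uri with a constructed query."""
    def hit():
        conn = http.client.HTTPConnection("127.0.0.1", receiver.port, timeout=5)
        conn.request("GET", "/callback?" + urllib.parse.urlencode(query))
        conn.getresponse().read()
        conn.close()

    threading.Thread(target=hit, daemon=True).start()
    return receiver.wait_for_redirect(timeout=5)
```

In real use, `start_login()` returns the URL to hand to `webbrowser.open`, and `wait_for_redirect()` blocks until the user approves and the browser is sent back to the loopback address. The two added checks cover the failure modes specific to this option: the `state` comparison rejects a redirect this process never initiated, and because nothing on a loopback port authenticates the listener, PKCE ensures that a code grabbed by some other local process is useless without the verifier held in memory here.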
  • Patrick Schaller http://F3Development.com   •   May 4
    Sorry, I meant I'm being told the URL can't be visible and they are holding up other mobile apps login as examples that do not show it.
    Aaron Parecki
    @rogue__leader Yeah sorry, 140 chars isn't enough 😭

    Before SFSafariView, the only way to securely do OAuth was to launch the native Safari browser. This meant you'd get bounced out of the app, which a lot of developers didn't want to do to their users. I don't disagree that this was a bad experience, and plenty of people feel the same.

    What ended up happening is people instead started embedding the WebView into their apps, in order to avoid having their users bounce out of the app and come back. The compromise in this case is that people would have to type their password to log in, because the embedded WebView doesn't share cookies with the system browser.

    It took Apple a long time to roll out SFSafariView, so there are just a lot of apps out there that still have the embedded WebView.

    Advantages of WebView:
    • Does not make the user leave the app to complete the OAuth flow

    Problems with WebView:
    • User has no way to verify they are on the real website, so phishing attacks are undetectable
    • Does not share system cookies, so users have to type their password every time

    Advantages of SFSafariView:
    • Does not make the user leave the app to complete the OAuth flow
    • The user can see the address bar so can verify they're on the correct website
    • Shares system cookies, so the user won't have to type their password if they've already signed in using the native Safari app

    I should probably turn this into a proper blog post.
    Portland, Oregon
    2 replies
    Thu, May 4, 2017 10:47am -07:00 #oauth2
  • Patrick Schaller http://F3Development.com   •   May 4
    @aaronpk I was just reading your article https://goo.gl/IF9r2O which was helpful. Is using SafariViewController the only safe auth on iOS?
    Aaron Parecki
    @rogue__leader Thanks! That, or launching Safari or the service's native application. SafariViewController will provide the best UX.
    Portland, Oregon
    4 replies
    Thu, May 4, 2017 10:13am -07:00 #oauth2
  • Bryan Stearns ‽ http://selfamusementpark.com/   •   Apr 6
    Got frustrated trying to find OAuth2 docs that made sense to me; found @aaronpk's https://www.oauth.com/ and now it's clear! Thanks, Aaron!
    Aaron Parecki
    @bryanstearns Awesome! Glad it's been helpful!
    Portland, Oregon, USA
    Thu, Apr 6, 2017 5:01pm -07:00 #oauth2
  • Day 86: Updating IndieAuth Docs #100DaysOfIndieWeb

    Beginning a slow project of updating the docs about the IndieAuth spec, today I started by updating a few pages on the wiki. Right now, most of the docs about IndieAuth (the spec), and how to use it, live across a variety of pages on the wiki, grouped together at https://indieweb.org/Category:IndieAuth.
    continue reading...
    1 like 1 reply 2 mentions
    Thu, Mar 16, 2017 5:22pm -07:00 #100daysofindieweb #micropub #indieauth #oauth2
  • Uber Developers (developer.uber.com)
    "OAuth 2.0 is a specification outlined in RFC 6749 that allows third-party services to make requests on behalf of a user without accessing passwords and other sensitive information. If you are unfamiliar with OAuth 2.0, check out Aaron Parecki's "OAuth 2 Simplified"."
    Fri, Nov 11, 2016 9:23pm -08:00 #inthewild #press #oauth2
  • Jared Hanson https://twitter.com/jaredhanson   •   Oct 1
    There's an existing "oauth2-token" link rel which would be nice to use instead of "token_endpoint" https://tools.ietf.org/html/draft-wmills-oauth-lrdd-07#section-3.2
    Aaron Parecki
    @jaredhanson oh funny! I got token_endpoint from OpenID Connect: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata I will take a look at the OAuth 2 link rels tho.
    Portland, Oregon, USA
    Sat, Oct 1, 2016 7:14am -07:00 #oauth2 #webmention #oauth
  • Aaron Parecki
    Happy to announce https://oauth.com - a guide to building OAuth 2.0 servers! #oktane16
    Las Vegas, Nevada, USA
    33 likes 22 reposts 2 replies 3 mentions
    Tue, Aug 30, 2016 10:01am -07:00 #oktane16 #oauth #oauth2

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.