Aaron Parecki

#oauth

  • Aaron Parecki

    Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

    OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

    In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

    Portland, Oregon
    Sat, Feb 4, 2017 11:35am -08:00 #oauth #oauth2
  • Kyle Mahan https://kylewm.com

    The cool thing about web APIs is how they all implement signing, especially of multipart/form-data just a little bit differently.

    Mon, Apr 13, 2015 10:51am -07:00 (liked on Mon, Apr 13, 2015 11:21am -07:00) #kvetch #oauth
  • Aaron Parecki
    @eyeficard Help! I can't connect my card to Flickr anymore! The auth screen pops up inside the app (which is bad OAuth practice) and now Yahoo rejects the request!
    Portland, Oregon, USA
    2 replies
    Thu, Feb 26, 2015 9:20am -08:00 #eyefi #flickr #oauth
  • Janrain: User management platform for the social web (rpxnow.com)

    OAuth provider guide

    Wed, Feb 11, 2015 12:13pm -08:00 #oauth #oauth2
  • Aaron Parecki
    OAuth: better than NoAuth.
    Portland, Oregon, USA
    6 likes 2 reposts 3 replies
    Fri, Jan 30, 2015 3:20pm -08:00 #oauth
  • So you implemented an OAuth 2.0 API...

    While OAuth 2.0 is a good framework for building an API, the spec itself leaves many things un-specified, and it's up to the implementer to make a decision based on their own security requirements. As such, most OAuth 2.0 implementations are not interoperable, which is often cited as a failure of OAuth 2.0. On the other hand, the current state of OAuth 2.0 implementations is that they are often similar enough that developers don't need to learn too many new concepts when dealing with them.
    19 likes 6 reposts 3 replies 5 mentions
    Thu, Jan 15, 2015 12:15pm -08:00 #oauth #oauth2 #standards #web #authentication #checklist
  • [OAUTH-WG] OAuth Status (www.ietf.org)
    Mon, Jan 12, 2015 1:24pm -08:00 #oauth #oauth2
  • OAuth 2.0 and Sign-In (www.cloudidentity.com)
    OAuth 2.0 is not a sign-in protocol. Sign-in can be implemented by augmenting OAuth, and people routinely do so...
    Sat, Jan 3, 2015 7:49pm -08:00 #oauth #oauth2 #authentication #internet
  • SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers (securityintelligence.com)
    Sun, Dec 7, 2014 9:36am -08:00 #oauth #security #oauth2
  • A Little Twitter Developer History

    Back in the early days of Twitter, I noticed that several tweets I was seeing showed "via _____" next to the date, which linked to the application that was used to post the tweet. I thought "hey that's a clever way to give credit to applications" and thought it would be a good way to get people to discover the Twitter app I was creating at the time.
    Sun, Nov 23, 2014 4:30pm -08:00 #twitter #oauth
  • Aaron Parecki
    Continuing last weekend's documentation of all the un-specified parts of OAuth 2.0, things were going pretty well until I hit the "Security Considerations" section, which basically recommends but doesn't require a whole bunch of things. Basically this means an API can be fully OAuth 2.0 compliant and also completely insecure.

    If you want to know more, keep an eye out for this blog post. Or hire me as an independent OAuth consultant and I'd gladly spend a day with you.
    Portland, Oregon, USA
    14 likes 6 replies
    Sat, Nov 22, 2014 7:23pm -08:00 #oauth2 #oauth
  • Justin Richer http://bspk.io/
    The article on OAuth and Authentication that I helped write/edit is online now: http://oauth.net/articles/authentication/ (thanks to @aaronpk for publishing!)
    2 mentions
    Sun, Nov 2, 2014 11:22pm -05:00 (reposted on Sun, Nov 2, 2014 8:25pm -08:00) #oauth #oauth2
  • Aaron Parecki
    Launched some updates to the documentation at http://oauth.net/documentation/ with the OAuth group tonight! Will hopefully have more improvements to the site soon! #iiw
    San Francisco, California, USA
    3 likes 1 repost
    Wed, May 7, 2014 2:18am -07:00 #iiw #oauth
  • OAuth meeting minutes (www.ietf.org)
    Wed, Mar 5, 2014 8:29am -08:00 #ietf #oauth #oauth2
  • Kevin Marks 🏠kevinmarks.com xoxo.zone/@KevinMarks https://twitter.com/kevinmarks   •   Feb 27
    @cdixon obligatory sixteen year old dilbert http://dilbert.com/strips/comic/1996-01-11/
    Aaron Parecki
    @kevinmarks @cdixon What we really need is OAuth for payments. Generate an authorization for a specific amount and give the authorization to the recipient.
    Portland, Oregon, USA
    3 likes 1 repost
    Wed, Feb 26, 2014 10:45pm -08:00 #oauth
  • Jason Cooper https://twitter.com/JLCooper2   •   Dec 10
    @aaronpk What licence is the OAuth logo used on http://oauth.net available as? (We are wanting to use it on a poster)
    Aaron Parecki
    @JLCooper2 Feel free! The logo is released under the Creative Commons Attribution ShareAlike 3.0 license. http://creativecommons.org/licenses/by-sa/3.0/
    Portland, OR, USA
    Tue, Dec 10, 2013 2:37pm -08:00 #oauth
  • Speed Geeking: An Intro to OAuth 2
    July 9, 2013 3:30pm (-0700)
    San Diego, California, USA
    Esri User Conference
    permalink #oauth #oauth2 #esri #esriuc #speedgeeking
  • Speed Geeking: An Intro to OAuth 2
    July 9, 2013 3:30pm - 5:00pm (-0700)
    Esri User Conference
    San Diego, California
    1 RSVP
    permalink #esri #esriuc #speedgeeking #oauth #oauth2
  • https://twitter.com/a_hershberger/status/344122172282925057
    Aaron Parecki
    @a_hershberger Yes, most implementations require the client ID and secret. At the very least you'd need to require client ID to identify the client. Of course don't send the secret if it's coming from a mobile device. #oauth2
    Redlands, CA, USA
    Mon, Jun 10, 2013 12:54pm -07:00 #oauth2 #oauth
  • The State of OAuth 2
    January 7, 2013 6:30pm (-0800)
    Portland, Oregon, USA
    State of the Auth
    permalink #oauth #oauth2
  • https://twitter.com/kenkeiter/status/285166880501678081
    Aaron Parecki
    @kenkeiter Yea, you have to make a bunch of decisions even after reading the spec, Bearer/MAC are split into their own docs too. Also check out http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified for a simplified version.
    Portland, OR, USA
    Sat, Dec 29, 2012 3:38pm -08:00 #oauth2 #oauth

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.