#oauth

  • Aaron Parecki

    Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

    OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

    In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

    Portland, Oregon
    Sat, Feb 4, 2017 11:35am -08:00 #oauth #oauth2
  • https://mailarchive.ietf.org/arch/msg/oauth/qlPnrZJU38R3pwqm_bvV9CW3UMY
    Aaron Parecki
    In reading this over, I noticed a subtle difference from the Facebook and
    Google implementations, and I'm wondering if this was intentional or not.

    Section 3.1 says "The authorization server prompts the end-user to
    authorize the client's request by entering the end-user code provided by
    the client." The introduction has even more explicitly different wording:
    "(D) ... If the end-user agrees to the client's access request, the
    end-user enters the end-user code provided by the client."

    However, this is different from Facebook and Google's implementations, which
    work as follows:

    - Device shows the verification URI and code to the user
    - The user visits the URL and is prompted to sign in to the service
      (Google has the extra step of then choosing which YouTube account to use)
    - The user is then prompted to enter the device code
    - After entering the device code, the authorization prompt is displayed

    In reading this draft, the implication is that the act of entering the code
    also is the authorization. The problem is that the server won't know things
    like the scope or application name until after the code is entered, so it
    can't properly show an authorization prompt.

    I think this needs to be reworded to separate entering the code from
    showing the authorization prompt. I believe it is only a wording change.
    Maybe something more like:

    3.1 "The authorization server prompts the end-user to enter the end-user
    code provided by the client, after which it prompts the end-user to
    authorize the client's request."

    and in the introduction:

    1. (D) "The authorization server authenticates the end-user (via the
    user-agent) and prompts the end-user to enter the end-user code provided by
    the client. The authorization server validates the end-user code and
    prompts the end-user to grant the client's access request."
    Portland, Oregon, USA
    Fri, Nov 13, 2015 12:50pm -08:00 #oauth
  • Implementing OAuth 2.0 access tokens | NimbusDS Blog (nimbusds.com)
    Sat, Jul 4, 2015 12:18pm -07:00 #oauth2 #oauth
  • Aaron Parecki
    Well this is progress... an in-app browser that shows the address bar and shares system cookies
    Portland, Oregon, USA
    3 likes 1 repost
    Tue, Jun 9, 2015 12:10pm -07:00 #ios9 #oauth #oauth2 #ios
  • Changes in iOS 9.0 (developer.apple.com)
    SFSafariViewController can be used to display web content within your app. It shares cookies and other website data with Safari, and has many of Safari's great features, such as Safari AutoFill and Safari Reader. Unlike Safari itself, the SFSafariViewController UI is tailored for displaying a single page, featuring a Done button that takes users back to where they were in your app.
    Mon, Jun 8, 2015 3:00pm -07:00 #oauth #oauth2 #ios #ios9
  • Aaron Parecki
    How long do you think until things like this are possible? #homeautomation #quantifiedself #oauth
    7 likes 1 reply
    Fri, May 1, 2015 11:47pm -07:00 #oauth #quantifiedself #homeautomation
  • Kyle Mahan https://kylewm.com

    The cool thing about web APIs is how they all implement signing, especially of multipart/form-data just a little bit differently.

    Mon, Apr 13, 2015 10:51am -07:00 (liked on Mon, Apr 13, 2015 11:21am -07:00) #kvetch #oauth
  • Aaron Parecki
    @eyeficard Help! I can't connect my card to Flickr anymore! The auth screen pops up inside the app (which is bad OAuth practice) and now Yahoo rejects the request!
    Portland, Oregon, USA
    2 replies
    Thu, Feb 26, 2015 9:20am -08:00 #eyefi #flickr #oauth
  • Janrain: User management platform for the social web (rpxnow.com)

    OAuth provider guide

    Wed, Feb 11, 2015 12:13pm -08:00 #oauth #oauth2
  • Aaron Parecki
    OAuth: better than NoAuth.
    Portland, Oregon, USA
    6 likes 2 reposts 3 replies
    Fri, Jan 30, 2015 3:20pm -08:00 #oauth
  • So you implemented an OAuth 2.0 API...

    While OAuth 2.0 is a good framework for building an API, the spec itself leaves many things un-specified, and it's up to the implementer to make a decision based on their own security requirements. As such, most OAuth 2.0 implementations are not interoperable, which is often cited as a failure of OAuth 2.0. On the other hand, the current state of OAuth 2.0 implementations is that they are often similar enough that developers don't need to learn too many new concepts when dealing with them.
    continue reading...
    19 likes 6 reposts 3 replies 5 mentions
    Thu, Jan 15, 2015 12:15pm -08:00 #oauth #oauth2 #standards #web #authentication #checklist
  • [OAUTH-WG] OAuth Status (www.ietf.org)
    Mon, Jan 12, 2015 1:24pm -08:00 #oauth #oauth2
  • OAuth 2.0 and Sign-In (www.cloudidentity.com)
    OAuth 2.0 is not a sign-in protocol. Sign-in can be implemented by augmenting OAuth, and people routinely do so...
    Sat, Jan 3, 2015 7:49pm -08:00 #oauth #oauth2 #authentication #internet
  • SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers (securityintelligence.com)
    Sun, Dec 7, 2014 9:36am -08:00 #oauth #security #oauth2
  • A Little Twitter Developer History

    Back in the early days of Twitter, I noticed that several tweets I was seeing showed "via _____" next to the date, which linked to the application that was used to post the tweet. I thought "hey that's a clever way to give credit to applications" and thought it would be a good way to get people to discover the Twitter app I was creating at the time.
    continue reading...
    Sun, Nov 23, 2014 4:30pm -08:00 #twitter #oauth
  • Aaron Parecki
    Continuing last weekend's documentation of all the un-specified parts of OAuth 2.0, things were going pretty well until I hit the "Security Considerations" section, which basically recommends but doesn't require a whole bunch of things. Basically this means an API can be fully OAuth 2.0 compliant and also completely insecure.

    If you want to know more, keep an eye out for this blog post. Or hire me as an independent OAuth consultant and I'd gladly spend a day with you.
    Portland, Oregon, USA
    14 likes 6 replies
    Sat, Nov 22, 2014 7:23pm -08:00 #oauth2 #oauth
  • Justin Richer http://bspk.io/
    The article on OAuth and Authentication that I helped write/edit is online now: http://oauth.net/articles/authentication/ (thanks to @aaronpk for publishing!)
    2 mentions
    Sun, Nov 2, 2014 11:22pm -05:00 (reposted on Sun, Nov 2, 2014 8:25pm -08:00) #oauth #oauth2
  • Aaron Parecki
    Launched some updates to the documentation at http://oauth.net/documentation/ with the OAuth group tonight! Will hopefully have more improvements to the site soon! #iiw
    San Francisco, California, USA
    3 likes 1 repost
    Wed, May 7, 2014 2:18am -07:00 #iiw #oauth
  • OAuth meeting minutes (www.ietf.org)
    Wed, Mar 5, 2014 8:29am -08:00 #ietf #oauth #oauth2
  • Kevin Marks (kevinmarks.com, xoxo.zone/@KevinMarks, https://twitter.com/kevinmarks) • Feb 27
    @cdixon obligatory sixteen year old dilbert http://dilbert.com/strips/comic/1996-01-11/
    Aaron Parecki
    @kevinmarks @cdixon What we really need is OAuth for payments. Generate an authorization for a specific amount and give the authorization to the recipient.
    Portland, Oregon, USA
    3 likes 1 repost
    Wed, Feb 26, 2014 10:45pm -08:00 #oauth
  • Jason Cooper (https://twitter.com/JLCooper2) • Dec 10
    @aaronpk What licence is the OAuth logo used on http://oauth.net available as? (We are wanting to use it on a poster)
    Aaron Parecki
    @JLCooper2 Feel free! The logo is released under the Creative Commons Attribution ShareAlike 3.0 license. http://creativecommons.org/licenses/by-sa/3.0/
    Portland, OR, USA
    Tue, Dec 10, 2013 2:37pm -08:00 #oauth

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.