Aaron Parecki

#oauth

  • Aaron Parecki

    Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

    OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

    In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

    Portland, Oregon
    Sat, Feb 4, 2017 11:35am -08:00 #oauth #oauth2
  • Portland (PDX) to Oakland (OAK)
    January 23, 2017 from 4:40pm to 6:39pm (-0800)
    Alaska Flight 2563
    Metropolitan Oakland Intl in Oakland
#oauth #consulting
  • Jared Hanson https://twitter.com/jaredhanson   •   Oct 1
    There's an existing "oauth2-token" link rel which would be nice to use instead of "token_endpoint" https://tools.ietf.org/html/draft-wmills-oauth-lrdd-07#section-3.2
    Aaron Parecki
    @jaredhanson oh funny! I got token_endpoint from OpenID Connect: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata I will take a look at the OAuth 2 link rels tho.
    Portland, Oregon, USA
    Sat, Oct 1, 2016 7:14am -07:00 #oauth2 #webmention #oauth
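The exchange above is about how a client discovers an authorization server's token endpoint: either from an OpenID Connect provider-metadata document (its `token_endpoint` member) or from an HTTP `Link` relation such as the `oauth2-token` rel in draft-wmills-oauth-lrdd. The following is an added example, not code from the thread or from any of the specs it mentions; the issuer `https://op.example`, the metadata document and the `Link` header are constructed samples, and the issuer check and https check are this example's own choices.

```python
import json
import re
from urllib.parse import urljoin

# Constructed OpenID Connect provider-metadata document for a hypothetical issuer.
PROVIDER_METADATA = json.dumps({
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "token_endpoint": "https://op.example/token",
})

# Constructed Link header as a page might send it; the relative target is deliberate.
LINK_HEADER = ('</token>; rel="oauth2-token", '
               '<https://op.example/authorize>; rel="authorization_endpoint"; title="auth"')

_LINK = re.compile(r'<([^>]*)>\s*((?:;\s*[^,;]+)*)')
_PARAM = re.compile(r';\s*([A-Za-z0-9-]+)\s*=\s*(?:"([^"]*)"|([^;,\s]+))')


def parse_link_header(value):
    """Parse an RFC 8288 Link header into (target, {rel, ...}) pairs.
    rel values may be quoted, space-separated lists; other parameters are
    skipped. Quoted values containing ',' or ';' are not handled."""
    links = []
    for m in _LINK.finditer(value):
        target, params = m.group(1), m.group(2)
        rels = set()
        for p in _PARAM.finditer(params):
            name, quoted, bare = p.groups()
            if name.lower() == "rel":
                rels.update((quoted if quoted is not None else bare).lower().split())
        links.append((target, rels))
    return links


def token_endpoint_from_links(value, page_url):
    """Return the absolute URL of the first oauth2-token link, or None.
    Relative targets resolve against the page that sent the header."""
    for target, rels in parse_link_header(value):
        if "oauth2-token" in rels:
            return urljoin(page_url, target)
    return None


def token_endpoint_from_metadata(doc_json, expected_issuer):
    """Return token_endpoint from provider metadata. Refuse a document whose
    issuer is not the one the metadata was fetched for (a mis-served or
    substituted document could otherwise send clients to someone else's
    token endpoint) and refuse a non-https endpoint."""
    doc = json.loads(doc_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc.get("issuer"))
    endpoint = doc.get("token_endpoint")
    if not isinstance(endpoint, str) or not endpoint.startswith("https://"):
        raise ValueError("token_endpoint missing or not https")
    return endpoint


if __name__ == "__main__":
    print(token_endpoint_from_metadata(PROVIDER_METADATA, "https://op.example"))
    print(token_endpoint_from_links(LINK_HEADER, "https://op.example/"))
```

Whichever discovery mechanism a client uses, the value it obtains is where it will send client credentials and authorization codes, so the client should bind the result to the identity it started from (the issuer, or the origin of the page that served the `Link` header) rather than trust any URL the document happens to contain.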
  • Support Universal Links (developer.apple.com)
    Wed, Sep 14, 2016 10:41am -07:00 #oauth #apps #ios
  • Aaron Parecki
    a little light beach reading: "OAuth 2.0 for Native Apps" #oauth
    Cannon Beach, Oregon, USA
    6 likes 2 replies
    Tue, Sep 13, 2016 3:43pm -07:00 #oauth
  • https://twitter.com/glenndayton/status/771107728290742272
    Aaron Parecki
    @glenndayton Thanks! Glad you like it! I just published a more thorough guide on https://oauth.com you might want to look at too!
    Portland, Oregon, USA
    2 replies
    Sun, Sep 4, 2016 9:44am -07:00 #oauth
  • Las Vegas (LAS) to Portland (PDX)
    September 1, 2016 from 6:50am to 9:00am (-0700)
    Alaska Flight 629
    Portland Intl in Portland
#oauth #okta #oktane #oktane16
  • Aaron Parecki
    Happy to announce https://oauth.com - a guide to building OAuth 2.0 servers! #oktane16
    Las Vegas, Nevada, USA
    33 likes 22 reposts 2 replies 3 mentions
    Tue, Aug 30, 2016 10:01am -07:00 #oktane16 #oauth #oauth2
  • Oktane 2016
    August 29-31, 2016 (3 days)
    Aria Resort, Las Vegas, NV
    #okta #oktane #oauth #oktane16
  • Aaron Parecki
    Just launched a big reorganization of https://oauth.net which should make it easier to find things! 🔒 #oauth2 #oktane16
    Las Vegas, Nevada, USA
    7 likes 2 reposts
    Mon, Aug 29, 2016 11:44am -07:00 #oauth2 #oktane16 #oauth
  • Portland (PDX) to Seattle (SEA)
    August 28, 2016 from 1:00pm to 1:46pm (-0700)
    Alaska Flight 2210
    Seattle (SEA) to Las Vegas (LAS)
    August 28, 2016 from 4:40pm to 6:57pm (-0700)
    Alaska Flight 604
    Mc Carran Intl in Las Vegas
#oauth #okta #oktane #oktane16
  • https://mailarchive.ietf.org/arch/msg/oauth/qlPnrZJU38R3pwqm_bvV9CW3UMY
    Aaron Parecki
    In reading this over, I noticed a subtle difference from the Facebook and
    Google implementations, and I'm wondering if this was intentional or not.

    Section 3.1 says "The authorization server prompts the end-user to
    authorize the client's request by entering the end-user code provided by
    the client." The introduction has even more explicitly different wording:
    "(D) ... If the end-user agrees to the client's access request, the
    end-user enters the end-user code provided by the client."

    However this is different from Facebook and Google's implementations, which
    work as follows:

    - Device shows the verification URI and code to the user
    - The user visits the URL and is prompted to sign in to the service
    (Google has the extra step of then choosing which Youtube account to use)
    - The user is then prompted to enter the device code
    - After entering the device code, the authorization prompt is displayed

    In reading this draft, the implication is that the act of entering the code
    also is the authorization. The problem is that the server won't know things
    like the scope or application name until after the code is entered, so it
    can't properly show an authorization prompt.

    I think this needs to be reworded to separate entering the code from
    showing the authorization prompt. I believe it is only a wording change.
    Maybe something more like:

    3.1 "The authorization server prompts the end-user to enter the end-user
    code provided by the client, after which it prompts the end-user to
    authorize the client's request."

    and in the introduction:

    1. (D) "The authorization server authenticates the end-user (via the
    user-agent) and prompts the end-user to enter the end-user code provided by
    the client. The authorization server validates the end-user code and
    prompts the end-user to grant the client's access request."
    Portland, Oregon, USA
    Fri, Nov 13, 2015 12:50pm -08:00 #oauth
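The message above argues that entering the user code and approving the client's request must be separate steps, because the server only learns which client and which scope it is dealing with once the code has been entered. The following is an added example, not code from the post or from the device-flow draft: a minimal in-memory authorization server that models the flow in that order. The device asks for a code pair, polls the token endpoint and gets `authorization_pending`; the browser side looks up the typed user code, which is the first point at which a consent prompt can name the client and scope; only after the user's decision does the poll return a token or `access_denied`. The client registry, the verification URI `https://as.example/device`, the user-code alphabet and the lifetimes are constructed for the example, and the error names are the ones the device-flow spec uses (`authorization_pending`, `access_denied`, `expired_token`, as later standardized in RFC 8628).

```python
import secrets
import time

# Constructed client registry; a real server keeps this in its database.
CLIENTS = {"tv-app": {"name": "Living Room TV"}}
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels, no look-alike glyphs


def _now(now):
    return time.time() if now is None else now


def _normalize(user_code):
    # Users type codes with hyphens, spaces or lowercase; compare canonically.
    return user_code.replace("-", "").replace(" ", "").upper()


class DeviceAuthServer:
    def __init__(self, code_ttl=600, interval=5):
        self.code_ttl = code_ttl
        self.interval = interval
        self.by_device_code = {}
        self.by_user_code = {}

    def device_authorization(self, client_id, scope, now=None):
        """Device authorization request: the client asks for a pair of codes.
        At this point the server knows the client and scope but not the user."""
        if client_id not in CLIENTS:
            return {"error": "invalid_client"}
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        device_code = secrets.token_urlsafe(32)  # long, high-entropy, never shown to the user
        req = {"client_id": client_id, "scope": scope, "status": "pending",
               "user": None, "expires": _now(now) + self.code_ttl}
        self.by_device_code[device_code] = req
        self.by_user_code[user_code] = req
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # hypothetical
                "expires_in": self.code_ttl, "interval": self.interval}

    def lookup_user_code(self, user_code, now=None):
        """First half of the user step: an already-authenticated user types the code.
        Only now can the server build a consent prompt naming the client and scope.
        Returns the data for that prompt, or None if the code is unknown, used or expired."""
        req = self.by_user_code.get(_normalize(user_code))
        if req is None or req["status"] != "pending" or _now(now) > req["expires"]:
            return None
        return {"client_name": CLIENTS[req["client_id"]]["name"], "scope": req["scope"]}

    def decide(self, user_code, username, approve):
        """Second half of the user step: the consent decision made on that prompt.
        The user code is single-use and is discarded here."""
        req = self.by_user_code.pop(_normalize(user_code), None)
        if req is None or req["status"] != "pending":
            return False
        req["status"] = "approved" if approve else "denied"
        req["user"] = username
        return True

    def token(self, device_code, client_id, now=None):
        """The device polls the token endpoint with its device_code."""
        req = self.by_device_code.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if _now(now) > req["expires"]:
            self.by_device_code.pop(device_code)
            return {"error": "expired_token"}
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        self.by_device_code.pop(device_code)  # approved or denied: single use
        if req["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": req["scope"], "user": req["user"]}


if __name__ == "__main__":
    srv = DeviceAuthServer()
    pair = srv.device_authorization("tv-app", "youtube.readonly")
    print("device polls:", srv.token(pair["device_code"], "tv-app"))
    print("prompt shows:", srv.lookup_user_code(pair["user_code"]))
    srv.decide(pair["user_code"], "alice", approve=True)
    print("device polls:", srv.token(pair["device_code"], "tv-app"))
```

Two things the model leaves out that a real server needs: rate limiting on the user-code entry form (an 8-character code from a 20-symbol alphabet is only about 2^34 possibilities, so unthrottled guessing is feasible) and the `slow_down` response for devices that poll faster than `interval`.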
  • Implementing OAuth 2.0 access tokens | NimbusDS Blog (nimbusds.com)
    Sat, Jul 4, 2015 12:18pm -07:00 #oauth2 #oauth
  • Aaron Parecki
    Well this is progress... an in-app browser that shows the address bar and shares system cookies
    Portland, Oregon, USA
    3 likes 1 repost
    Tue, Jun 9, 2015 12:10pm -07:00 #ios9 #oauth #oauth2 #ios
  • Changes in iOS 9.0 (developer.apple.com)
    SFSafariViewController can be used to display web content within your app. It shares cookies and other website data with Safari, and has many of Safari's great features, such as Safari AutoFill and Safari Reader. Unlike Safari itself, the SFSafariViewController UI is tailored for displaying a single page, featuring a Done button that takes users back to where they were in your app.
    Mon, Jun 8, 2015 3:00pm -07:00 #oauth #oauth2 #ios #ios9
  • Aaron Parecki
    How long do you think until things like this are possible? #homeautomation #quantifiedself #oauth
    7 likes 1 reply
    Fri, May 1, 2015 11:47pm -07:00 #oauth #quantifiedself #homeautomation
  • Kyle Mahan https://kylewm.com

    The cool thing about web APIs is how they all implement signing, especially of multipart/form-data just a little bit differently.

    Mon, Apr 13, 2015 10:51am -07:00 (liked on Mon, Apr 13, 2015 11:21am -07:00) #kvetch #oauth
  • Aaron Parecki
    @eyeficard Help! I can't connect my card to Flickr anymore! The auth screen pops up inside the app (which is bad OAuth practice) and now Yahoo rejects the request!
    Portland, Oregon, USA
    2 replies
    Thu, Feb 26, 2015 9:20am -08:00 #eyefi #flickr #oauth
  • Janrain: User management platform for the social web (rpxnow.com)

    OAuth provider guide

    Wed, Feb 11, 2015 12:13pm -08:00 #oauth #oauth2
  • Aaron Parecki
    OAuth: better than NoAuth.
    Portland, Oregon, USA
    6 likes 2 reposts 3 replies
    Fri, Jan 30, 2015 3:20pm -08:00 #oauth
  • So you implemented an OAuth 2.0 API...

    While OAuth 2.0 is a good framework for building an API, the spec itself leaves many things un-specified, and it's up to the implementer to make a decision based on their own security requirements. As such, most OAuth 2.0 implementations are not interoperable, which is often cited as a failure of OAuth 2.0. On the other hand, the current state of OAuth 2.0 implementations is that they are often similar enough that developers don't need to learn too many new concepts when dealing with them.
    continue reading...
    19 likes 6 reposts 3 replies 5 mentions
    Thu, Jan 15, 2015 12:15pm -08:00 #oauth #oauth2 #standards #web #authentication #checklist

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.