Aaron Parecki

#oauth

  • Aaron Parecki

    Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

    OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

    In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

    Portland, Oregon
    Sat, Feb 4, 2017 11:35am -08:00 #oauth #oauth2
  • https://www.ietf.org/mail-archive/web/oauth/current/msg18477.html
    OAUTH-WG
    Aaron Parecki
    On Wed, Nov 7, 2018 at 7:20 AM Joseph Heenan <joseph at authlete.com> wrote:

    > It may be worth slightly rewording 7.2 as it may encourage a growing misconception that all native apps must be public clients. With many devices now having embedded HSMs, we’ve seen increasing interest in mobile apps being dynamically (per-install) registered oauth2 private clients, and that model has a lot of advantages. (I’m not sure if we might see a similar model evolving for web apps.)

    That's a great point, thanks. I've removed the reference to native apps being public clients since it doesn't really add anything to this spec if I have to caveat the description.

    On Thu, Nov 15, 2018 at 12:58 PM Torsten Lodderstedt <torsten at lodderstedt.net> wrote:

    > > > First of all the AS decides whether it issues refresh tokens or not. Having the ability does not mean the AS must do it. If you feel it’s safer to not do it. Fine.
    > > Sure, and this should be mentioned then somewhere (either in the threats doc or in this proposed best practice doc). Not all end developers using these protocols fully understand the ramifications.
    > @Aaron: I suggest this goes to the SPA BCP since this is client specific.

    Thanks, I agree that this document should include some recommendations around refresh token handling. Looking at the discussion in this thread, it seems there are a few different strategies folks are taking. Since it seems like there isn't a strong consensus, it sounds like this would be better suited for the "Security Considerations" section, and to not make MUST/SHOULD recommendations, but rather just point out the issues. Any thoughts on that before I take a stab at writing something?

    I've incorporated some of the other feedback here and published an updated version:

    https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-01

    Thanks for the feedback so far.
    Portland, Oregon
    Mon, Nov 19, 2018 6:09pm -08:00 #oauth
  • (datatracker.ietf.org)
    Portland, Oregon • 52°F
    Mon, Nov 19, 2018 3:49pm -08:00 #ietf #oauth #ietf103
  • Aaron Parecki
    Alright, I think we can call it. Between @tlodderstedt's OAuth Security Best Practices and OAuth 2.0 for Browser Apps, the Implicit Flow is dead.

    https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09

    https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-00

    https://medium.com/@torsten_lodderstedt/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
    Portland, Oregon, USA • 36°F
    4 likes 5 reposts 2 mentions
    Fri, Nov 9, 2018 8:57am -08:00 #oauth #oauth2
  • https://www.ietf.org/mail-archive/web/oauth/current/msg18468.html
    OAUTH-WG
    Aaron Parecki
    Thanks Hannes,

    Since I wasn't able to give an intro during the meeting today, I'd like to share a little more context about this here as well.

    At the Internet Identity Workshop in Mountain View last week, I led a session to collect feedback on recommendations for OAuth for browser based apps. During the session, we came up with a list of several points based on the collective experience of the attendees. I then tried to address all those points in this draft.

    The goal of this is not to specify any new behavior, but rather to limit the possibilities that the existing OAuth specs provide, to ensure a secure implementation in browser based apps.

    Thanks in advance for your review and feedback!
    Portland, Oregon • 47°F
    Tue, Nov 6, 2018 11:13am +01:00 #oauth
  • IETF 103 OAuth Meeting
    November 6, 2018 11:20am - 12:20pm (+0700)
    permalink #oauth
  • IETF 103 OAuth Meeting
    November 5, 2018 9:00am - 11:00am (+0700)
    permalink #oauth
  • San Jose (SJC) to Portland (PDX)
    October 26, 2018 from 9:10am to 10:45am (-0700)
    Alaska Flight 407
    Portland Intl in Portland
    permalink #oauth #okta #iiw
  • Aaron Parecki
    Listening to @tlodderstedt present some new OAuth 2.0 Security recommendations #iiw
    Mountain View, California, USA • 60°F
    2 likes
    Thu, Oct 25, 2018 10:06am -07:00 #oauth #iiw
  • Aaron Parecki
    I'll be leading a session on OAuth for single page apps at 10:30! Room i. We'll try to come up with a list of best practices! #iiw
    Mountain View, California, USA • 57°F
    5 likes 2 reposts
    Wed, Oct 24, 2018 9:59am -07:00 #oauth #iiw
  • Making OAuth Work on the Open Web
    October 24, 2018 12:00am (+0000)
    Computer History Museum
    Mountain View, California, US
    Internet Identity Workshop 27
    View Slides
    permalink #oauth #indieauth
  • Moving On from OAuth 2? – Justin Richer – Medium (medium.com)
    Tue, Oct 23, 2018 10:47am -07:00 #oauth #oauth2 #iiw
  • Nürnberg (NUE) to Frankfurt (FRA)
    October 22, 2018 from 11:15am to 12:00pm (+0200)
    Lufthansa Flight 147
    Frankfurt (FRA) to Seattle (SEA)
    October 22, 2018 from 2:25pm (+0200) to 4:10pm (-0700)
    Condor Flight 2032
    Seattle (SEA) to San Jose (SJC)
    October 22, 2018 from 5:30pm to 7:33pm (-0700)
    Alaska Flight 322
    Norman Y Mineta San Jose Intl in San Jose
    permalink #oauth #indiewebcamp #okta #iiw
  • Understanding and Implementing OAuth 2.0
    October 18, 2018 9:00am - 4:00pm (+0200)
    tollwerk GmbH | TYPO3- & Werbeagentur Nürnberg
    Nürnberg, Bayern, DE
    permalink #oauth
  • Portland (PDX) to Seattle (SEA)
    October 15, 2018 from 2:15pm to 3:08pm (-0700)
    Alaska Flight 2642
    Seattle (SEA) to Frankfurt (FRA)
    October 15, 2018 at 6:10pm (-0700) until Oct 16 at 1:35pm (+0200)
    Condor Flight 2033
    Frankfurt (FRA) to Nürnberg (NUE)
    October 16, 2018 from 5:20pm to 6:00pm (+0200)
    Lufthansa Flight 148
    Nürnberg in Nürnberg
    permalink #oauth #indiewebcamp
  • Aaron Parecki
    Congrats @strava on some great looking #OAuth security updates to your API! https://developers.strava.com/docs/oauth-updates/
    Portland, Oregon, USA • 64°F
    2 likes 2 reposts
    Mon, Oct 15, 2018 1:45pm -07:00 #oauth
  • Aaron Parecki
    Next week I'll be hosting a workshop on @OAuth2 in Germany as part of Nürnberg Web Week festival @nueww! It's filling up fast but there are still some spots left! https://nuernberg.digital/festival/programm/2018/understanding-and-implementing-oauth-2-0-mit-aaron-parecki-42/
    Columbus, Ohio, USA • 72°F
    11 likes 6 reposts 3 replies
    Wed, Oct 10, 2018 7:32pm -04:00 #oauth #oauth2
  • Cincinnati (CVG) to Chicago (ORD)
    October 5, 2018 from 6:52am (-0400) to 7:24am (-0500)
    American Airlines Flight 4094
    Chicago (ORD) to Portland (PDX)
    October 5, 2018 from 9:15am (-0500) to 11:49am (-0700)
    Alaska Airlines Flight 635
    Portland Intl in Portland
    permalink #oauth #okta
  • Portland (PDX) to Seattle (SEA)
    October 3, 2018 from 9:30am to 10:35am (-0700)
    Alaska Airlines Flight 3457
    Seattle (SEA) to Chicago (ORD)
    October 3, 2018 from 12:15pm (-0700) to 6:30pm (-0500)
    Alaska Airlines Flight 22
    Chicago (ORD) to Cincinnati (CVG)
    October 3, 2018 at 10:15pm (-0500) until Oct 4 at 12:19am (-0400)
    American Airlines Flight 3507
    Cincinnati Northern Kentucky Intl in Cincinnati
    permalink #okta #oauth
  • Newark (EWR) to Seattle (SEA)
    September 30, 2018 from 6:00am (-0400) to 9:01am (-0700)
    Alaska Airlines Flight 31
    Seattle (SEA) to Portland (PDX)
    September 30, 2018 from 9:50am to 11:01am (-0700)
    Alaska Airlines Flight 393
    Portland Intl in Portland
    permalink #oauth #indiewebcamp #okta
  • New Haven, CT to New York Penn Station
    September 26, 2018 from 10:36am to 12:11pm (-0400)
    Amtrak Train 171
    New York Penn Station
    permalink #oauth #indiewebcamp #okta
Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.