Aaron Parecki

#oauth

  • Aaron Parecki

    Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

    OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

    In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

    Portland, Oregon
    Sat, Feb 4, 2017 11:35am -08:00 #oauth #oauth2
  • Steve Hutchinson https://twitter.com/IdentityHutch
    Nice rebuttal by @scottbrady91 from @rskltd to Okta's “Nobody Cares About #OAuth or #OpenID Connect.” I agree that developers should care and #identity professionals should elevate the discourse. @idpro_org @openid #OIDC https://www.scottbrady91.com/OAuth/Why-Developers-Do-Care-About-OAuth-and-OpenID-Connect
    Portland, Oregon • 42°F
    Mon, Jan 28, 2019 3:57pm +00:00 (liked on Mon, Jan 28, 2019 8:04am -08:00) #OAuth #OpenID #identity #OIDC
  • Scott Brady https://twitter.com/scottbrady91
    Why Developers Do Care About OAuth and OpenID Connect https://www.scottbrady91.com/OAuth/Why-Developers-Do-Care-About-OAuth-and-OpenID-Connect @oktadev @openid #oauth
    Portland, Oregon • 42°F
    Mon, Jan 28, 2019 1:22pm +00:00 (liked on Mon, Jan 28, 2019 8:03am -08:00) #oauth
  • Why Developers Do Care About OAuth and OpenID Connect - Scott Brady (www.scottbrady91.com)
    Mon, Jan 28, 2019 8:02am -08:00 #oauth #okta
  • Chaining Tricky OAuth Exploitation To Stored XSS – Rohan Aggarwal – Medium (medium.com)
    Sun, Jan 27, 2019 4:48pm -08:00 #oauth #security #xss
  • Aaron Parecki
    If you've ever needed a link to send someone to explain why OAuth secrets aren't safe in mobile apps, I made you a thing: https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps
    San Francisco, California, USA • 59°F
    13 likes 10 reposts 3 replies
    Tue, Jan 22, 2019 4:09pm -08:00 #oauth #oauth2 #api #security
  • The State of the Implicit Flow in OAuth2 | brockallen (brockallen.com)
    Thu, Jan 3, 2019 2:27pm -08:00 #oauth #oauth2
  • Aaron Parecki
    A pretty good step-by-step walkthrough of the @oauth2 PKCE flow by @afitnerd https://developer.okta.com/blog/2018/12/13/oauth-2-for-native-and-mobile-apps

    and yes it's pronounced "pixie"
    Springfield Gardens, New York • 50°F
    2 likes 3 reposts 1 reply 1 mention
    Fri, Dec 14, 2018 12:19pm -05:00 #oauth #pkce
  • New York (JFK) to Los Angeles (LAX)
    December 14, 2018 from 7:10am (-0500) to 10:36am (-0800)
    Alaska Flight 420
    Los Angeles (LAX) to Portland (PDX)
    December 14, 2018 from 11:00am to 1:35pm (-0800)
    Alaska Flight 1795
    Portland Intl in Portland
    #oauth #okta
  • Aaron Parecki
    Take 3 minutes to learn how OAuth access tokens are like a hotel keycard! 🔐💳
    https://www.youtube.com/watch?v=BNEoKexlmA4 (Filmed last week at my hotel!)
    10 likes 7 reposts 1 reply
    Thu, Dec 13, 2018 2:54pm -05:00 #oauth
  • What is going on with OAuth 2.0? And why you should not use it for authentication. (medium.com)
    Thu, Dec 13, 2018 1:16pm -05:00 #oauth
  • Seattle (SEA) to Portland (PDX)
    December 11, 2018 from 6:55pm to 7:46pm (-0800)
    Alaska Flight 2627
    Portland (PDX) to New York (JFK)
    December 11, 2018 at 9:22pm (-0800) until Dec 12 at 5:27am (-0500)
    Alaska Flight 450
    John F Kennedy Intl in New York
    #okta #w3c #oauth
  • W3C Workshop on Strong Authentication & Identity
    December 10-11, 2018
    Microsoft Building 27
    Redmond, Washington, US
    #oauth #openid
  • Portland (PDX) to Seattle (SEA)
    December 9, 2018 from 9:20pm to 10:19pm (-0800)
    Alaska Flight 2268
    Seattle Tacoma Intl in Seattle
    #okta #w3c #oauth
  • Tom Scavo https://twitter.com/trscavo
    The #OAuth implicit flow is taking a beating right now. See: OAuth 2.0 Security Best Current Practice https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10 and OAuth 2.0 for Browser-Based Apps https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-01
    Los Angeles, California • 52°F
    Thu, Dec 6, 2018 11:49pm +00:00 (liked on Thu, Dec 6, 2018 5:03pm -08:00) #OAuth
  • NFC Card Emulation with ACR122u(PN532) (salmg.net)
    Sun, Dec 2, 2018 3:04pm -08:00 #nfc #security #oauth
  • https://www.ietf.org/mail-archive/web/oauth/current/msg18477.html
    OAUTH-WG
    Aaron Parecki
    On Wed, Nov 7, 2018 at 7:20 AM Joseph Heenan <joseph at authlete.com> wrote:

    > It may be worth slightly rewording 7.2 as it may encourage a growing misconception that all native apps must be public clients. With many devices now having embedded HSMs, we’ve seen increasing interest in mobile apps being dynamically (per-install) registered oauth2 private clients, and that model has a lot of advantages. (I’m not sure if we might see a similar model evolving for web apps.)

    That's a great point, thanks. I've removed the reference to native apps being public clients since it doesn't really add anything to this spec if I have to caveat the description.

    On Thu, Nov 15, 2018 at 12:58 PM Torsten Lodderstedt <torsten at lodderstedt.net> wrote:

    > > > First of all the AS decides whether it issues refresh tokens or not. Having the ability does not mean the AS must do it. If you feel it’s safer to not do it. Fine.
    > > Sure, and this should be mentioned then somewhere (either in the threats doc or in this proposed best practice doc). Not all end developers using these protocols fully understand the ramifications.
    > @Aaron: I suggest this goes to the SPA BCP since this is client specific.

    Thanks, I agree that this document should include some recommendations around refresh token handling. Looking at the discussion in this thread, it seems there are a few different strategies folks are taking. Since it seems like there isn't a strong consensus, it sounds like this would be better suited for the "Security Considerations" section, and to not make MUST/SHOULD recommendations, but rather just point out the issues. Any thoughts on that before I take a stab at writing something?

    I've incorporated some of the other feedback here and published an updated version:

    https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-01

    Thanks for the feedback so far.
    Portland, Oregon
    Mon, Nov 19, 2018 6:09pm -08:00 #oauth
  • (datatracker.ietf.org)
    Portland, Oregon • 52°F
    Mon, Nov 19, 2018 3:49pm -08:00 #ietf #oauth #ietf103
  • Aaron Parecki
    Alright, I think we can call it. Between @tlodderstedt's OAuth Security Best Practices and OAuth 2.0 for Browser Apps, the Implicit Flow is dead.

    https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09

    https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-00

    https://medium.com/@torsten_lodderstedt/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
    Portland, Oregon, USA • 36°F
    4 likes 5 reposts 2 mentions
    Fri, Nov 9, 2018 8:57am -08:00 #oauth #oauth2
  • https://www.ietf.org/mail-archive/web/oauth/current/msg18468.html
    OAUTH-WG
    Aaron Parecki
    Thanks Hannes,

    Since I wasn't able to give an intro during the meeting today, I'd like to share a little more context about this here as well.

    At the Internet Identity Workshop in Mountain View last week, I led a session to collect feedback on recommendations for OAuth for browser based apps. During the session, we came up with a list of several points based on the collective experience of the attendees. I then tried to address all those points in this draft.

    The goal of this is not to specify any new behavior, but rather to limit the possibilities that the existing OAuth specs provide, to ensure a secure implementation in browser based apps.

    Thanks in advance for your review and feedback!
    Portland, Oregon • 47°F
    Tue, Nov 6, 2018 11:13am +01:00 #oauth
  • IETF 103 OAuth Meeting
    November 6, 2018 11:20am - 12:20pm (+0700)
    #oauth

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming.

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.