Aaron Parecki

#oauth

  • Aaron Parecki

    Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

    OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

    In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

    Portland, Oregon
    Sat, Feb 4, 2017 11:35am -08:00 #oauth #oauth2
  • Portland (PDX) to Phoenix (PHX)
    November 4, 2023 from 2:02pm to 4:43pm (-0700)
    American Airlines Flight 3231
    Phoenix (PHX) to London (LHR)
    November 4, 2023 at 8:30pm (-0700) until Nov 5 at 1:20pm (+0000)
    British Airways Flight 288
    London (LHR) to Prague (PRG)
    November 5, 2023 from 3:00pm (+0000) to 6:00pm (+0100)
    British Airways Flight 856
    Ruzyne in Prague
    #okta #ietf #oauth
  • IETF 118
    November 4-10, 2023
    7 days
    Hilton Prague Old Town
    Praha, Hlavní město Praha, CZE
    #oauth #ietf #ietf118 #okta
  • Prague
    November 2-11, 2023
    10 days
    Hilton Prague Old Town
    Praha, Hlavní město Praha, CZE
    #ietf #ietf118 #oauth #okta
  • Aaron Parecki (https://aaronparecki.com/) • Oct 26
    This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
    Aaron Parecki
    tl;dr: Don't accept access tokens in your redirect URI (don't use the implicit flow)

    PKCE solves this attack and is enforced by the server rather than relying on client developers to "verify the access token" as described in the post.
    Portland, Oregon, USA
    Thu, Oct 26, 2023 8:51am -07:00 #oauth
  • Aaron Parecki
    This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
    Portland, Oregon, USA
    Thu, Oct 26, 2023 8:50am -07:00 #oauth
  • Aaron Parecki
    The deadline to submit drafts ahead of the IETF meeting in November just passed, and I submitted my last one with 30 minutes to spare! Here are all the docs I'll be discussing:

    https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html

    https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-01.html

    https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-00.html

    https://www.ietf.org/archive/id/draft-parecki-oauth-metadata-for-nested-flows-00.html
    Portland, Oregon, USA
    Mon, Oct 23, 2023 5:15pm -07:00 #oauth #ietf
  • OAuth WG

    OAuth for Browser-Based Apps Draft 15

    After a lot of discussion on the mailing list over the last few months, and after some excellent discussions at the OAuth Security Workshop, we've been working on revising the draft to provide clearer guidance and clearer discussion of the threats and consequences of the various architectural patterns in the draft.
    Mon, Oct 23, 2023 9:12am -07:00 #oauth #ietf
  • San Diego (SAN) to Portland (PDX)
    October 19, 2023 from 12:58pm to 3:39pm (-0700)
    Alaska Flight 1177
    Portland Intl in Portland
    #fido #okta #oauth
  • Authenticate 2023
    October 16-18, 2023
    3 days
    Omni La Costa Resort & Spa
    Carlsbad, California, US
    #okta #oauth #fido
  • San Diego
    October 16-19, 2023
    4 days
    Omni La Costa Resort & Spa
    Carlsbad, California, US
    #fido #okta #oauth
  • Portland (PDX) to San Diego (SAN)
    October 16, 2023 from 7:00am to 9:26am (-0700)
    Alaska Flight 1074
    San Diego Intl in San Diego
    #fido #oauth #okta
  • San Jose (SJC) to Portland (PDX)
    October 12, 2023 from 6:25pm to 8:14pm (-0700)
    Alaska Flight 2144
    Portland Intl in Portland
    #okta #oauth #openid #identity #iiw
  • Internet Identity Workshop
    October 10-12, 2023
    3 days
    Computer History Museum
    Mountain View, California, US
    #identity #openid #oauth #iiw #okta
  • Portland (PDX) to San Jose (SJC)
    October 9, 2023 from 4:00pm to 5:45pm (-0700)
    Alaska Flight 2144
    Norman Y Mineta San Jose Intl in San Jose
    #okta #openid #iiw #oauth #identity
  • Mountain View
    October 9-12, 2023
    4 days
    Computer History Museum
    Mountain View, California, US
    #identity #iiw #oauth #openid #okta
  • Device Bound Session Credentials explainer (github.com)
    Tue, Aug 29, 2023 3:50pm -07:00 #cookies #browsers #security #oauth
  • MSEdgeExplainers/BindingContext/explainer.md at main · MicrosoftEdge/MSEdgeExplainers (github.com)
    Tue, Aug 29, 2023 3:49pm -07:00 #dpop #bpop #oauth #security #cookies #browsers
  • London (LHR) to Portland (PDX)
    August 25, 2023 from 3:30pm (+0100) to 5:20pm (-0700)
    British Airways Flight 267
    Portland Intl in Portland
    #oauth #security
  • OAuth Security Workshop
    August 22-24, 2023
    3 days
    Royal Holloway
    Runnymede, England, GBR
    #oauth #security #osw
  • Portland (PDX) to London (LHR)
    August 18, 2023 at 7:10pm (-0700) until Aug 19 at 12:35pm (+0100)
    British Airways Flight 266
    Heathrow in London
    #oauth #security

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.