Aaron Parecki

#oauth

  • Aaron Parecki

    Hi, I'm Aaron Parecki. I write about OAuth here, and I give talks about OAuth 2.0. Below you'll find my recent posts about various OAuth-related things, including talks I'm giving. I've also written two community resources about OAuth:

    OAuth 2.0 Simplified is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.

    In 2017, I published a longer version of this guide as a book, available on oauth.com as well as a print version. The book guides you through building an OAuth server, and covers many details that are not part of the spec. I published this book in conjunction with Okta.

    Portland, Oregon
    Sat, Feb 4, 2017 11:35am -08:00 #oauth #oauth2
  • Rome (FCO) to Dallas-Fort Worth (DFW)
    April 13, 2024 from 10:10am (+0200) to 2:35pm (-0500)
    American Airlines Flight 239
    Dallas-Fort Worth (DFW) to Las Vegas (LAS)
    April 13, 2024 from 6:53pm (-0500) to 7:50pm (-0700)
    American Airlines Flight 1771
    Mc Carran Intl in Las Vegas
    #okta #oauth
  • OAuth Security Workshop
    April 10-12, 2024
    3 days
    Auditorium Antonianum
    Roma, Lazio, IT
    #oauth #osw
  • Portland (PDX) to Dallas-Fort Worth (DFW)
    April 8, 2024 from 7:00am (-0700) to 12:44pm (-0500)
    Alaska Flight 392
    Dallas Fort Worth Intl in Dallas-Fort Worth
    #okta #oauth
  • Portland (PDX) to Dallas-Fort Worth (DFW)
    April 8, 2024 from 6:20am (-0700) to 12:04pm (-0500)
    American Airlines Flight 2216
    Dallas-Fort Worth (DFW) to Rome (FCO)
    April 8, 2024 at 2:50pm (-0500) until Apr 9 at 8:05am (+0200)
    American Airlines Flight 240
    Fiumicino in Rome
    #oauth #okta
  • Italy
    April 8-13, 2024
    6 days
    Metropolitan City of Rome Capital
    Roma, Lazio, ITA
    #oauth #osw
  • OAuth: "grant" vs "flow" vs "grant type"

    Is it called an OAuth "grant" or a "flow"? What about "grant type"?
    1 like 5 reposts
    Fri, Mar 29, 2024 8:15am -07:00 #oauth #terminology
  • IETF 119 Brisbane
    March 16-22, 2024
    7 days
    Brisbane
    Brisbane, Queensland, AU
    #ietf #oauth #scim
  • rdar://51091611: OAuth 2.0 redirection with Universal Links should NOT require user interaction (openradar.appspot.com)
    Fri, Dec 15, 2023 4:35pm -08:00 #ios #apple #oauth
  • Prague (PRG) to London (LHR)
    November 11, 2023 from 7:05am (+0100) to 8:20am (+0000)
    British Airways Flight 853
    London (LHR) to Los Angeles (LAX)
    November 11, 2023 from 10:10am (+0000) to 1:25pm (-0800)
    British Airways Flight 283
    Los Angeles (LAX) to Portland (PDX)
    November 11, 2023 from 4:20pm to 6:48pm (-0800)
    Alaska Flight 3374
    Portland Intl in Portland
    #okta #oauth #ietf
  • My IETF 118 Agenda

    The sessions I will be attending and presenting at during IETF 118 in Prague
    Mon, Nov 6, 2023 1:07pm +01:00 #ietf #oauth
  • Portland (PDX) to Phoenix (PHX)
    November 4, 2023 from 2:02pm to 4:43pm (-0700)
    American Airlines Flight 3231
    Phoenix (PHX) to London (LHR)
    November 4, 2023 at 8:30pm (-0700) until Nov 5 at 1:20pm (+0000)
    British Airways Flight 288
    London (LHR) to Prague (PRG)
    November 5, 2023 from 3:00pm (+0000) to 6:00pm (+0100)
    British Airways Flight 856
    Ruzyne in Prague
    #okta #ietf #oauth
  • IETF 118
    November 4-10, 2023
    7 days
    Hilton Prague Old Town
    Praha, Hlavní město Praha, CZE
    #oauth #ietf #ietf118 #okta
  • Prague
    November 2-11, 2023
    10 days
    Hilton Prague Old Town
    Praha, Hlavní město Praha, CZE
    #ietf #ietf118 #oauth #okta
  • Aaron Parecki https://aaronparecki.com/   •   Oct 26
    This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
    Aaron Parecki
    tl;dr: Don't accept access tokens in your redirect URI (don't use the implicit flow)

    PKCE solves this attack and is enforced by the server rather than relying on client developers to "verify the access token" as described in the post
    Portland, Oregon, USA • 42°F
    4 likes 2 reposts 1 reply
    Thu, Oct 26, 2023 8:51am -07:00 #oauth
  • Aaron Parecki
    This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
    Portland, Oregon, USA • 42°F
    6 likes 8 reposts 2 replies 1 mention
    Thu, Oct 26, 2023 8:50am -07:00 #oauth
  • Aaron Parecki
    The deadline to submit drafts ahead of the IETF meeting in November just passed, and I submitted my last one with 30 minutes to spare! Here are all the docs I'll be discussing:

    https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html

    https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-01.html

    https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-00.html

    https://www.ietf.org/archive/id/draft-parecki-oauth-metadata-for-nested-flows-00.html
    Portland, Oregon, USA
    6 likes 3 reposts 1 reply 1 mention
    Mon, Oct 23, 2023 5:15pm -07:00 #oauth #ietf
  • OAuth WG

    OAuth for Browser-Based Apps Draft 15

    After a lot of discussion on the mailing list over the last few months, and after some excellent discussions at the OAuth Security Workshop, we've been working on revising the draft to provide clearer guidance and clearer discussion of the threats and consequences of the various architectural patterns in the draft.
    1 mention
    Mon, Oct 23, 2023 9:12am -07:00 #oauth #ietf
  • San Diego (SAN) to Portland (PDX)
    October 19, 2023 from 12:58pm to 3:39pm (-0700)
    Alaska Flight 1177
    Portland Intl in Portland
    #fido #okta #oauth
  • Authenticate 2023
    October 16-18, 2023
    3 days
    Omni La Costa Resort & Spa
    Carlsbad, California, US
    #okta #oauth #fido
  • San Diego
    October 16-19, 2023
    4 days
    Omni La Costa Resort & Spa
    Carlsbad, California, US
    #fido #okta #oauth

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.