Ō̴̡̨͍͕̠̹̘͖͓̭̝̰̖͉̬̫͍̝̰̟͖͖̞͇̟̻̫͇̠̯̋̋̂ͅͅA̷̡̧͎̫̬͖̠͍̼̗̠͊̉̏̓̈́̂̀̈́͆͘͜uth @oktadev oauth.wtf oauth.net 🎥 livestreaming youtube.com/aaronpk aaronpk.tv 💛 #indieweb 🐘🦋
Portland, Oregon
Joined April 2008
- Tweets 11,388
- Following 1,223
- Followers 6,415
- Likes 9,609
followup question:
{fake company}.lol
{fake company}.tube
{fake company}.beer
{fake company}.cool
5
4
On a plane to Boston! ✈️ I'll be giving a talk at @DevConf_us this weekend!
If you're in the area I'd love to meet up and talk about all things #oauth #indieweb and more!
1
4
Dear @AlaskaAir gate agents,
Please always prefix your boarding announcements with the flight number and destination.
Otherwise your announcement that's broadcast over several gates causes complete panic when people think their group number has already boarded.
1
1
what if they had been called #waffletags instead? @chrismessina?
2
2
In any case, having another consumer deployed will only help make the case to add it to the official registry! Especially when a few podcasts start to publish it too.
That’s a good question! I suspect it’s because there weren’t enough examples of publishers and consumers, but I’m having trouble finding a reference to the formal process to get things added to that list.
It's been listed here for ages! microformats.org/wiki/existi…
Also I just added it to the list of implementations here microformats.org/wiki/rel-pa…
1
This is great news for podcaster creators! Now podcasters have an easy way to let listeners support the podcast financially! Thanks for taking the lead on this @marcoarment, I hope other podcast apps follow suit! nitter.vloup.ch/marcoarment/stat…
6
15
Using rel=payment would be great! There's some research and documentation on that here indieweb.org/payment
1
1
17
Regular OAuth 2.0 also supports the Authorization Code flow with no secret. In fact, many companies recommend Auth Code w/no secret instead of Implicit.
IndieAuth is like taking Auth Code w/no secret and adding back some layers of security because of the client ID being a URL.
1
1
But, most importantly, the fact that IndieAuth uses a URL for the client ID means that you *do* authenticate the client in the initial Auth Code request, since the redirect URL has to match the domain or be registered. That's an improvement over OAuth with no secret.
1
1
Without the secret, there is no authentication of the client. PKCE solves this by using essentially an on-the-fly secret safe for use by mobile apps. IndieAuth *could* adopt the PKCE extension as well, tho afaik noone has done that yet.
Good question! The OAuth Authorization Code flow doesn't require a secret either. For example mobile apps can't use a secret, but still use the Auth Code flow. There are many benefits to the Auth Code flow over Implicit, I wrote some about that here developer.okta.com/blog/2018…
1
it also thickens hot sauce nicely
It’s hot sauce season again! Time to turn the amazing amount of tomatoes and carrots we get from the CSA into delicious hot sauce!
Recipe: aaronparecki.com/2018/08/05/…
2