OAuth @oktadev oauth.wtf oauth.net 🎥 livestreaming youtube.com/aaronpk aaronpk.tv 💛 #indieweb 🐘🦋

Portland, Oregon
Joined April 2008
Replying to @every_daydad
As someone who decided to switch to Windows just for video editing, I agree with this list. Except for screenshots, there's a Print Screen button! iMessage and AirDrop mean so many more hoops to get stuff from my phone to my laptop.
Replying to @akalsey
Seriously! It's like one of the first things you learn when developing web apps. It's an embarrassing oversight, frankly.
Replying to @sebmck
Holy crap, that even applies to using personal devices on company property. Which I guess isn't that significant right now, but still.
Replying to @twaddington
Same, and some of them are from really suspicious looking Twitter accounts. I haven't clicked, but I'm wondering if the sites they promote are some sort of tracking network. Kinda want to dig into this now.
I wrote an in-depth explanation of the "Sign In with Apple" Zero-Day that was revealed by a security researcher this weekend. The problem had nothing to do with OAuth or JWT, and you might be surprised at how simple the bug actually was. aaronparecki.com/2020/05/31/…
I keep seeing "Jun 1" in log files and being like, wait, what's wrong with my server?
Replying to @nov
That's true, I noticed I have multiple me.com addresses on my account when I was making the screenshots and forgot to update this text to match. Still, the point is the same.
Replying to @JGamblin
Posted a full writeup with a lot more details: aaronparecki.com/2020/05/31/…
Replying to @JGamblin
Lack of form validation.
Replying to @JGamblin
I should have replied to that one. It's barely a logic bug using JWT. I'm writing up more details in a blog post, will post a link shortly.
Replying to @JGamblin
This has almost nothing to do with JWTs, or even OpenID Connect for that matter.
The original post didn't make this clear, so I'm writing a new post to hopefully better explain the problem. You'll see that it has nothing to do with OIDC at all. Link coming shortly, I hope.
Please go read it again and understand the problem.
Go read the writeup again. The original post wasn't the clearest explanation of the problem but I also posted some more details in this thread that make it clearer.
And? Certification wouldn't have caught this bug, since it wasn't a problem with the OIDC part of the exchange.
Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers.
Replying to @ayayalar
Yeah it's mainly a technical limitation of the platform we used for publishing it. If you send me a receipt, I'll send you the other format!
Nah, this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.
Now that I'm writing this out, I realize that the client also sends back the "name" here, intentionally, since the name is user-editable. So I can see how this happened. It's just extremely poor coding practice to essentially also allow the email to be editable here.