OAuth for the Open Web

aaronparecki.com

Aaron Parecki · Jul 29, 2018 · 4:42 PM UTC

Aaron Parecki @aaronpk

29 Jul 2018

Awesome! I'd love to know what kinds of questions you get after the talk!

Khor · Aug 8, 2018 · 7:03 AM UTC

Khor @neth_6

8 Aug 2018

Got a #IndieAuth question. Since there is no client pre-registration, there is no client secret. Thus during code/access token exchange no client secret is used. Less secure than Authorization Code and more like Implicit perhaps?

Aaron Parecki · Aug 8, 2018 · 1:25 PM UTC

Aaron Parecki · Aug 8, 2018 · 1:25 PM UTC

Aaron Parecki @aaronpk

8 Aug 2018

Replying to @neth_6

Good question! The OAuth Authorization Code flow doesn't require a secret either. For example mobile apps can't use a secret, but still use the Auth Code flow. There are many benefits to the Auth Code flow over Implicit, I wrote some about that here developer.okta.com/blog/2018…

What is the OAuth 2.0 Implicit Grant Type?

The Implicit Grant Type is a way for a single-page JavaScript app to get an access token without an intermediate code exchange step. It was originally created for use by JavaScript apps (which don't...

developer.okta.com

Aug 8, 2018 · 1:25 PM UTC

Khor · Aug 8, 2018 · 2:40 PM UTC

Khor @neth_6

8 Aug 2018

Replying to @aaronpk

The link you shared is for Implicit? Implicit does not use client secret. Does this mean IndieAuth is more similar to Implicit than Auth Code but is more secure as the client id has to be redirect uri?

Aaron Parecki · Aug 8, 2018 · 2:42 PM UTC

Aaron Parecki @aaronpk

8 Aug 2018

Regular OAuth 2.0 also supports the Authorization Code flow with no secret. In fact, many companies recommend Auth Code w/no secret instead of Implicit. IndieAuth is like taking Auth Code w/no secret and adding back some layers of security because of the client ID being a URL.

more replies