Ō̴̡̨͍͕̠̹̘͖͓̭̝̰̖͉̬̫͍̝̰̟͖͖̞͇̟̻̫͇̠̯̋̋̂ͅͅA̷̡̧͎̫̬͖̠͍̼̗̠͊̉̏̓̈́̂̀̈́͆͘͜uth @oktadev oauth.wtf oauth.net 🎥 livestreaming youtube.com/aaronpk aaronpk.tv 💛 #indieweb 🐘🦋

Portland, Oregon
Joined April 2008
But there's a big difference in relying on a specific hash function for something that won't matter a day from now (validating an ID token) vs something that can be correlated years later (hashed identifiers in logs)
Relying on sha256 as the end of the story seems like a thing that also won't age well. It's only a matter of time until we see sha256 the way we see md5 today.
I actually thought I had already joined, but I haven't yet actually joined a meeting. It's a lot to keep up on with all the other spec work I'm in the middle of 😅
I'm actually really interested in this particular problem right now since Sign In with Apple is probably the biggest example of differing IDs per RP yet the first thing the RPs want to do is resolve that back to an identifiable user.
Oh yeah, that's intentional. It'd be interesting to explore what it could look like otherwise tho.
Do you mean when there's a viable replacement for DNS? We can cross that bridge when we come to it.
There are definitely some similarities since they are both adding an identity layer on top of OAuth. IndieAuth is a much smaller surface area tho and does less stuff. Some more details here: indieweb.org/How_is_IndieAut…
No, none of it relies on third party cookies thankfully, it's closer to plain OAuth in that sense.
Replying to @robertoblake
I do not want to add it all up
Dynamic Client Registration, but afaik no major provider supports this because they *want* RPs to have a pre-established relationship. We built IndieAuth to avoid the need for any client registration and it works great for that use case: aaronparecki.com/2018/07/07/…
Follow @wtf_oauth for your daily dose of OAuth humor, which will be funny to approximately 0.0001% of you
Replying to @johnallsopp
here you are trying to be actually helpful and I've just gone and set up a new parody twitter account @wtf_oauth now back to work, let me actually read this now 😅
Replying to @decentralgabe
I think copy.ai has it out for Khan Academy "I want to start a company based around making great educational content on truly complex concepts like OAuth. Think Khan Academy but also feel like you're talking with an expert."
Replying to @obra
That would very likely get me a better result than feeding this AI 3 sentences and having it come up with comedy gold like this: "OAuth is like having the Facebook app on your phone, but you are using the same password that you are using for everything else."
Replying to @akalsey
I actually mostly do, but for this one I want to branch out and approach things differently
At the end of the day, OAuth is just a way to communicate between services and users, and as such it's easy to grasp and non-controversial. OAuth solved a universal problem – signing into a web site – and, in doing so, created a new problem: how does a site know it's really you?
this is so much more fun than writing this CFP: "At the end of the day, OAuth is just a messaging protocol for communicating between services and users, and as such it's easy to grasp and non-controversial."
oh but this sentence it made is gold: "Developed for internal use at Google, OAuth is an elegant solution to making web services easy to use while keeping your private data private."
Replying to @johnallsopp
well now I'm trying to describe what I'm trying to write about and realizing that if I could do that well that would be the CFP 😅
Replying to @decentralgabe
oh my god it's repeating sentences back to me that I've written in blog posts and other places online 😂