OAuth @oktadev oauth.wtf oauth.net 🎥 livestreaming youtube.com/aaronpk aaronpk.tv 💛 #indieweb 🐘🦋

Portland, Oregon
Joined April 2008
Replying to @JGamblin
I should have replied to that one. It’s barely a logic bug using JWT. I’m writing up more details in a blog post, will post a link shortly.
1
Replying to @JGamblin
This has almost nothing to do with JWTs, or even OpenID Connect for that matter.
1
2
The original post didn’t make this clear, so I’m writing a new post to hopefully better explain the problem. You’ll see that it has nothing to do with OIDC at all. Link coming shortly, I hope.
1
Please go read it again and understand the problem
1
Go read the writeup again. The original post wasn't the clearest explanation of the problem but I also posted some more details in this thread that make it clearer.
1
And? Certification wouldn't have caught this bug since it wasn't a problem with the OIDC part of the exchange.
1
Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers.
2
Replying to @ayayalar
Yeah it's mainly a technical limitation of the platform we used for publishing it. If you send me a receipt, I'll send you the other format!
Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.
2
1
Now that I'm writing this out, I realize that the client also sends back the "name" here, intentionally, since the name is user-editable. So I can see how this happened. It's just extremely poor coding practice to essentially also allow the email to be editable here.
2
It's the handler that responds to the "Continue" form post on this screen. Instead of a Boolean, the client sent back the actual email address and the server accepted arbitrary values.
1
Yeah, it's just not part of the OAuth API. It's more like bad logic on the internal implementation of the AS.
2
1
If I'm reading it right it's not the token endpoint, it's their internal API for accepting the request that let the user choose which email to share with the app. So it's a form validation problem.
1
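The bug described in the posts above (the consent screen's "Continue" form posting back an email address instead of a yes/no choice, and the authorization server's handler accepting whatever arrived) can be modelled in a few lines. The following is an added example, not code from Aaron's writeup or from the authorization server being discussed; the account store, field names (`share_email`, `email_choice`) and claim shapes are assumptions chosen to show the point. It places the trusting handler beside a hardened one that resolves the user's selection against server-side state.

```python
"""
Added example (not from the thread or any real authorization server).
Models a consent-screen "Continue" handler. The server already knows which
addresses belong to the signed-in account; the form only needs to say which
one the user picked, so the handler must never take an address from the form.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Account:
    user_id: str
    name: str            # user-editable, so taking it from the form is acceptable
    emails: List[str]    # verified addresses held by the authorization server


class ConsentError(ValueError):
    """Raised when the consent form carries a selection the server cannot honour."""


# Constructed sample account store (hypothetical data).
ACCOUNTS: Dict[str, Account] = {
    "u-123": Account(user_id="u-123", name="Alice",
                     emails=["alice@example.com", "alice@work.example"]),
}


def consent_handler_vulnerable(user_id: str, form: dict) -> dict:
    """The pattern described in the thread: the form echoes back the email
    and the server trusts it, so the claims released to the client can carry
    any address the browser chose to send."""
    acct = ACCOUNTS[user_id]
    return {
        "sub": acct.user_id,
        "name": form.get("name", acct.name),
        "email": form["email"],   # form-controlled value flows straight to the client
    }


def consent_handler_fixed(user_id: str, form: dict) -> dict:
    """Hardened form: the form expresses a choice (share or not, and which
    index), and the server resolves that choice against its own records.
    Any 'email' field in the form is simply ignored."""
    acct = ACCOUNTS[user_id]
    claims = {"sub": acct.user_id, "name": acct.name}

    # Name is user-editable by design; still bound its shape.
    name = form.get("name")
    if name is not None:
        if not isinstance(name, str) or not 1 <= len(name.strip()) <= 200:
            raise ConsentError("invalid name")
        claims["name"] = name.strip()

    # A boolean decides whether an email is released at all (parse "on"/"true"
    # to a bool before this point in a real form-post handler).
    if form.get("share_email") is True:
        choice = form.get("email_choice", 0)
        if (isinstance(choice, bool) or not isinstance(choice, int)
                or not 0 <= choice < len(acct.emails)):
            raise ConsentError("email selection out of range")
        claims["email"] = acct.emails[choice]   # looked up server-side, never from the form
    return claims
```

The difference is where the authoritative value lives: in the vulnerable handler the client is the source of truth for `email`, while in the fixed handler the form can only index into data the authorization server already verified, which is the same "keep the client simple, push the complexity to the AS" point made in the thread.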
Replying to @starbuxman
Don't worry, there's still time for the earthquake
1
All we need is the big earthquake to really round out 2020
3
3
1
18
Replying to @adamavenir
Not even 6 months into the 2020s and we've already written off the entire decade 😂😭 is that the point we're at right now
1
This is by far the most thoughtful social media release request I've seen on Twitter. 👏
Replying to @tkerssen
Hi. First, we hope you're safe. We have reporters around the city tonight, but we also want to include photos and videos from around the community to ensure we're providing complete coverage. Did you take this video, and can we use it on TV and digital/social media?
6
Aaron Parecki retweeted
Boy you’d think a country that can equip every cop like a soldier could equip every doctor like a doctor
2,004
147,115
3,242
611,947
Aaron Parecki retweeted
why is the active voice used for protestors (“protestors struck a journalist”) but not for police (“a photographer was shot,” “a reporter was hit”)?
Minneapolis: A photographer was shot in the eye. Washington, D.C.: Protesters struck a journalist with his own microphone. Louisville: A reporter was hit by a pepper ball on live television by an officer who appeared to be aiming at her. nyti.ms/2ZYDFtv
159
11,915
296
49,680
Replying to @benwerd
Caveat: I mainly use fighting cock in mixed drinks. It's not that great on its own.
1