Aaron Parecki
@aaronpk.com
#OAuth #IndieWeb
aaronpk.com
The dots that Solid OIDC connected were to specifically use the RFC7591 vocabulary in a JSON doc at the client ID URL, whereas IndieAuth originally parsed the metadata from HTML, and OpenID Federation nests the metadata inside an "Entity Statement" JSON wrapper.
aaronpk.com
I mean it was a big mix of things really. Most recently the JSON document idea came from there, but "client IDs as URLs" has been part of IndieAuth since 2015 web.archive.org/web/20150315... and OpenID Federation since 2016 openid.net/specs/openid...
aaronpk.com
Yeah, I definitely went hard mode by writing everything from scratch (except the JWT signing). Partly because I wanted to see what it actually takes to implement a library, partly because I can't stand the current state of most languages' package management 😅
aaronpk.com
This could replace Dynamic Client Registration in MCP, dramatically simplifying management of clients, as well as enabling servers to limit access to specific clients if they want.
aaronpk.com
The recent surge in interest in MCP has further demonstrated the need for this to be a standardized mechanism, and was the main driver in the latest round of discussion for the document!
aaronpk.com
The mechanism of clients identifying themselves as a URL has been in use in IndieAuth for over a decade, and more recently has been adopted by Bluesky for their OAuth API.
aaronpk.com
Clients identify themselves with their own URL, and host their metadata (name, logo, redirect URL) in a JSON document at that URL. They then use that URL as the client_id to introduce themselves to an authorization server for the first time.
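An added illustration, not code from the draft or from the author: how an authorization server might check a client ID metadata document it has already fetched from the client_id URL before honoring the redirect_uri in an authorization request. The document shape, the URL rules and the private-host guard are assumptions made for this example, not requirements quoted from the specification.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of what an AS would fetch from the client_id URL.
SAMPLE_DOC = {
    "client_id": "https://app.example/oauth/client-metadata.json",
    "client_name": "Example App",
    "redirect_uris": ["https://app.example/callback"],
    "token_endpoint_auth_method": "none",
}


def _host_is_private(host):
    """Reject literal loopback/private hosts before the AS would fetch the
    document (minimal SSRF guard; a real AS would also check resolved IPs)."""
    if host in ("localhost", ""):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname rather than a literal IP


def check_client_id_url(client_id):
    """Shape checks on a client_id that is a URL (assumed rules)."""
    u = urlparse(client_id)
    if u.scheme != "https":
        return "client_id must be an https URL"
    if u.fragment:
        return "client_id must not contain a fragment"
    if _host_is_private(u.hostname or ""):
        return "client_id host is not a public host"
    return None


def validate_client(client_id, doc, redirect_uri):
    """Validate a fetched metadata document against the client_id used in the
    authorization request. Returns None on success, else a reason string."""
    err = check_client_id_url(client_id)
    if err:
        return err
    # The document must claim the same URL it was served from.
    if doc.get("client_id") != client_id:
        return "document client_id does not match the URL it was fetched from"
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        return "document lacks redirect_uris"
    # Exact string comparison: no prefix or wildcard matching on redirect URIs.
    if redirect_uri not in uris:
        return "redirect_uri is not registered in the metadata document"
    return None
```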
aaronpk.com
The IETF OAuth Working Group has adopted the Client ID Metadata Document specification!

> This specification defines a mechanism through which an OAuth client can identify itself to authorization servers, without prior dynamic client registration or other existing registration.
aaronpk.com
Yes, I helped them with it. They also use the client-id-url technique that came from IndieAuth.
aaronpk.com
Thanks to everyone for your contributions and feedback so far!

And thanks to my co-authors Karl McGuinness and Brian Campbell!
aaronpk.com
While it will still be a while before it is an RFC, this is an important step in the standards process, as this is the first time the document is "official"! This signifies that the working group agrees that the problem is worth solving, and agrees on the general direction of the spec.
aaronpk.com
The IETF OAuth Working Group has adopted the Identity Assertion Authorization Grant specification!

datatracker.ietf.org/doc/draft-ie...

This is the basis of Cross App Access (XAA), providing IT admins better visibility and control by configuring the app-to-app connections in their enterprise IdP.
Identity Assertion Authorization Grant
This specification provides a mechanism for an application to use an identity assertion to obtain an access token for a third-party API by coordinating through a common enterprise identity provider us...
datatracker.ietf.org
aaronpk.com
DPoP should have added a section for the device code flow like this section about PAR. datatracker.ietf.org/doc/html/rfc...

The device code flow is similar to PAR: the initial request is backchannel to the AS. So the same considerations that apply to PAR here apply to the device code flow.
RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)
This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks wit...
datatracker.ietf.org
aaronpk.com
I agree DPoP binding should start with the initial request. But at the end of the day it doesn't make *that* much of a difference. The bigger risk with the device code flow is the phishing problem, which DPoP doesn't solve.
aaronpk.com
Update: it worked! I only had to tap my phone and I got through TSA!
aaronpk.com
It has come to my attention that I have previously loaded my passport into my Android phone as an "ID pass", which should theoretically get me through TSA legitimately.
aaronpk.com
If they do it like the transit card it'll still work when the phone battery is dead!
aaronpk.com
Maybe some day Oregon will get on the mDL bandwagon and I won't need to rely on this silly piece of plastic anymore.