#OAuth

If you're wondering what these documents look like, here's an example:
https://cimd-service.fly.dev/clients/bafyreidxk6lscepiy3lxtev7jag67s2taiyhk3gwazfd4khivaejsfyipq

#oauth

Built a little thing over the past ~20 hours:

A service for provisioning public Client ID Metadata Documents for use in development environments where you aren't publicly on the web.

https://cimd-service.fly.dev/

#oauth

Okay, so, I finally built that OAuth Client ID Metadata Service that I've been talking about on an off, and also verified it works with bluesky: cimd-service.fly.dev I did have to change my application_type to native to use localhost redirect URIs, which was annoying. #oauth #atproto

https://cimd-service.fly.dev/

I wouldn’t say this is 100% accurate but enjoy it for what it is.. a nerdy concept explained with meme cats. 🐱

#Caturday #oauth

I wouldn’t say this is 100% accurate but enjoy it for what it is.. a nerdy concept explained with meme cats. 🐱

#Caturday #oauth

I wouldn’t say this is 100% accurate but enjoy it for what it is.. a nerdy concept explained with meme cats. 🐱

#Caturday #oauth

I wouldn’t say this is 100% accurate but enjoy it for what it is.. a nerdy concept explained with meme cats. 🐱

#Caturday #oauth

Just had a moment of realization: even if the code compiles, it doesn't mean there aren't hallucinations lurking within.

My gen-ai agent added a URL parameter that doesn’t even exist in the OAuth spec.

Everything seemed correct, but it turned out to be just a mock.

#Coding #AI #OAuth

Oauth working for Kubernetes authentication and authorization.

Very satisfying, if fiddly.

#HomeLab #Kubernetes #k8s #Oauth

Cool blog spotto

https://blog.stonegarden.dev/

#Kubernetes #OIDC #Oauth #k8s #Proxmox #Talos #TalosLinux #ArgoCD

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

Spent the past hour doing some updates to the Client ID Metadata Documents internet draft. Trying to find alignment with the Client ID Prefix internet draft and fix a few open issues. #ietf #oauth

Spent the past hour doing some updates to the Client ID Metadata Documents internet draft. Trying to find alignment with the Client ID Prefix internet draft and fix a few open issues. #ietf #oauth

Mixing up Public and Private Keys in OpenID Connect deployments - Hanno's Blog:

https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html

#oauth #openid #security

I don't want to create a new account for every software / server. Where is the #OAuth thing for #ActivityPub?

#Mastodon #PixelFed #Lemmy

Vulnerability in Google’s OAuth System exposes millions to risk

Researchers warn that unused domains could grant unauthorised access to sensitive SaaS accounts

https://www.computing.co.uk/news/2025/security/vulnerability-in-google-oauth-system-exposes-millions-to-risk

#google #oauth #infosec #cybersecurity

OAuth 2.0の認可エンドポイントにおける脆弱な実装例と対策について考える
https://qiita.com/task4233/items/3af1b3d2690b44979659?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #Security #OAuth #OAuth2_0

【Go言語】Goで学ぶOAuth認証
https://qiita.com/fujifuji1414/items/98af4c0529430f112209?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #Go #OAuth #認証 #OAuth2_0 #初学者向け

Amplify Gen2 (Vue) で画像管理機能のベースを作る
https://qiita.com/onoshima/items/7431ee1961d71b4d5c9d?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #AWS #OAuth #Vue_js #SRE #amplify

Has anyone made a good, reliable "log in with your fediverse account" library/service, ideally for node.js, yet?

#fediverse #oauth #nodejs #opensource

We got a blog post out summarizing our launch of OAuth for AT Protocol, and what work remains. This has been a huge project, led by Matthieu, with input from a bunch of standards folks and devs.

This tries to solve the same basic challenge that ActivityPub has, and builds on work by @thisismissem and @aaronpk at the IETF (OAuth client metadata documents). Would be great if social web protocols end up aligning on the general shape of a solution and care share code+review.

#oauth #ietf

Gosh this PKCE stuff goes back to 2020.

Reads:
- Dropbox: https://dropbox.tech/developers/pkce--what-and-why-
- Postman: https://blog.postman.com/pkce-oauth-how-to/
- Mastodon OAuth PKCE extension PR: https://github.com/mastodon/mastodon/pull/31129
- Mastodon OAuth documentation PR: https://github.com/mastodon/documentation/pull/1445

#OAuth

Welcome to my new followers. I have taken possession of your souls, for which I am eternally grateful.

By way of #introduction, here are a few things that I am sometimes known for:

• I wrote the book API Security in Action published by Manning. It covers a lot about modern application security, JWTs, OAuth, Kubernetes, and is secretly a tutorial on cryptography in disguise.

• I discovered the “Psychic Signatures” critical vulnerability in Java’s implementation of ECDSA signature verification (CVE-2022-21449).

• My blog has made its way onto Hacker News a few times.

• I’m fairly active in the #OAuth working group at the IETF. I used to be the Security Architect for ForgeRock (now part of Ping Identity).

In my past I have mostly been a software engineer. I also have a PhD in computer science, for what it’s worth, but only my bank calls me Dr and my daughter thinks I’m lying about that.

These days I run a company, Illuminated Security, that provides AppSec and Applied Cryptography consultancy, review, bespoke development, and training. I’m always happy to answer emails (eventually!) on most topics.