The Changelog: Software Development, Open Source

OAuth, "It's complicated." (Interview)

Aug 23, 2021

Aaron Parecki, co-founder of IndieWebCamp and maintainer of OAuth.net, discusses the intricate evolution of OAuth 2.0 to 2.1. He delves into the complexities of Proof Key for Code Exchange (PKCE) and the new Grant Negotiation and Authorization Protocol (GNAP). The conversation highlights how personal data tracking can enhance memory retention and the role of personal websites in the IndieWeb movement. Parecki emphasizes the importance of security in OAuth flows and how simplified authentication can benefit developers and users alike.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

ANECDOTE

Early Tracking

Aaron Parecki has been tracking his location since 2008, initially fascinated by personal data collection.
He even tracked his school commute times as a child using logbooks, predating GPS tracking.

INSIGHT

Tracking Motivation

Aaron's motivation for tracking isn't just self-discovery; it's about creating a personal data archive.
This archive helps him geotag old photos, remember past events, and provide context to his online presence.

ANECDOTE

Passive Tracking

Aaron intentionally avoids letting tracking influence his movements, aiming for passive data collection.
He wants the data to reflect his natural behavior, not a gamified challenge to visit every location.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Today we’re joined by Aaron Parecki, co-founder of IndieWebCamp and maintainer of OAuth.net, for a deep dive on the state of OAuth 2.0 and what’s next in OAuth 2.1. We cover the complications of OAuth, RFCs like Proof Key for Code Exchange, also known as PKCE, OAuth for browser-based apps, and next generation specs like the Grant Negotiation and Authorization Protocol, also known as GNAP. The conversation begins with how Aaron experiements with the IndieWeb as a showcase of what’s possible.

Join the discussion

Changelog++ members save 4 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

Gitpod – Spin up fresh, ephemeral automated dev environments, in the cloud, in seconds. Their free tier is open to every developer with a GitLab, GitHub, and/or Bitbucket account. Learn more at gitpod.io
Retool – Retool is a low-code platform built specifically for developers that makes it fast and easy to build internal tools. Instead of building internal tools from scratch, the world’s best teams, from startups to Fortune 500s, are using Retool to power their internal apps. Learn more and try it for free at retool.com/changelog
Square – Develop on the platform that sellers trust! Use API Explorer to interact with, test, or play with your applications in Square. You can build, view, and send HTTP requests that call Square APIs with API Explorer. Get started with Square, check out the API Explorer, or the API Explorer docs.
Fastly – Our bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com

Featuring:

Aaron Parecki – Website, GitHub, X
Adam Stacoviak – Website, GitHub, LinkedIn, Mastodon, X
Jerod Santo – GitHub, LinkedIn, Mastodon, X

Show Notes:

IndieWeb.org
IndieWeb Chat
It’s Time for OAuth 2.1
OAuth 2.0
OAuth 2.0 Simplified
GNAP Core Protocol
oktadev.events
GNAP (Grant Negotiation and Authorization Protocol)
PKCE (Proof Key for Code Exchange)
Books about OAuth 2.0
OAuth 2.0 Playground
The Nuts and Bolts of OAuth 2.0
Okta Developer Day - Auth for All - Virtual Event: August 24, 2021
Okta Developer Day Labs - August 25, 2021

Something missing or broken? PRs welcome!