Aaron Parecki

In two weeks I'll be speaking at the MCP Dev Summit in San Francisco! It's going to be a great day packed with back to back sessions.

In less than a year, the MCP project has quickly reshaped how developers are building AI agents. My talk, "Intro to OAuth for MCP Servers", will cover the basics of the new MCP authorization protocol and set the stage for building secure MCP servers.

https://mcpdevsummit.ai/#agenda

Is it just me or does this current Model Context Protocol wave remind anyone of the early Web 2.0 days of everyone launching open APIs?

In case you missed it, our IPSIE webinar recording is now available! I had a great time chatting with Dean H. Saxe, George Fletcher, Gail Hodges, and Jeff Reich about what IPSIE is, why profiling existing specifications is so important, and the progress the working group has made so far! Thanks for the great conversation!

IPSIE:
Interoperability
Profile for
Secure
Identity in the
Enterprise

https://www.brighttalk.com/webcast/18458/636068

Chase sends 8-digit 2fa SMS codes, which seems excessive compared to the 6 that most other places use, but even weirder is that the first digit of them has always been the same, effectively making it a 7 digit code. Anyone know what's up with that?

At long last, the OAuth working group has finished the Best Current Practice for OAuth 2.0 Security and it was just published as RFC9700! This has been a long time in the works, and I'm very thankful to everyone who has helped out with it over the years!

https://www.rfc-editor.org/rfc/rfc9700.html

This is one of the major inputs to OAuth 2.1, so I'm also very excited to be able to move that forward this year as well!

Congrats to BlueSky for launching OAuth support for apps! 🙌 https://docs.bsky.app/blog/oauth-atproto

Someone broke through the chain link fence last week, in broad daylight, while I was home, and didn't notice at the time.

I started thinking about what I could do about it, and it turns out the EA Unifi cameras have a new webhook feature. So now my cameras send a webhook to Home Assistant when someone crosses a virtual line, and it will trigger the siren. Since this is a line crossing event, not generic person detection, I can leave it armed 24/7, since nobody should be in that area at all.

OAuth for Browser-Based Apps has entered Working Group Last Call! Please share your comments in the next 2 weeks, even if it's just a general voice of support!

https://aaronparecki.com/2024/05/02/5/oauth-browser-based-apps-last-call

This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts

The deadline to submit drafts ahead of the IETF meeting in November just passed, and I submitted my last one with 30 minutes to spare! Here are all the docs I'll be discussing:

https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html

https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-01.html

https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-00.html

https://www.ietf.org/archive/id/draft-parecki-oauth-metadata-for-nested-flows-00.html