@netzpolitik_feed Have the @EUCommission colleagues ever heard of #oauth? A large part of the request management is already technically solved by it.
I got #Duende IdentityServer #OAuth working inside an @avaloniaui app. It's pretty easy, thanks to the Duende.IdentityModel package and the browser abstraction. #dotnet
If you had to explain #OAuth2 to a relatively new SWE who only had a bit of experience interacting with public APIs from a frontend UI, are there any specific beginner-friendly online resources you'd recommend to them?
I have now installed and tested Authentik for CoreUnit.NET. So far I am satisfied. Keycloak, dex and other IDPs made me dissatisfied in some steps. As a developer I just don't like the container image tagging, please use semver so I can pin major/minor versions.
USSO is a third-party cookie-based SSO (for now), built to work across multiple domains and businesses. It has been in development for over a year by Mahdi Kiani.
Right now, it's written in Python, but a Go rewrite is coming soon. After the rewrite, OAuth, SAML, and other authentication methods will be added.
For now, USSO doesn’t have a frontend to manage all SSO operations, but everything is available through an API.
A couple of microservices also work with USSO:
- A global S3-based file manager
- UFAAS, a Function-as-a-Service platform, optimized for Iran
UFAAS currently only supports IRT/IRR currencies and integrates with Iranian payment gateways, but accounts can also be manually charged.
A Rust module for USSO has also been released, making it easier to integrate with Rust-based applications. Additionally, I've recently joined the development team.
USSO is planned to be used on Parch Linux, and detailed deployment documentation will be written for all major platforms, including cloud, Docker, Kubernetes, and Jails.
Mahdi Kiani on X: https://x.com/mahdikiani
Project GitHub: https://github.com/ussoio
The File Manager: https://github.com/ufilesorg
FaaS: https://github.com/ufaasio
Profile manager based on USSO: https://github.com/uprofile
Rust crate: https://crates.io/crates/usso
A little rant about e-mail authentication:
https://francisaugusto.com/2025/Email-quo-vadis-or-where-is-oidc-for-everyone/
@mwl I'd love your comment on this!
Despite being central to their security, many orgs struggle to securely implement #OAuth. Our new post walks through common issues & how to prevent them, along with a useful checklist! Read it today & ensure your org is secure: https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html
It's slowly getting cozy on my #GoToSocial instance.
I just uploaded a collection of #NeoCat emojis. That wasn't so easy, since GTS doesn't yet support this kind of bulk upload of #MissKey emoji archives. Emojis can only be uploaded one at a time via API call.
But since I know a bit of #Python, the problem was solved fairly quickly
**I wrote two scripts:**
- One to authenticate via #OAuth in order to obtain a bearer token for the API calls.
- Another that parses the meta.json file of MissKey-compatible emoji archives and then uploads all emojis in the archive one at a time via API call.
**What I learned:**
- How MissKey emoji archives are structured.
- How to authenticate with GTS via OAuth.
- How to upload emojis from MissKey archives via GTS API calls.
#SelfHosting #GoToSocial #Python #OAuth #CustomEmojis
I don't want to create a new account for every software / server. Where is the #OAuth thing for #ActivityPub?
#Mastodon #PixelFed #Lemmy
Anybody close their personal Gmail or Outlook, i.e. Google and Microsoft accounts? They are just spam and I have pretty good success with my private email domain so I'm just tired of all the spam and tracking if I don't use their services. I just need a replacement OAuth server and Authenticator app. #oauth #otp #security #email
SquareX Researchers Expose #OAuth Attack on Chrome Extensions Days Before Major Breach
I deem OAUTH^WGoogle (see below) hostile to self-hosting, thanks to the callback URI enforcing it being a TLD.
Mails on my personal front are purely for bills, and other updates. I've been using aerc for a while but I had to switch.
I realized how bad the e-mail client scenario is on Linux now that services demand OAuth2. The majority of clients don't support it so you have to use proxies, and complex 3rd party tools with complex configurations, and mail downloaders. It's crazy.
Maybe, I'm missing something. I just installed Thunderbird after avoiding it.
Add a custom icon to Auth0's Custom Social integrations
https://shkspr.mobi/blog/2024/12/add-a-custom-icon-to-auth0s-custom-social-integrations/
This is so fucking stupid.
There is no way to update the logo of a custom social connection on Auth0 without using the command line. On literally every other service I've used, there's a little box to upload a logo. But Okta have a funny idea of what developers want.
And, to make matters worse, their documentation contains an error! They don't listen to community requests or take bug reports, so I'm blogging in the hope that this is useful to you.
The Command
curl --request PATCH \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer eyJhb...ZEQ' \
  --url 'https://whatever.eu.auth0.com/api/v2/connections/con_qwerty123456' \
  --data ' ... '
You will also need to supply some JSON in the data parameter. I've formatted it to be easier to read than the garbage documentation. All of these fields are mandatory.
{
  "options": {
    "client_id": "your-app-id",
    "client_secret": "Shhhhhh!",
    "icon_url": "https://example.com/image.svg",
    "scripts": {
      "fetchUserProfile": "???"
    },
    "authorizationURL": "https://example.com/oauth2/authorize",
    "tokenURL": "https://example.com/oauth2/token",
    "scope": "auth"
  },
  "display_name": "Whatever"
}
OK, but how do you get all those values?
update:connections
icon_url
fetchUserProfile
authorizationURL
and tokenURL
display_name
This is such a load of bollocks! Is it really that hard for the Okta team to put an input field with "type the URL of your logo"?
#Auth0 #HowTo #oauth