I got n8n working with LinkedIn, Mastodon, etc. Can I get it to work with Fitbit?
@elmiko in my Python tests #GeminiAI has been pretty good. So golang doesn't worry me that much. Interestingly, multiple AIs struggle with #oauth, e.g. also #lovable.
There aren't even free-standing computers, and library employees not respecting documentation standards pisses me off. So I have to check now if another library has a free computer. It's already the second library. In the first I've got #hausverbot because I don't want to be #homeless anymore, see other thread on this masto account.
@netzpolitik_feed Have the @EUCommission colleagues ever heard of #oauth? A large part of the request management is already technically solved by it.
#Fedi, looking for people with experience in #accessible software.
I have a friend with serious vision issues. Not blind, but can't easily read text that isn't 6+ inches high, and his vision is degrading. He is looking for a way to deal with email -- he's a writer -- because he says Gmail is now a nightmare to use even with a screen reader.
Preferred solution would be a mail program / #MUA that runs on Windows and supports #OAUTH authentication, so he can continue to use his Gmail address.
What's the MUA with the best #accessibility on Windows? Thunderbird brags about its support for screen readers and assistive technologies, so I had him try it, and he says it's almost as bad as Gmail - flashing colours, animating controls. I haven't personally touched Thunderbird in many years, so it was a surprise to me.
I use a text/console mail flow that relies on a local MTA, so nothing I use is of any use in this.
Thanks, appreciate any pointers.
A little rant about e-mail authentication:
https://francisaugusto.com/2025/Email-quo-vadis-or-where-is-oidc-for-everyone/
@mwl I'd love your comment on this!
OAuth security is broken! A domain switch can hijack Google sign-in accounts. This affects your apps and users right now. #security #oauth #infosec https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw
blog! “Add a custom icon to Auth0's Custom Social integrations”
This is so fucking stupid.
There is no way to update the logo of a custom social connection on Auth0 without using the command line. On literally every other service I've used, there's a little box to upload a logo. But Okta have a funny idea of what developers want.
And, to make matters…
Read more: https://shkspr.mobi/blog/2024/12/add-a-custom-icon-to-auth0s-custom-social-integrations/
⸻
#Auth0 #HowTo #oauth
blog! “Creating a generic "Log-in with Mastodon" service”
…
Read more: https://shkspr.mobi/blog/2024/12/creating-a-generic-log-in-with-mastodon-service/
⸻
#Auth0 #MastodonAPI #oauth
Has anyone made a good, reliable "log in with your fediverse account" library/service, ideally for node.js, yet?
We got a blog post out summarizing our launch of OAuth for AT Protocol, and what work remains. This has been a huge project, led by Matthieu, with input from a bunch of standards folks and devs.
This tries to solve the same basic challenge that ActivityPub has, and builds on work by @thisismissem and @aaronpk at the IETF (OAuth client metadata documents). Would be great if social web protocols end up aligning on the general shape of a solution and can share code+review.
Say you're building a form that allows a user to login to #Mastodon. First you need their hostname. You want to validate that it's a URL before you allow the form to be submitted, but typing `https://` is kind of a pain in the ass. So you could add an onblur that prepends the protocol if the user hadn't done it themselves.
thoughts?
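Added example, not part of the original post: one way to do the blur-time normalization described above while still refusing input that should not reach an OAuth redirect. The function name, the reason strings and the `#instance` field id are hypothetical, and the sample inputs in the usage are constructed.

```javascript
// Normalize what the user typed into an instance origin, or say why not.
// The scheme is prepended only when none was typed, so an explicit
// non-https scheme is rejected below instead of being silently rewritten.
function normalizeInstanceUrl(raw) {
  const input = String(raw).trim();
  if (input === "") return { ok: false, reason: "empty" };

  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(input);
  const candidate = hasScheme ? input : "https://" + input;

  let url;
  try {
    url = new URL(candidate);
  } catch {
    return { ok: false, reason: "not a URL" };
  }

  if (url.protocol !== "https:") return { ok: false, reason: "https only" };
  // "https://a.example@b.example" really points at b.example; refuse userinfo
  // so the host the user sees is the host that gets used.
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  if (!url.hostname.includes(".")) {
    return { ok: false, reason: "single-label hostname" };
  }
  // Keep only the origin: path, query and fragment are dropped.
  return { ok: true, origin: url.origin };
}

// Browser wiring (skipped outside a browser). "#instance" is a hypothetical id.
if (typeof document !== "undefined") {
  const field = document.querySelector("#instance");
  if (field) {
    field.addEventListener("blur", () => {
      const result = normalizeInstanceUrl(field.value);
      if (result.ok) field.value = result.origin;
      field.setCustomValidity(result.ok ? "" : result.reason);
    });
  }
}
```

The same function should run again on the server before the origin is used to build an authorization request, since client-side validation can be bypassed.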
Need some feedback from people working in #IAM about the co-existence of passkeys and security keys for FIDO2.
How should you handle giving people the option to use security keys for non-resident credentials?
I have read the latest UX best practices proposed by the FIDO Alliance, and I will probably go down the route proposed there: I'll offer two buttons, "Create passkey" and "Use a security key". They trigger WebAuthn registration with different parameters; the "use a security key" button uses residentKey=discouraged.
It seems like that is similar to what Google and GitHub do. However, in the aforementioned FIDO best practice the "future state" shows that the FIDO Alliance thinks that the "use a security key" button may become obsolete in the future. Why? Is this assuming that browsers will implement better controls where the user can decide whether to create a resident key? Because I don't intend to take away this decision from advanced users who have hardware keys with limited credential storage slots.
Also, what webauthn registration parameters would you use for those two buttons? I am currently doing:
---
Create passkey:
uv=preferred
rk=preferred
Use a security key:
uv=preferred
rk=discouraged
attachment=cross-platform
---
FIDO Best practices mentioned above: https://fidoalliance.org/design-guidelines/patterns/passkey-management-ui-best-practices-for-combining-all-passkey-types/
Is there some kind of framework for #API services that already has everything pre-defined except the actual API? Meaning user management with #2FA, #OAuth client handling, Stripe integration for usage-based or flat-rate plans, API usage stats, email notifications, background jobs running on multiple machines? Preferably in #NodeJS or #Python, but really can be any language as long as the background job can be in any language I want/need because of dependencies. #programming #webdev
Are there any known issues with Friendica's OAuth login flow? Or maybe recent breaking changes?
Suddenly getting an "Unprocessable Entity" error without having made any relevant updates to the code.
Whenever I have to write an #oauth login the struggle is never getting it to work. I can always end up with a successful login.
Without fail I will finish, then go check the best practices guide and inevitably find out I messed something up. It’s just crazy for an “easy” protocol to have so many footguns. (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics)
I fundamentally do not think it is wise for the ActivityPub community to be completely reimagining how an existing standard should be implemented, especially in a way that only satisfies the needs of a single client type.
https://codeberg.org/fediverse/fep/src/branch/main/fep/d8c2/fep-d8c2.md
I have a fuller objection to this FEP here: https://socialhub.activitypub.rocks/t/fep-d8c2-oauth-2-0-profile-for-the-activitypub-api/3575/20?u=thisismissem