Hacker News: webhamster

New comment by webhamster in "German implementation of eIDAS will require an Apple/Google account to function"

webhamster — Sun, 05 Apr 2026 09:08:58 +0000

German implementer here. We have to use some kind of attestation mechanism per the eIDAS implementing acts. That doesn't work without operating system support.

The initial limitation to Google/Android is not great, we know that, and we have support for other OSs on our list (like, e.g., GrapheneOS). It is simply a matter of where we focus our energy at the moment, not that we don't see the issues.

RFC9700: Best Current Practice for OAuth 2.0 Security

webhamster — Tue, 04 Feb 2025 12:32:02 +0000

Article URL: https://www.rfc-editor.org/rfc/rfc9700.html

Comments URL: https://news.ycombinator.com/item?id=42931507

Points: 2

# Comments: 0

New comment by webhamster in "Why is OAuth still hard in 2023?"

webhamster — Thu, 27 Apr 2023 19:29:47 +0000

For starters, without restrictions on the redirect URI, I (as the attacker) can just redirect a user to the authorization endpoint with a client ID of a trustworthy client, a redirect URI pointing to my server, and a PKCE challenge that I selected so that I know the PKCE verifier. The auth code will end up at my server and I can redeem it, giving me (instead of the trustworthy client) access to the user's resources. If the client is a confidential client, I can use a authorization code injection attack to redeem the code and work with the user's resource.

New comment by webhamster in "Why is OAuth still hard in 2023?"

webhamster — Thu, 27 Apr 2023 07:02:47 +0000

That's not correct. There are a number of attacks that can be mitigated by both, but PKCE serves as a very effective defense in case an authorization code leaks to an attacker. Such a leak can be caused by a malicious script on the redirect URI, referer headers, system or firewall logs, mix-up attacks and other problems even when the redirect URIs are restricted.

There is a good reason why we mandate both redirect URI allowlisting AND PKCE in the OAuth Security BCP RFC draft. One learning from our discovery of mix-up attacks with "code injection" was that client authentication is not sufficient to prevent the misuse of authorization codes.

Selective Disclosure for JWTs (SD-JWT)

webhamster — Tue, 25 Apr 2023 20:38:43 +0000

Article URL: https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-04.html

Comments URL: https://news.ycombinator.com/item?id=35706445

Points: 2

# Comments: 0

Miqro: MQTT Micro-Services for Python

webhamster — Tue, 22 Feb 2022 12:51:44 +0000

Article URL: https://github.com/danielfett/miqro

Comments URL: https://news.ycombinator.com/item?id=30427297

Points: 3

# Comments: 0

Improving OAuth App-to-App Security

webhamster — Mon, 30 Nov 2020 12:05:30 +0000

Article URL: https://danielfett.de/2020/11/27/improving-app2app/

Comments URL: https://news.ycombinator.com/item?id=25252940

Points: 2

# Comments: 0

Finding and Fixing TLS Misconfigurations with TLS Profiler

webhamster — Fri, 22 May 2020 13:56:45 +0000

Article URL: https://danielfett.de/2020/05/22/open-source-tls-scanner/

Comments URL: https://news.ycombinator.com/item?id=23272086

Points: 2

# Comments: 0

OAuth and OpenID Connect: Do PKCE and Nonce Provide the Same Protection?

webhamster — Wed, 20 May 2020 09:56:28 +0000

Article URL: https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/

Comments URL: https://news.ycombinator.com/item?id=23245055

Points: 1

# Comments: 0

Show HN: TLS Profiler – Check your site's TLS against Mozilla's recommendations

webhamster — Thu, 02 Apr 2020 16:38:50 +0000

Article URL: https://tlsprofiler.danielfett.de/

Comments URL: https://news.ycombinator.com/item?id=22760824

Points: 2

# Comments: 0

New comment by webhamster in "JWT is Awesome"

webhamster — Tue, 18 Feb 2020 12:43:09 +0000

Can we finally stop conflating an encoding/signature/encryption method with a transport/storage mechanism?!

New comment by webhamster in "A guide to Oauth2"

webhamster — Mon, 02 Sep 2019 16:17:04 +0000

Quote:

   The resource owner password credentials grant MUST NOT be used.  This
   grant type insecurely exposes the credentials of the resource owner
   to the client.  Even if the client is benign, this results in an
   increased attack surface (credentials can leak in more places than
   just the AS) and users are trained to enter their credentials in
   places other than the AS.

   Furthermore, adapting the resource owner password credentials grant
   to two-factor authentication, authentication with cryptographic
   credentials, and authentication processes that require multiple steps
   can be hard or impossible (WebCrypto, WebAuthn).

New comment by webhamster in "A guide to Oauth2"

webhamster — Mon, 02 Sep 2019 16:15:13 +0000

FYI, the IETF plans to deprecate the Resource Owner Password Credentials Grant you are talking about [1].

[1] https://tools.ietf.org/html/draft-ietf-oauth-security-topics

New comment by webhamster in "Show HN: Hydra – Open-Source OAuth2 Server"

webhamster — Tue, 02 Jul 2019 07:28:51 +0000

There is no issuer in OAuth. Therefore, the distinct-redirect-URI solution is the most universal.

New comment by webhamster in "Show HN: Hydra – Open-Source OAuth2 Server"

webhamster — Tue, 02 Jul 2019 07:28:01 +0000

Also, we now have formal proofs for the security of the OAuth and OIDC protocols.

New comment by webhamster in "Show HN: Hydra – Open-Source OAuth2 Server"

webhamster — Mon, 01 Jul 2019 17:38:17 +0000

Does Hydra follow the OAuth Security BCP (https://tools.ietf.org/html/draft-ietf-oauth-security-topics...)? I do not see PKCE or mix-up mitigation mentioned, for example.

Why you should stop using the OAuth implicit grant

webhamster — Thu, 22 Nov 2018 11:34:03 +0000

Article URL: https://medium.com/@torsten_lodderstedt/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926

Comments URL: https://news.ycombinator.com/item?id=18509362

Points: 2

# Comments: 0