<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Disqus - Latest Comments for aaronpk</title><link>http://disqus.com/by/aaronpk/</link><description></description><atom:link href="http://disqus.com/aaronpk/comments.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Thu, 03 Apr 2025 13:12:41 -0000</lastBuildDate><item><title>Re: The MCP Authorization Spec Is... a Mess for Enterprise</title><link>https://blog.christianposta.com/the-updated-mcp-oauth-spec-is-a-mess/#comment-6681811254</link><description>&lt;p&gt;I mostly agree with your assessment of the problem, but I have a different idea of how this should integrate with enterprise IdPs. I'd love to chat about this though.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Thu, 03 Apr 2025 13:12:41 -0000</pubDate></item><item><title>Re: Add Authentication to your PHP App in 5 Minutes</title><link>https://developer.okta.com/blog/2018/07/09/five-minute-php-app-auth#comment-5053999179</link><description>&lt;p&gt;You'll need to do two things. First, make sure you request the "profile" and "email" scopes in the request. Then when you get an access token, you can look up the user's profile info at the userinfo endpoint by making a POST request with the access token. 
Then you'll get back data like this:&lt;/p&gt;&lt;p&gt;&lt;code&gt;{&lt;br&gt;  sub: "00uqi4dbxSUVcAi2X356",&lt;br&gt;  name: "Aaron Parecki",&lt;br&gt;  locale: "en-US",&lt;br&gt;  preferred_username: "***@***.***",&lt;br&gt;  given_name: "Aaron",&lt;br&gt;  family_name: "Parecki",&lt;br&gt;  zoneinfo: "America/Los_Angeles",&lt;br&gt;  updated_at: 1594844338&lt;br&gt;}&lt;/code&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Tue, 01 Sep 2020 12:55:59 -0000</pubDate></item><item><title>Re: What is the OAuth 2.0 Authorization Code Grant Type?</title><link>https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type#comment-5053953666</link><description>&lt;p&gt;Thanks! We didn't have any sort of organization of the blog posts when this was first posted, but we have tags and author pages now! I made a tag for the posts in this series, but it sounds like you already found the others:&lt;/p&gt;&lt;p&gt;&lt;a href="https://developer.okta.com/blog/tags/what-is-oauth" rel="nofollow noopener" target="_blank" title="https://developer.okta.com/blog/tags/what-is-oauth"&gt;https://developer.okta.com/...&lt;/a&gt;&lt;/p&gt;&lt;p&gt;You can also find my other posts here:&lt;/p&gt;&lt;p&gt;&lt;a href="https://developer.okta.com/blog/authors/aaron-parecki/" rel="nofollow noopener" target="_blank" title="https://developer.okta.com/blog/authors/aaron-parecki/"&gt;https://developer.okta.com/...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Tue, 01 Sep 2020 12:22:30 -0000</pubDate></item><item><title>Re: Add Secure Authentication to your WordPress Site in 15 Minutes</title><link>https://developer.okta.com/blog/2018/10/30/wordpress-authentication-with-okta#comment-5052850548</link><description>&lt;p&gt;Yeah we've made quite a few improvements to the plugin since this article was written! 
The good news is it should be a lot easier to set up now. We don't have an updated guide, but installing the plugin should give you a settings screen in WordPress which walks you through the required steps! &lt;a href="https://github.com/oktadeveloper/okta-wordpress-sign-in-widget" rel="nofollow noopener" target="_blank" title="https://github.com/oktadeveloper/okta-wordpress-sign-in-widget"&gt;https://github.com/oktadeve...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Mon, 31 Aug 2020 15:45:50 -0000</pubDate></item><item><title>Re: Use nginx to add Authentication to any Application</title><link>https://developer.okta.com/blog/2018/08/28/nginx-auth-request#comment-5016627748</link><description>&lt;p&gt;Yes, if you need to handle URLs with a query string then you'll have to URL encode that parameter using something like &lt;a href="https://github.com/openresty/set-misc-nginx-module#set_escape_uri" rel="nofollow noopener" target="_blank" title="https://github.com/openresty/set-misc-nginx-module#set_escape_uri"&gt;https://github.com/openrest...&lt;/a&gt;. 
This isn't an issue for the majority of my deployments.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Mon, 03 Aug 2020 14:16:25 -0000</pubDate></item><item><title>Re: Use nginx to add Authentication to any Application</title><link>https://developer.okta.com/blog/2018/08/28/nginx-auth-request#comment-5016620926</link><description>&lt;p&gt;The config file format has changed from what is described in this post, so make sure you're following the instructions in the project's readme!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Mon, 03 Aug 2020 14:10:59 -0000</pubDate></item><item><title>Re: Use PKCE with OAuth 2.0 and Spring Boot for Better Security</title><link>https://developer.okta.com/blog/2020/01/23/pkce-oauth2-spring-boot#comment-4921108476</link><description>&lt;p&gt;Even though you don't see the PKCE option for "web" apps, you can still actually do PKCE with web apps. It's in the UI for SPA apps because you can choose whether to use PKCE or the deprecated implicit flow for SPA apps.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Wed, 20 May 2020 12:45:49 -0000</pubDate></item><item><title>Re: What is the OAuth 2.0 Authorization Code Grant Type?</title><link>https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type#comment-4889539386</link><description>&lt;p&gt;I should clarify. This problem doesn't exist when the client can use a client secret. It's only a problem for public clients that don't have a secret. 
In that case, PKCE solves the problem, and the Implicit flow has that problem and can't be solved.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Sat, 25 Apr 2020 11:55:52 -0000</pubDate></item><item><title>Re: What is the OAuth 2.0 Authorization Code Grant Type?</title><link>https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type#comment-4889400435</link><description>&lt;p&gt;Yes you're right, that exact attack is why PKCE exists! PKCE prevents that by requiring the use of an additional secret that the app generates on each request.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Sat, 25 Apr 2020 09:38:22 -0000</pubDate></item><item><title>Re: Is the OAuth 2.0 Implicit Flow Dead?</title><link>https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead#comment-4851396206</link><description>&lt;p&gt;The storage problem with JS apps has nothing to do with PKCE. PKCE protects the data sent in the redirect, which is a different attack surface than stored tokens.&lt;/p&gt;&lt;p&gt;Put yourself in the shoes of the authorization server issuing the access token. If you send an access token to the application by sending it in an HTTP redirect, you have no idea whether the application has actually received that access token, or what may have stolen it via the redirect in the process. 
For example, this browser extension will show you any sites that you log in to that are using the Implicit flow: &lt;a href="https://github.com/oktadeveloper/okta-implicit-flow-detector" rel="nofollow noopener" target="_blank" title="https://github.com/oktadeveloper/okta-implicit-flow-detector"&gt;https://github.com/oktadeve...&lt;/a&gt; It turns out that any extensions you have installed could already be siphoning off access tokens without your knowledge.&lt;/p&gt;&lt;p&gt;By using PKCE, the authorization server issues a one-time code in the redirect, and the application has to confirm receipt of it by making the separate POST request for an access token. If someone were able to steal the code from the redirect, they wouldn't be able to use it to get an access token thanks to the PKCE mechanism.&lt;/p&gt;&lt;p&gt;Now, once the app has the access token, whether it got it from the implicit flow or using PKCE, the problem is now how it can store it in a secure way. This problem exists both with the implicit flow and with PKCE, and you're right that it is mostly an unsolved problem with browsers. But, PKCE solves a different, more important problem, so it is useful.&lt;/p&gt;&lt;p&gt;I explain this more in this video: &lt;a href="https://www.youtube.com/watch?v=5cQNwifDq1U" rel="nofollow noopener" target="_blank" title="https://www.youtube.com/watch?v=5cQNwifDq1U"&gt;https://www.youtube.com/wat...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Sat, 28 Mar 2020 11:59:41 -0000</pubDate></item><item><title>Re: Create and Verify JWTs in PHP with OAuth 2.0</title><link>https://developer.okta.com/blog/2019/02/04/create-and-verify-jwts-in-php#comment-4835314171</link><description>&lt;p&gt;I just ran through the code from scratch and it worked fine. 
Double check that you've defined a secret in the .env file, and that you've copied the code exactly as it is in this post.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Mon, 16 Mar 2020 13:08:35 -0000</pubDate></item><item><title>Re: Add Authentication to your PHP App in 5 Minutes</title><link>https://developer.okta.com/blog/2018/07/09/five-minute-php-app-auth#comment-4829689346</link><description>&lt;p&gt;Double check that you're starting at localhost and not 127.0.0.1, because while both will run your app, they are considered different domains when the cookie is set so you'll get the state error when you get redirected back to the other. Also make sure your browser isn't blocking cookies.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Wed, 11 Mar 2020 23:55:59 -0000</pubDate></item><item><title>Re: Add Secure Authentication to your WordPress Site in 15 Minutes</title><link>https://developer.okta.com/blog/2018/10/30/wordpress-authentication-with-okta#comment-4812610318</link><description>&lt;p&gt;Yes you’re correct on both counts. It’s generally better to redirect users over to the authorization server so they’re only entering their password in one place. 
This demo is what you could do if you want to just swap out the WordPress user management with Okta’s, not necessarily using it for single-sign-on, just changing how login works for the one WordPress site.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Thu, 27 Feb 2020 10:19:35 -0000</pubDate></item><item><title>Re: Build a Simple REST API in PHP</title><link>https://developer.okta.com/blog/2019/03/08/simple-rest-api-php#comment-4789020137</link><description>&lt;p&gt;I don't know what a .env.app file is, but the .env.example file is just a text file, and it has to be copied to .env once you fill out the values.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Sat, 08 Feb 2020 19:25:00 -0000</pubDate></item><item><title>Re: Build a Simple Laravel App with Authentication</title><link>https://developer.okta.com/blog/2019/09/05/laravel-authentication#comment-4768441167</link><description>&lt;p&gt;It's not scheduled on our calendar yet so I would say you shouldn't wait for us. If you do figure it out, please post any notes as a new comment here so others can find it too!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Thu, 23 Jan 2020 17:18:40 -0000</pubDate></item><item><title>Re: Build a Simple Laravel App with Authentication</title><link>https://developer.okta.com/blog/2019/09/05/laravel-authentication#comment-4768437646</link><description>&lt;p&gt;This blog post is written for Laravel 5. 
We will hopefully be able to publish an updated tutorial for Laravel 6 in the future.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Thu, 23 Jan 2020 17:15:34 -0000</pubDate></item><item><title>Re: Add Authentication to your PHP App in 5 Minutes</title><link>https://developer.okta.com/blog/2018/07/09/five-minute-php-app-auth#comment-4764036385</link><description>&lt;p&gt;It sounds like a root certificate issue so double check your list of roots is up to date, and make sure the system isn't treating the certificate as untrusted. You should be able to visit the metadata URL in a browser on that machine to verify the root certificate is trusted. If that works then you'll need to make sure PHP is configured to use the system's root cert list too.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Mon, 20 Jan 2020 10:02:34 -0000</pubDate></item><item><title>Re: Add Authentication to your PHP App in 5 Minutes</title><link>https://developer.okta.com/blog/2018/07/09/five-minute-php-app-auth#comment-4763004772</link><description>&lt;p&gt;Glad you found a more specific error! Okta has SSL configured properly, so it's likely that your system doesn't have the expected root certificate. Given that you mentioned this is running PHP 5.6 I'm guessing the entire system is pretty out of date. Try to see if you can update the system's root certificate list or just run system updates in general.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Sun, 19 Jan 2020 10:48:18 -0000</pubDate></item><item><title>Re: Add Authentication to your PHP App in 5 Minutes</title><link>https://developer.okta.com/blog/2018/07/09/five-minute-php-app-auth#comment-4759851477</link><description>&lt;p&gt;PHP 5.6 has been officially at end-of-life for over a year now, so it's really not a good idea to be running that version anymore. 
&lt;a href="https://www.php.net/supported-versions.php" rel="nofollow noopener" target="_blank" title="https://www.php.net/supported-versions.php"&gt;https://www.php.net/support...&lt;/a&gt;&lt;/p&gt;&lt;p&gt;In any case, it sounds like what's happening is it's failing to fetch the metadata, so $metadata is not an object. Double check that you've got the correct metadata URL in your code. You can visit the URL in your browser and you should see a bunch of JSON data. If that's correct, then check why the curl call to fetch that might be failing.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Thu, 16 Jan 2020 16:20:25 -0000</pubDate></item><item><title>Re: What the Heck is OAuth?</title><link>https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth#comment-4759846283</link><description>&lt;p&gt;Access tokens can be revoked at the authorization server, but if your APIs are only doing local token validation then they won't ever know that the token has been revoked. One of our recent blog posts has a demo of this: &lt;a href="https://developer.okta.com/blog/2020/01/15/protecting-a-php-api-with-oauth" rel="nofollow noopener" target="_blank" title="https://developer.okta.com/blog/2020/01/15/protecting-a-php-api-with-oauth"&gt;https://developer.okta.com/...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Thu, 16 Jan 2020 16:16:12 -0000</pubDate></item><item><title>Re: Add Secure Authentication to your WordPress Site in 15 Minutes</title><link>https://developer.okta.com/blog/2018/10/30/wordpress-authentication-with-okta#comment-4748665227</link><description>&lt;p&gt;Our team doesn't have the resources to support a production-ready product, but that said, the plugin should still work in an Okta production environment. Depending on your Okta account you might need to change the authorization server URL and such, but it should still work. 
If that's not the case, please file an issue on the GitHub repo with more details and we'll see what we can do.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Tue, 07 Jan 2020 14:50:32 -0000</pubDate></item><item><title>Re: Implement the OAuth 2.0 Authorization Code with PKCE Flow</title><link>https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#comment-4747675037</link><description>&lt;p&gt;oops I mean &lt;code&gt;code_challenge&lt;/code&gt; and &lt;code&gt;code_verifier&lt;/code&gt;! Maybe they should have called them &lt;code&gt;pkce_*&lt;/code&gt; instead tho cause I keep mistyping that!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Mon, 06 Jan 2020 18:52:06 -0000</pubDate></item><item><title>Re: Implement the OAuth 2.0 Authorization Code with PKCE Flow</title><link>https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#comment-4711156069</link><description>&lt;p&gt;I don't know if the libraries support it, but the server supports it directly anyway.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Tue, 03 Dec 2019 18:27:14 -0000</pubDate></item><item><title>Re: Implement the OAuth 2.0 Authorization Code with PKCE Flow</title><link>https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#comment-4711109679</link><description>&lt;p&gt;You &lt;i&gt;can&lt;/i&gt; do PKCE with a regular web app too in Okta, it just doesn't show up as an option to require it in the admin UI. 
Try starting an OAuth flow with a pkce_challenge in the authorization request, and you'll see that the pkce_verifier parameter is needed on the token request.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Tue, 03 Dec 2019 17:37:44 -0000</pubDate></item><item><title>Re: Implement the OAuth 2.0 Authorization Code with PKCE Flow</title><link>https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#comment-4681074169</link><description>&lt;p&gt;Yes! Here's a post that describes how to do it in plain JavaScript, no libraries required. &lt;a href="https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead" rel="nofollow noopener" target="_blank" title="https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead"&gt;https://developer.okta.com/...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">aaronpk</dc:creator><pubDate>Thu, 07 Nov 2019 12:02:13 -0000</pubDate></item></channel></rss>