Commit

Merge branch 'main' of github.com:aaronpk/oauth.net
aaronpk committed Jul 6, 2023
2 parents a70370a + 1d2cf41 commit 317a6b9
Showing 17 changed files with 50 additions and 39 deletions.
2 changes: 1 addition & 1 deletion data/code/elixir.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@ server_libraries:
- '<a href="https://github.com/danschultzer/ex_oauth2_provider">Elixir OAuth2 Server</a>:
The no-brainer library to use for adding OAuth 2.0 provider capabilities to your
Elixir app.'
- '<a href="https://gitlab.com/patatoid/boruta_auth">Borutar</a>:
- '<a href="https://github.com/malach-it/boruta-server">Boruta</a>:
OAuth / OpenID Connect provider core for Elixir.'
...
7 changes: 5 additions & 2 deletions data/code/javascript.yml
@@ -1,10 +1,13 @@
---
name: JavaScript
client_libraries:
- "<a href=\"https://github.com/panva/oauth4webapi\">oauth4webapi</a>. OpenID
- "<a href=\"https://github.com/badgateway/oauth2-client\">@badgateway/oauth2-client</a>. 0-dependencies, Typescript support for browsers and Node."
- "<a href=\"https://github.com/panva/oauth4webapi\">@panva/oauth4webapi</a>. OpenID
Certified\u2122 OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes"
- <a href="http://github.com/andreassolberg/jso">Javascript</a>
- <a href="https://github.com/zalando/oauth2-client-js">OAuth2-client-js</a>
- <a href="https://github.com/jaredhanson/passport-oauth2">Passport</a>
- <a href="https://github.com/salte-io/salte-auth">Salte Auth</a>
- <a href="https://github.com/authts/oidc-client-ts">oidc-client-ts</a>. Library to
provide OpenID Connect and OAuth2 protocol support for client-side, browser-based
JavaScript client applications.
...
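Review bot: the renamed label `@panva/oauth4webapi` reads as an npm scoped package name, but the link target is unchanged at github.com/panva/oauth4webapi; confirm the label matches the name a reader would pass to `npm install`, since a scope that does not exist on the registry sends them to the wrong package. Two style points on the new @badgateway line: "0-dependencies" reads better as "zero dependencies", and the product name is spelled "TypeScript".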
4 changes: 3 additions & 1 deletion data/code/nodejs.yml
Expand Up @@ -8,7 +8,6 @@ client_libraries:
- <a href="https://github.com/simov/grant">Grant</a> 200+ OAuth providers for Express,
Koa, Hapi, Fastify, AWS Lambda, Azure, Google Cloud, Vercel
- <a href="http://passportjs.org/">PassportJS</a>
- <a href="https://github.com/zalando/oauth2-client-js">OAuth2-client-js</a>
server_libraries:
- "<a href=\"https://github.com/panva/node-oidc-provider\">oidc-provider</a>. OpenID
Certified\u2122 Provider implementation for Node.js"
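Review bot: this drops OAuth2-client-js from the Node `client_libraries` list while the javascript.yml hunk earlier in this commit keeps the identical entry; if the intent is that the library is browser-only, that is fine, but if it is being retired it should be removed from both lists in the same change so the two files do not drift.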
Expand All @@ -17,4 +16,7 @@ server_libraries:
Identity Provider system developed to support Firefox Marketplace and other services
- '<a href="https://github.com/jaredhanson/oauth2orize">OAuth2orize: toolkit to implement
OAuth2 Authorization Servers</a>'
- <a href="https://github.com/authts/oidc-client-ts">oidc-client-ts</a>. Library to
provide OpenID Connect and OAuth2 protocol support for client-side, browser-based
JavaScript client applications.
...
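Review bot: the three added oidc-client-ts lines land under `server_libraries:` although their own text says the library provides support for "client-side, browser-based JavaScript client applications"; it belongs under `client_libraries`, and the same entry already appears in javascript.yml in this commit, so check whether a second copy under Node is wanted at all.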
2 changes: 2 additions & 0 deletions data/code/python.yml
Expand Up @@ -19,4 +19,6 @@ client_libraries:
for Flask and Django.</a>
- <a href="https://github.com/requests/requests-oauthlib">Requests-OAuthlib</a> has
OAuth library support for <a href="http://python-requests.org">Python Requests</a>.</a>
- <a href="https://github.com/mozilla/mozilla-django-oidc">mozilla-django-oidc</a> is
a lightweight Django authentication and access management library for integration with OpenID Connect enabled authentication services.
...
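Review bot: the context line just above the addition ends with `Python Requests</a>.</a>`, a second `</a>` with no matching opening tag; these strings are emitted as raw HTML, so the stray close tag is worth fixing while this block is being touched. The new mozilla-django-oidc entry itself is fine.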
11 changes: 1 addition & 10 deletions includes/_header.php
Expand Up @@ -20,16 +20,7 @@ function e($t) { return htmlspecialchars($t); }
</div>

<?php if($_SERVER['SERVER_NAME'] == 'oauth.net'): ?>
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

ga('create', 'UA-4617305-25', 'auto');
ga('send', 'pageview');
</script>
<script src="https://emu.pin13.net/script.js" site="KKZQTOOD" defer></script>
<script src="https://cdn.usefathom.com/script.js" site="KKZQTOOD" defer></script>
<script>
var trackOutboundClick = function(url, code) {
ga('send', 'event', 'outbound', 'click', url, {
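Review bot: after removing analytics.js the global `ga` is no longer defined, yet the trailing context lines still define `trackOutboundClick` as `ga('send', 'event', 'outbound', 'click', url, {`; any link wired to that helper will throw a ReferenceError on oauth.net. Either delete the helper together with its onclick callers or port it to the new provider's event API. Separately, the added `<script src="https://cdn.usefathom.com/script.js" site="KKZQTOOD" defer>` is loaded with no `integrity` attribute, so whatever that CDN serves runs with full page privileges; if the vendor does not publish stable hashes, consider self-hosting the script and listing only that host in a `script-src` CSP so the analytics swap does not widen the page's trust boundary.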
3 changes: 2 additions & 1 deletion includes/_nav_primary.php
Expand Up @@ -11,9 +11,10 @@
<li class="nav-item"><a class="nav-link" href="/code/">Code</a></li>
<li class="nav-item"><a class="nav-link" href="/articles/">Articles</a></li>
<li class="nav-item"><a class="nav-link" href="/videos/">Videos</a></li>
<li class="nav-item"><a class="nav-link" href="/events/">Events</a></li>
<li class="nav-item"><a class="nav-link" href="https://events.oauth.net/">Events</a></li>
<li class="nav-item"><a class="nav-link" href="/books/">Books</a></li>
<li class="nav-item"><a class="nav-link" href="/security/">Security</a></li>
<li class="nav-item"><a class="nav-link" href="https://shop.oauth.net/">Merch</a></li>
<li class="nav-item"><a class="nav-link" href="/about/credits/">About</a></li>
</ul>
</div>
3 changes: 2 additions & 1 deletion public/2/client-authentication/index.php
Expand Up @@ -27,7 +27,8 @@
<li><a href="/2/mtls/">Mutual TLS</a> (RFC 8705)</li>
<li><a href="/private-key-jwt/">Private Key JWT</a> (RFC 7521, RFC 7521, OpenID)</li>
</ul>

<p>Note: <a href="/2/pkce/">PKCE</a> is not a form of client authentication, and is not an alternative to client authentication. Applications using client authentication should also use PKCE.</p>

<p>More resources
<ul>
<li><a href="https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/">Client Credentials</a> (oauth.com)</li>
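Review bot: the context line `<li><a href="/private-key-jwt/">Private Key JWT</a> (RFC 7521, RFC 7521, OpenID)</li>` cites RFC 7521 twice; the JWT client-assertion profile is RFC 7523, which public/2/index.php in this same commit lists as "JWT Bearer Assertion - RFC 7523", so the second reference should read RFC 7523. The added PKCE note is a useful clarification and is consistent with the wording added to public/2/pkce/index.php.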
2 changes: 1 addition & 1 deletion public/2/device-flow/index.php
Expand Up @@ -25,7 +25,7 @@
<ul>
<li><a href="https://www.oauth.com/oauth2-servers/device-flow/">Device Flow</a> (oauth.com)</li>
<li><a href="https://developer.okta.com/blog/2019/02/19/add-oauth-device-flow-to-any-server">Add the OAuth 2.0 Device Flow to any OAuth Server</a> (by Aaron Parecki)</li>
<li><a href="https://alexbilbie.com/2016/04/oauth-2-device-flow-grant/">OAuth 2.0 Device Flow Grant</a> (alexbilbie.com)</li>
<li><a href="https://alexbilbie.github.io/2016/04/oauth-2-device-flow-grant/">OAuth 2.0 Device Flow Grant</a> (alexbilbie.github.io)</li>
<li><a href="https://github.com/aaronpk/Device-Flow-Proxy-Server">A proxy server that implements the Device Flow to an existing OAuth server</a> (github.com)</li>
</ul>
</p>
11 changes: 5 additions & 6 deletions public/2/dpop/index.php
@@ -1,25 +1,24 @@
<?php
$page_title = "OAuth 2.0 DPoP - Demonstration of Proof of Possession";
$page_title = "OAuth 2.0 DPoP - Demonstrating Proof of Possession at the Application Layer";
$page_section = "";
$page_secondary = "";
$page_meta_description = "OAuth 2.0 DPoP - Demonstration of Proof of Possession at the Application Layer";
$page_meta_description = "OAuth 2.0 DPoP - Demonstrating Proof of Possession at the Application Layer";
require('../../../includes/_header.php');
?>
<div class="container">
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
<li class="breadcrumb-item"><a href="/2/">OAuth 2.0</a></li>
<li class="breadcrumb-item active">DPoP - Demonstration of Proof of Possession</li>
<li class="breadcrumb-item active">DPoP - Demonstrating Proof of Possession at the Application Layer</li>
</ol>
</nav>
<div>

<h2>Draft: OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)</h2>
<h2>Draft: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)</h2>

<p><a href="https://tools.ietf.org/html/draft-ietf-oauth-dpop" class="rfc">tools.ietf.org/html/draft-ietf-oauth-dpop</a></p>

<p><a href="https://tools.ietf.org/html/draft-ietf-oauth-dpop">DPoP</a>, or Demonstration of Proof of Possession, is an extension that describes a technique to cryptographically bind access tokens to a particular client when they are issued. This is one of many attempts at improving the security of <a href="/2/bearer-tokens/">Bearer Tokens</a> by requiring the application using the token to authenticate itself.</p>
<p>This draft is still in progress, and is open to feedback from people who are interested in using it!</p>
<p><a href="https://tools.ietf.org/html/draft-ietf-oauth-dpop">DPoP</a>, or Demonstrating Proof of Possession, is an extension that describes a technique to cryptographically bind access tokens to a particular client when they are issued. This is one of many attempts at improving the security of <a href="/2/bearer-tokens/">Bearer Tokens</a> by requiring the application using the token to prove possession of the same private key that was used to obtain the token.</p>

<p>See Also:</p>
<ul>
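Review bot: the feedback paragraph is removed but the spec link still uses tools.ietf.org, while the RAR page in this same commit switched to datatracker.ietf.org; use the datatracker URL here too so the page does not depend on the legacy tools.ietf.org redirect (the `<h2>` keeping "Draft:" is right as long as the link is to the draft). The reworded description is the more accurate statement: what the resource server checks is proof of possession of the key the token was bound to at issuance, not the client's identity, so "prove possession of the same private key" is the correct replacement for "authenticate itself".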
2 changes: 1 addition & 1 deletion public/2/grant-types/device-code/index.php
Expand Up @@ -27,7 +27,7 @@
<p>More resources
<ul>
<li><a href="https://www.oauth.com/oauth2-servers/device-flow/token-request/">Device Flow Token Request</a> (oauth.com)</li>
<li><a href="https://alexbilbie.com/2016/04/oauth-2-device-flow-grant/">Device Flow</a> (alexbilbie.com)</li>
<li><a href="https://alexbilbie.github.io/2016/04/oauth-2-device-flow-grant/">Device Flow</a> (alexbilbie.github.io)</li>
<li><a href="https://www.oauth.com/playground/device-code.html">Device Code Grant on the OAuth 2.0 Playground</a></li>
</ul>
</p>
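Review bot: `<p>More resources` wraps a `<ul>`, which is not valid HTML: a `<p>` cannot contain a block-level list, so browsers close the paragraph before the `<ul>` and the trailing `</p>` becomes a stray end tag. The same pattern shows in the device-flow and grant-types hunks of this commit; replace the `<p>` with a heading, or close the paragraph before the list. The github.io URL change itself is fine.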
2 changes: 1 addition & 1 deletion public/2/grant-types/index.php
Expand Up @@ -33,7 +33,7 @@
<ul>
<li><a href="https://www.udemy.com/course/oauth-2-simplified/?referralCode=B04F59AED67B8DA74FA7">The Nuts and Bolts of OAuth</a> (Video Course) - Aaron Parecki</li>
<li><a href="https://aaronparecki.com/oauth-2-simplified/#authorization">Grant Types</a> (aaronparecki.com)</li>
<li><a href="https://alexbilbie.com/guide-to-oauth-2-grants/">A Guide to OAuth 2.0 Grants</a> (alexbilbie.com)</li>
<li><a href="https://alexbilbie.github.io/guide-to-oauth-2-grants/">A Guide to OAuth 2.0 Grants</a> (alexbilbie.github.io)</li>
</ul>
</p>

2 changes: 1 addition & 1 deletion public/2/index.php
Expand Up @@ -110,7 +110,6 @@
<h3>Experimental and Draft Specs</h3>
<p>The specs below are either experimental or in draft status and are still active working group items. They will likely change before they are finalized as RFCs or BCPs.</p>
<ul>
<li><a href="/2/rich-authorization-requests/">Rich Authorization Requests (RAR)</a></li>
<li><a href="https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz">Incremental Authorization</a></li>
<li><a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-step-up-authn-challenge">Step-up Authentication Challenge</a></li>
<li><a href="/specs/">All OAuth Working Group Documents</a></li>
Expand All @@ -123,6 +122,7 @@
<li><a href="http://tools.ietf.org/html/rfc7522">SAML2 Bearer Assertion</a> - RFC 7522, for integrating with existing identity systems</li>
<li><a href="http://tools.ietf.org/html/rfc7523">JWT Bearer Assertion</a> - RFC 7523</li>
<li><a href="http://tools.ietf.org/html/rfc9207">Authorization Server Issuer Identification</a> - RFC 9207, indicates the authorization server identifier in the authorization response</li>
<li><a href="/2/rich-authorization-requests/">Rich Authorization Requests (RAR)</a> - RFC 9396</li>
</ul>

<h3>Related Work from Other Communities</h3>
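Review bot: the moved RAR entry links to the internal page /2/rich-authorization-requests/ while its siblings in this list link to the RFC text directly, and those siblings use plain `http://tools.ietf.org/...` URLs; while this list is being edited, switch the neighbours to https datatracker.ietf.org links (as the RAR page hunk in this commit does) so the finalised-specs list does not mix schemes and hosts. Moving RAR out of the draft list once it carries an RFC number is correct.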
4 changes: 2 additions & 2 deletions public/2/pkce/index.php
Expand Up @@ -19,9 +19,9 @@
<p><a href="http://tools.ietf.org/html/rfc7636" class="rfc">tools.ietf.org/html/rfc7636</a></p>

<p>PKCE (<a href="http://tools.ietf.org/html/rfc7636">RFC 7636</a>) is an extension to the <a href="/2/grant-types/authorization-code/">Authorization Code flow</a> to prevent CSRF and authorization code injection attacks.</p>
<p>PKCE is <em>not</em> a replacement for a client secret, and PKCE is recommended even if a client is using a client secret.</p>
<p>PKCE is <em>not</em> a form of client authentication, and PKCE is <em>not</em> a replacement for a client secret or other client authentication. PKCE is recommended even if a client is using a client secret or other form of <a href="/2/client-authentication/">client authentication</a> like private_key_jwt.</p>
<p>Note: Because PKCE is not a replacement for client authentication, it does <em>not</em> allow treating a public client as a confidential client.</p>
<p>PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use a client secret.</p>
<p>PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use client authentication.</p>

<h3>Videos</h3>
<ul>
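Review bot: in the added paragraph `private_key_jwt` is a literal parameter value and should be wrapped in `<code>` tags, as `<code>state</code>` is in the authentication article hunk of this same commit. The substance is right and worth keeping: stating that PKCE is not client authentication and does not turn a public client into a confidential one closes a common misreading of RFC 7636.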
7 changes: 3 additions & 4 deletions public/2/rich-authorization-requests/index.php
Expand Up @@ -2,7 +2,7 @@
$page_title = "OAuth 2.0 Rich Authorization Requests";
$page_section = "";
$page_secondary = "";
$page_meta_description = "OAuth 2.0 Rich Authorization Requests";
$page_meta_description = "RFC 9396: OAuth 2.0 Rich Authorization Requests";
require('../../../includes/_header.php');
?>
<div class="container">
Expand All @@ -14,12 +14,11 @@
</nav>
<div>

<h2>Draft: OAuth 2.0 Rich Authorization Requests</h2>
<h2>RFC 9396: OAuth 2.0 Rich Authorization Requests</h2>

<p><a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar" class="rfc">datatracker.ietf.org/doc/html/draft-ietf-oauth-rar</a></p>
<p><a href="https://datatracker.ietf.org/doc/html/rfc9396" class="rfc">datatracker.ietf.org/doc/html/rfc9396</a></p>

<p>The <a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar">Rich Authorization Requsts</a> extension provides a way for OAuth clients to request fine-grained permissions during an authorization request. For example, an app may specify a request such as "let me make a payment of 45 Euros" or "please give me read access to folder X and write access to folder Y".</p>
<p>This draft is still in progress, and is open to feedback from people who are interested in using it!</p>

<p>More resources
<ul>
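Review bot: the context line still links "Rich Authorization Requsts" (typo for Requests) to draft-ietf-oauth-rar although the line above now points at rfc9396; update that link to the RFC as well and fix the spelling while here. Removing the "still in progress" paragraph is correct once the heading says RFC 9396.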
4 changes: 2 additions & 2 deletions public/articles/authentication/index.php
Expand Up @@ -38,7 +38,7 @@

<p>OAuth, in this metaphor, is chocolate. It's a versatile ingredient that is fundamental to a number of different things and can even be used on its own to great effect. Authentication is more like fudge. There are at least a few ingredients that must brought together in the right way to make it work, and OAuth can be one of these ingredients (perhaps the main ingredient) but it doesn't have to be involved at all. You need a recipe that says what to combine and how to combine them, and there are a large number of different recipes that say how that can be accomplished.</p>

<p>And in fact, there are a number of well-known recipes out there for doing this with specific providers, like Facebook Connect, Sign In With Twitter, and OpenID Connect (which powers Google's sign-in system, among others). These recipes each add a number of items, such as a common profile API, to OAuth to create an authentication protocol. Can you build an authentication protocol without OAuth? Of course, there are many kinds out there, just as there are many kinds of <a href="http://whatscookingamerica.net/Candy/mashedpotatofudge.htm">non-chocolate fudge</a> to be had out there. But what we're here to talk about today is specifically authentication built on top of OAuth 2.0, what can go wrong, and how it can be made secure and delicious.</p>
<p>And in fact, there are a number of well-known recipes out there for doing this with specific providers, like Facebook Connect, Sign In With Twitter, and OpenID Connect (which powers Google's sign-in system, among others). These recipes each add a number of items, such as a common profile API, to OAuth to create an authentication protocol. Can you build an authentication protocol without OAuth? Of course, there are many kinds out there, just as there are many kinds of <a href="https://www.completelydelicious.com/brown-sugar-fudge/">non-chocolate fudge</a> to be had out there. But what we're here to talk about today is specifically authentication built on top of OAuth 2.0, what can go wrong, and how it can be made secure and delicious.</p>

<h3 id="common-pitfalls">Common pitfalls for authentication using OAuth</h3>

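Review bot: the context paragraph two lines above the changed link reads "must brought together", missing "be"; fix it along with the link swap since this region is already in the diff.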
Expand All @@ -60,7 +60,7 @@

<p>An additional (and very dangerous) threat occurs when clients accept access tokens from sources other than the return call from the token endpoint. This can occur for a client that uses the implicit flow (where the token is passed directly as a parameter in the URL hash) and don't properly use the OAuth <code>state</code> parameter. This issue can also occur if different parts of an application pass the access token between components in order to "share" access among them. This is problematic because it opens up a place for access tokens to potentially be injected into an application by an outside party (and potentially leak outside of the application). If the client application does not validate the access token through some mechanism, it has no way of differentiating between a valid token and an attack token.</p>

<p>This can be mitigated by using the authorization code flow and only accepting tokens directly from the authorization server's token enpdoint, and by using a <code>state</code> value that is unguessable by an attacker.</p>
<p>This can be mitigated by using the authorization code flow and only accepting tokens directly from the authorization server's token endpoint, and by using a <code>state</code> value that is unguessable by an attacker.</p>

<h4 id="audience-restriction">Lack of audience restriction</h4>

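Review bot: the typo fix (enpdoint to endpoint) is good; the context paragraph above it has a number mismatch, "a client that uses the implicit flow ... and don't properly use", which should read "doesn't". Worth fixing in the same pass.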
19 changes: 15 additions & 4 deletions public/articles/index.php
Expand Up @@ -14,6 +14,17 @@

<p>The OAuth community is dedicated to helping provide information on the proper use of the OAuth protocols through a series of articles on different topics.</p>

<div class="article card h-entry">
<h4 class="p-name"><a href="https://fusionauth.io/learn/expert-advice/oauth/complete-list-oauth-grants" class="u-url">The Complete List of OAuth 2 Grants</a></h4>
<div class="meta">
<a href="https://twitter.com/ravgeetdhillon" class="u-author h-card">Ravgeet Dhillon</a> ・ <time class="dt-published" datetime="2022-04-12">Apr 12, 2022</time>
</div>
<div class="tags">
#oauth2
</div>
<p class="e-summary">A complete list of all the various grants that have been standardized by the IETF, including standard ones like the Authorization Code Grant, and more unusual ones like the SAML 2.0 Bearer Grant.</p>
</div>

<div class="article card h-entry">
<h4 class="p-name"><a href="https://www.ory.sh/run-oauth2-server-open-source-api-security/" class="u-url">Run Your Own Open Source OAuth2 and OpenID Connect Server!</a></h4>
<div class="meta">
Expand Down Expand Up @@ -156,14 +167,14 @@
</div>

<div class="article card h-entry">
<h4 class="p-name"><a href="https://alexbilbie.com/guide-to-oauth-2-grants/" class="u-url">A Guide to OAuth 2.0 Grants</a></h4>
<h4 class="p-name"><a href="https://alexbilbie.github.io/guide-to-oauth-2-grants/" class="u-url">A Guide to OAuth 2.0 Grants</a></h4>
<div class="meta">
<a href="https://alexbilbie.com/" class="u-author h-card">Alex Bilbie</a>
<a href="https://alexbilbie.github.io" class="u-author h-card">Alex Bilbie</a>
</div>
<div class="tags">
#grant-types #guide
</div>
<p class="e-summary"><i><a href="https://alexbilbie.com/guide-to-oauth-2-grants/">A Guide to OAuth 2.0 Grants</a></i> describes each of the OAuth grants and use cases for each.</p>
<p class="e-summary"><i><a href="https://alexbilbie.github.io/guide-to-oauth-2-grants/">A Guide to OAuth 2.0 Grants</a></i> describes each of the OAuth grants and use cases for each.</p>
</div>

<div class="article card h-entry">
Expand All @@ -178,7 +189,7 @@
</div>

<div class="article card h-entry">
<h4 class="p-name"><a href="https://www.loginradius.com/engineering/blog/what-is-the-difference-between-oauth1-and-oauth2/" class="u-url">What is the difference between OAuth1 and OAuth2?</a></h4>
<h4 class="p-name"><a href="https://www.loginradius.com/blog/engineering/what-is-the-difference-between-oauth1-and-oauth2/" class="u-url">What is the difference between OAuth1 and OAuth2?</a></h4>
<div class="meta">
<a href="https://www.loginradius.com/engineering/blog/author/ti-zhang/" class="u-author h-card">Ti Zhang</a>
</div>
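Review bot: the article URL moves to /blog/engineering/... but the author link on the context line below still uses the old /engineering/blog/author/ti-zhang/ path; if the site restructured its blog, that link has very likely moved too, so check it before merging.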