aaronpk's comments

aaronpk | 7 months ago | on: Sign in with Google in Chrome

It refers to the property of FedCM that means nothing about your account is revealed to the website until you click the "Continue As" button. In other words, alternatives to this that use third-party cookies enable tracking you between websites without any user interaction.

aaronpk | 8 months ago | on: Identity Assertion Authorization Grant

I wrote a much more narrative version of what this is useful for here: https://aaronparecki.com/2025/05/12/27/enterprise-ready-mcp

It isn't exclusive to MCP, it applies to any regular OAuth connection between apps under the same enterprise IdP too, but MCP is a topical example at the moment.

aaronpk | 1 year ago | on: OAuth from First Principles

"nothing inherently bad" other than:

(a list of things that are specifically bad implementations)

In my demos the OAuth flow completes so fast you can't even tell it happened, you don't even see the address bar change to the IdP the second time you do a flow when you already have a session there.

aaronpk | 2 years ago | on: Why I Live in IRC (2015)

I have chosen to interpret your response as sarcasm

aaronpk | 2 years ago | on: Why I Live in IRC (2015)

Exactly. Even in a relatively dense location, I have a new automation that runs when my cameras detect a person, both blaring a siren outside as well as notifying me in the house. Now about half a dozen times, it has stopped someone from getting farther than a few feet on the property, whereas without it I had people sneaking around looking for unlocked doors.

aaronpk | 2 years ago | on: Why I Live in IRC (2015)

sorry my sarcasm didn't make it through the computer screen

aaronpk | 2 years ago | on: Why I Live in IRC (2015)

what if data collection as a hobby is the end goal

aaronpk | 2 years ago | on: Why I Live in IRC (2015)

Discord is just fancy IRC

aaronpk | 2 years ago | on: Why I Live in IRC (2015)

oh hi. Yes I moved to Libera a while back and am still there regularly.

aaronpk | 4 years ago | on: IndieWeb: A people-focused alternative to the “corporate web”

No it was just a bad take

aaronpk | 4 years ago | on: IndieWeb: A people-focused alternative to the “corporate web”

Check out the actual spec, there's nothing in IndieAuth that relies on third parties. The whole point is so you can authenticate as your own domain to other things. There are some helper services that let you authenticate via Twitter/GitHub in case your website doesn't support IndieAuth natively. https://indieauth.net

aaronpk | 5 years ago | on: FediDB – Developer Tools for ActivityPub

ActivityPub by definition doesn't work with a static site. But check out this project which offloads the ActivityPub parts for any site assuming you can make a request there as part of your static site build process https://fed.brid.gy/

aaronpk | 5 years ago | on: Webmention.io

> edit: Also, why doesn't webmention.io display its own mentions to utilize the two-way communication it advertises? Seems like a no-brainer to show prospective users an example of it working in action

This is a good idea, and if I were re-making this service new in 2021 I would definitely do this. However I launched this in 2012 as a barebones implementation to get webmentions working for a few of my websites and never bothered to develop it much past that point.

aaronpk | 5 years ago | on: Webmention.io

The good news is everyone who receives webmentions can decide what it looks like themselves! In fact you'll see quite a lot of variation in how these are displayed on people's websites. Everything from a list of comments, to just a list of URLs, to a grid of faces with no text!

eta: There is also no requirement that the receiver of a webmention displays it! You could just as well use it for private notifications of the links.

aaronpk | 5 years ago | on: Webmention.io

HN does not as far as I know, but Lobsters does! https://github.com/lobsters/lobsters/pull/535

aaronpk | 5 years ago | on: Webmention.io

Don't think of it as comments on blog posts, think of it as enabling entire conversation threads between websites instead of between twitter accounts.

aaronpk | 5 years ago | on: Webmention.io

I'd happily accept a PR to the docs! I launched this service in... 2012

aaronpk | 5 years ago | on: Ask HN: Did Google turn off IMAP access for good over the weekend?

I'm having a different (but likely related) problem, which is that my SMTP stopped working today.

I have a legacy Google Apps account on a custom domain, and have had two-factor auth configured for years. Today my SMTP credentials stopped working, so I went in and made a new app-specific password, and that is also not working as my SMTP password. I also can't enable the "less secure apps" option because 2fa is enabled. I don't see any path to fix this.

aaronpk | 6 years ago | on: An Illustrated Guide to OAuth and OpenID Connect

No, you're confusing things again.

Your example includes two separate OAuth/OIDC flows. Dropbox as the client to Google, and the camera app as a client to Dropbox.

aaronpk | 6 years ago | on: IndieAuth – A federated login protocol using one's own domain name

For those of you wondering how this is different from OpenID Connect:

https://indieweb.org/How_is_IndieAuth_different_from_OpenID_...