med-mastodon.com is one of the many independent Mastodon servers you can use to participate in the fediverse.
Medical community on Mastodon


#oauth


Testing out #Tuba as a #Fediverse client on #LinuxMint.

So far so good.

It used #OAuth to authenticate to #Sharkey. That's a plus.

It correctly sees that my posts have a 5000 character limit. That's nice.

But it's missing certain things like #Markdown/ #Misskey-Markdown preview (oh, and it can't handle #tags with a hyphen in them I see).

And I can't seem to figure out how to get it to automatically expand any CWs and show me sensitive media. Ok, this sucks. I'm an adult and very little offends me. Treat me like an adult, will you?

Anyway...

Not bad.

So why even look at Tuba in the first place?

Because #Chromium is causing my #LinuxDesktop to freeze and stutter, and I've traced it back to Chromium. Uninstalled Chromium, everything is fine. Reinstalled Chromium, no bueno.

And it's not like I have that many extensions installed! Bitwarden, Linkwarden, Floccus, DarkReader, and DuckDuckGo. That's it!

Anyways...

1033 characters for this post. Not bad. The fact Mastodon has a 500 character default is stupid.

Today I released the first version of #Lokksmith, a #KotlinMultiplatform OpenID Connect client library for #Android and #iOS. I've been working on this in my spare time for the past few weeks. I finally reached a state that I can proudly show to the world.

The first release contains a fully working implementation for Android. The iOS integration is not yet available. Any help regarding iOS is greatly appreciated.

lokksmith.dev: Lokksmith, a Kotlin Multiplatform OpenID Connect client library for Android and iOS

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

  • RFC 8414 (OAuth metadata discovery)
  • RFC 7636 (#PKCE support)
  • Improved authorization flows following RFC 9700 best practices

New features

  • Extended character limit (4K → 10K)
  • Code syntax highlighting
  • Customizable profile themes
  • EXIF metadata stripping for privacy

Important notes for update

  • Node.js 24+ required
  • Updated environment variables for asset storage
  • Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

Interesting open letter from the CISO at JP Morgan Chase, calling out insecure SaaS integrations, and specifically lots of implicit/explicit criticism of #OAuth: poorly secured and broadly scoped long-lived bearer tokens are not a great idea. Hopefully we’ll see PoP (with keys in a KMS) becoming more widespread for these kinds of integrations.

(The letter is undated 😤 but I assume it’s recent - via @ladynerd on LinkedIn).

jpmorgan.com/technology/techno

www.jpmorgan.com: An Open Letter to Third-Party Suppliers. Learn more about J.P. Morgan's products and services.

⚠️ Phishers have found a clever way to spoof Google — and their emails pass all security checks.

A new DKIM replay phishing attack abuses Google’s own OAuth infrastructure to send fake messages that look 100% legitimate, including passing DKIM authentication.

What happened:
- A phishing email was sent from “no-reply@google.com”
- It appeared in the user’s inbox alongside real Google security alerts
- The message linked to a fake support portal hosted on sites[dot]google[dot]com — a Google-owned domain
- The attacker used Google OAuth to trigger a real security alert to their inbox, then forwarded it to victims

Why this matters:
- DKIM only verifies the headers, not the envelope — allowing this spoof to work
- The phishing site was nearly indistinguishable from Google’s actual login portal
- Because the message was signed by Google and hosted on a Google domain, it bypassed most users’ suspicions
- Similar tricks have been used with PayPal and other platforms, raising broader concerns

Google has since acknowledged the issue and is working on a fix. But this attack is a reminder:

Even the most secure-looking emails can be fraudulent.
Even Google-signed emails can be weaponized.

🛡️ At @Efani, we advocate for layered defense — because no one layer is ever enough.
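The gap the post above describes (DKIM binds the signed headers, not the SMTP envelope the message actually arrives in) is something a receiving MTA can check for. The following is an added example, not code from the post or from Efani: it assumes the DKIM signature was already cryptographically verified upstream (for instance by the MTA's DKIM milter) and only looks at whether the signed addressing matches the envelope recipient and whether the signature is stale. The message, domain `sender.example`, selector, hashes and signature value are constructed placeholders, and the seven-day age limit is a policy choice made for the example.

```python
"""Receiving-side heuristic for the replay pattern described in the post: a
legitimately DKIM-signed message re-sent to recipients it was never addressed to.
Added example with a constructed message; it assumes the signature itself was
already verified upstream and only inspects the signed-header/envelope gap and
signature freshness."""
import email
import time
from email import policy
from email.utils import getaddresses

MAX_SIGNATURE_AGE = 7 * 24 * 3600   # policy choice for signatures carrying t= but no x=

# Constructed message: domain, selector, hashes and signature are placeholders;
# the t= timestamp 1700000000 matches the Date header.
SIGNED_ALERT = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.example;
 s=sel1; t=1700000000; h=from:to:subject:date;
 bh=CONSTRUCTED-BODY-HASH; b=CONSTRUCTED-SIGNATURE
From: Security Alerts <no-reply@sender.example>
To: mailbox@example.net
Subject: Security alert
Date: Tue, 14 Nov 2023 22:13:20 +0000

A new sign-in was detected on your account.
"""


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 section 3.2);
    folding whitespace inside values is discarded."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def replay_indicators(raw: bytes, envelope_rcpt: str, now=None) -> list:
    """Return the names of replay indicators found; an empty list means none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no-dkim-signature"]
    tags = parse_dkim_tags(str(sig))
    now = time.time() if now is None else now
    findings = []

    # 1. A signature that does not cover To lets that header be rewritten freely.
    signed_headers = {h.lower() for h in tags.get("h", "").split(":")}
    if "to" not in signed_headers:
        findings.append("to-header-not-signed")

    # 2. The envelope recipient (RCPT TO) is not among the addresses the signer
    #    committed to in the signed To/Cc headers. Mailing lists also trigger
    #    this, so treat it as a scoring signal, not a verdict.
    addressed = {addr.lower() for _, addr in
                 getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if envelope_rcpt.lower() not in addressed:
        findings.append("envelope-rcpt-not-in-signed-to-cc")

    # 3. Replay depends on a signature that is still valid long after sending.
    if "x" in tags and now > int(tags["x"]):
        findings.append("signature-expired")
    elif "x" not in tags and "t" in tags and now - int(tags["t"]) > MAX_SIGNATURE_AGE:
        findings.append("signature-older-than-policy")

    # 4. l= caps the signed body length, so unsigned content can be appended.
    if "l" in tags:
        findings.append("body-length-limited")
    return findings


if __name__ == "__main__":
    at = 1700000000 + 2 * 24 * 3600
    print(replay_indicators(SIGNED_ALERT, "mailbox@example.net", at))
    print(replay_indicators(SIGNED_ALERT, "someone-else@example.org", at))
```

Run stand-alone, the first call (envelope recipient equals the signed To) reports nothing, while the second (same signed message delivered to a different envelope recipient) reports the To/envelope mismatch. Signers can shrink the replay window on their side by setting `x=` to a short expiry; receivers can only observe the mismatch and score it.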


Check your programming frameworks. For example, this is currently only planned in the upcoming major version of the Spring framework github.com/spring-projects/spr

At least for the Rust crate openidconnect-rs this is included in the default example: docs.rs/openidconnect/latest/o

GitHub: Consider Enabling PKCE for Authorization Code by Default · Issue #16391 · spring-projects/spring-security (by rwinch)
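Both the Hollo announcement further up (RFC 7636 PKCE and RFC 8414 metadata discovery) and this thread about frameworks enabling PKCE by default come down to the same few lines of code on each side of the authorization code flow. The following is an added example, not code from Hollo, Spring Security or openidconnect-rs: the client checks the server's RFC 8414 metadata for S256 before building the authorization request, and the server recomputes the challenge at the token endpoint. The issuer URLs, `client_id`, redirect URI and the metadata dict are constructed stand-ins; the known-answer vector used in the test is the one from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) on both sides of the authorization code flow, gated on the
server's RFC 8414 metadata. Added example; endpoints and client_id are constructed."""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Constructed stand-in for the JSON returned by
# GET https://as.example/.well-known/oauth-authorization-server (RFC 8414).
ISSUER_METADATA = {
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "code_challenge_methods_supported": ["S256"],
}

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random octets encode to exactly 43 unreserved characters, the RFC minimum.
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(metadata: dict, client_id: str, redirect_uri: str,
                            verifier: str, state: str) -> str:
    """Client side: refuse to downgrade to 'plain' if S256 is not advertised."""
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        raise ValueError("authorization server does not advertise S256")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return metadata["authorization_endpoint"] + "?" + urlencode(params)


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier) -> bool:
    """Server side at the token endpoint: the challenge and method were stored
    with the authorization code when it was issued; the verifier arrives with
    the code in the token request."""
    if not isinstance(presented_verifier, str) or not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    if stored_method != "S256":          # this example does not accept 'plain'
        return False
    expected = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    url = build_authorization_url(ISSUER_METADATA, "example-client",
                                  "https://app.example/cb", verifier,
                                  secrets.token_urlsafe(16))
    print(url)
    # What the server stored at authorization time, checked at token time.
    stored = code_challenge_s256(verifier)
    print("token endpoint accepts verifier:", verify_pkce(stored, "S256", verifier))
```

The verifier never leaves the client until the token request, so an authorization code captured from the redirect is useless without it; the server-side check is what turns the code from a bearer secret into something bound to the client that started the flow. Frameworks that default to PKCE, as the thread asks of Spring Security, are making the `build_authorization_url` and `verify_pkce` halves non-optional.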

USSO is a third-party cookie-based SSO (for now), built to work across multiple domains and businesses. It has been in development for over a year by Mahdi Kiani.

Right now, it's written in Python, but a Go rewrite is coming soon. After the rewrite, OAuth, SAML, and other authentication methods will be added.

For now, USSO doesn’t have a frontend to manage all SSO operations, but everything is available through an API.

A couple of microservices also work with USSO:

A global S3-based file manager

UFAAS, a Function-as-a-Service platform, optimized for Iran

UFAAS currently only supports IRT/IRR currencies and integrates with Iranian payment gateways, but accounts can also be manually charged.

A Rust module for USSO has also been released, making it easier to integrate with Rust-based applications. Additionally, I've recently joined the development team.

USSO is planned to be used on Parch Linux, and detailed deployment documentation will be written for all major platforms, including cloud, Docker, Kubernetes, and Jails.

Mahdi Kiani on X: x.com/mahdikiani
Project GitHub: github.com/ussoio
The File Manager: github.com/ufilesorg
FaaS: github.com/ufaasio
profile manager based on usso: github.com/uprofile
rustcrate: crates.io/crates/usso

X (formerly Twitter): مهدی کیانی (Mahdi Kiani, @mahdikiani) on X: "Trying to be a servant, a husband, a father, a bit of an entrepreneur with a technical point of view"
#USSO #SSO #OAuth

#Fedi, looking for people with experience in #accessible software.

I have a friend with serious vision issues. Not blind, but can't easily read text that isn't 6+ inches high, and his vision is degrading. He is looking for a way to deal with email -- he's a writer -- because he says Gmail is now a nightmare to use even with a screen reader.

Preferred solution would be a mail program / #MUA that runs on Windows and supports #OAUTH authentication, so he can continue to use his Gmail address.

What's the MUA with the best #accessibility on Windows? Thunderbird brags about its support for screen readers and assistive technologies, so I had him try it, and he says it's almost as bad as Gmail - flashing colours, animating controls. I haven't personally touched Thunderbird in many years, so it was a surprise to me.

I use a text/console mail flow that relies on a local MTA, so nothing I use is of any use in this.

Thanks, appreciate any pointers.