OAuth Happy Hour. I'm Aaron Parecki, and we have Vittorio here as well. How's it going? We are sitting in our nicely air-conditioned spaces now while the Pacific Northwest is on fire around us, so it's been a hot last couple of days, but everything is nice inside here.

It is nice inside indeed. The thing that gets a bit unsettling is as the sun starts coming down: it becomes red and you can look at it directly without having your retina burned. It's like something is going on out here, but while you are inside it's manageable.

Yeah, so I guess we'll just jump right in. Of course, if you do have questions, feel free to drop them in the chat wherever you are watching and we will talk about them. Otherwise we've got stuff to chat about as well, just about what's been going on in the world of OAuth. So I guess let's start with seeing if there have been any updates on any of the specs that have been worked on lately. We've got a lot of stuff in the pipeline in the group; I know there's a lot of work going on with some of the new extensions. I'm going to go ahead and open up the page that shows the draft status. It looks like it's been a bit of a slow summer, but OAuth 2.0 Pushed Authorization Requests is progressing through the IETF process nicely. It's been a couple of weeks since the last update, but it's in the RFC Editor's queue. Is that the last step before it gets an RFC number?

I believe it's the last step, but it's still a long one, because the RFC Editor needs to go and nitpick and put all the bars on the t's and the dots on the i's, all stuff that technical people usually don't pay that much attention to but that the editors follow extraordinarily well. That's why it takes a while, but I think the point is that the substance is now there.
If someone decides to implement it, the fact that you move a sentence from passive to active voice won't really change the implementation that you're doing, so it's safe for people to start playing with, I believe.

That is really good news; that's very exciting. I am a big fan of this one, and honestly I feel like OAuth should probably always have worked this way, because less reliance on the front channel is a good thing in my opinion.

I agree, provisionally, let's say. For all the things that OAuth is supposed to do, like getting access tokens, if you do have something which is on the back end, then yeah, the back end is definitely less exposed to all these various manipulations and the Swiss cheese that is what happens in the user agent. The thing is that sometimes, when you put stuff on top of OAuth, like OpenID Connect and similar, then some stuff can be done in the front channel. But I agree it's more the exception than the rule; it's an important exception, though, and that's why I'm nitpicking.

Yeah, I just feel like if it had always worked this way, then there would have been less of a need to do some of those additional band-aids to protect the front channel in other ways, which are in my opinion more complicated and require more hoops.

It's true. The thing that makes me reluctant to abandon some of that stuff is also the practical perspective: when you are buying web space, if you just have static stuff and then you do stuff in JavaScript, or you have a mobile app and the code runs on the user's device, then you have fewer invoices to deal with than when you have a back end.
So doing something that always requires a back end, I would feel, would not be very democratic. But if you have a back end, then I do agree that we should have made better use of it; we should have given better guidance to people so that they fully take advantage of what can be done on the back end.

But there's nothing about pushed authorization requests that requires a back end.

I agree, I agree.

You could do it from a JavaScript app or a mobile app.

Absolutely. What I meant is that I was still commenting on what you said earlier, as in we should use the front channel less, and it was more in general terms. In particular, for PAR, I think that the added expressive power, regardless of server side or front channel, is alone a huge, huge value that would give the thrust for PAR to be an important addition to the framework.

Yeah, it's definitely a good building block, and it's going to let us do some very, very cool things that really wouldn't be practical, or even possible, without it.

And now the fun begins for us as product people: to go to product places and say, hey, there is this new thing, do you have room in your roadmap to try to get it in? It's always hard, because of course we are always at capacity, but this is an important phase, and I'm confident that the value brought by PAR will prove to be a good motivator for this thing to be adopted in the industry. Do you know if anyone has already implemented something in that respect?

You know, I don't actually know much about the implementation status of this one. I know there's a recent recommendation from the IETF to put an implementation status section in the draft before it hits RFC status. You take it out of the actual RFC, but it looks like it's not in this one. I think it was a very recent recommendation. But it would be a...
Yeah, it happens very often. I remember when I was very worried about my own draft going through the process, and the various area directors or the chairs asked, before moving it to the IESG, for a roll call of who had implemented this thing, and I was very surprised by the number of people that had implemented the draft that I knew nothing about. But as far as I know that information was only gathered as due diligence by the chairs and the ADs on the list, and it never made it anywhere apart from maybe the shepherd write-up, this thing that one of the chairs does where they basically write a recommendation for your draft to be moved from the IETF working group to the IESG. I believe that in there there might be something, but in the draft itself, in the spec itself, I haven't seen it yet.

Yeah, I just remember there was something that went around of like, you should be putting an implementation status section as an appendix that gets removed before final publication, but that way people who are reading an early version of the draft get a sense of: is this something super experimental that two people have built, or is this pretty widely accepted as what people are going to be building, because this is just a formalization of it? How experimental is this document? But I haven't seen that many drafts that have actually done it yet. It's a good idea though.
I agree, it is a very good idea, and it's so hard. I'm sure that you've stumbled upon situations in which people just see a spec, and there is "ietf" in the path, and then they automatically think, oh wow, this is an IETF thing, and maybe it's just someone who had an idea and wrote it down and posted it. You have to know it means very little: this person decided to put it out for discussion, but until the last name of this person disappears from the path, there is no backing from the IETF; this is just a file in a repository.

Yeah, I feel like people don't understand that nearly as much as they should. So if you look at this, all of these are RFCs, but if you look at this section, which I call out on this web page separately, these are individual drafts, which is the name for it when it's not yet adopted. These have a person's name in the draft name, draft-<person's name>, whereas all the official ones are draft-ietf. They look the same, but this is just some ideas that Justin has about how to do this that have probably not actually been read by anybody yet, so it doesn't actually hold any weight yet. It looks exactly the same as this one... oops, the short URL broke because of the "2-1" in the URL; it's thinking it's draft version two. I have to go and add a version number after it. There we go. Anyway, that was a bad reveal. This one is an IETF draft; it's not an RFC, so it also has less status than an RFC, but at least it's an IETF draft, whereas this one is an individual draft. I feel like people see these floating around and give them far more weight than they actually deserve at that stage.

Yeah, and this is a classic, classic, classic curse of knowledge, because for the typology of people that populate the IETF, the difference is glaring,
because you go and look at the header and it says the status, so how can you not see it? And then you realize that a lot of the people that want to be somewhat informed about what's happening don't necessarily have the instinct to see it. It's like if you are a chess master, you look at the chess board and you see configurations, whereas the man on the street sees a bunch of little thingies on a black and white board. I believe that RFCs are ancient in the internet, like one geological era ago, and some things are changing and we are getting up to the times. For example, before you had to write RFCs only using this Harry Potter enchantment XML that turns into these RFCs, which honestly was one of the biggest steps I had to deal with when I started writing stuff. Now instead you can write in Markdown, which is a big improvement. One quintessential characteristic of RFCs is the ASCII art diagrams with little dashes and similar, and those are also relics of an era in which RFCs were written on 80-column green phosphor screens, but now you can use SVG. It's still full of bars and similar, but anyway, I think that we should eventually get to a place in which the status of stuff has better visual affordances, so when someone lands on it, it's very clear. I'm not saying just color, because some people cannot see color, but some accessible way of making it glaringly obvious where you are in the states: is this an RFC, is this a draft that has been adopted by the working group, or is this something someone wanted to write down for discussion but that is still completely individual?

Yeah. The W3C has a similar process. They have their own names for it, but it's similar: this is a completely random thing from one person; this is something that a community group makes, which also has essentially no official standing with the W3C; but it looks
the same as the Recommendation, which is the term for their final status, W3C Recommendation. The templates all look the same, so they get thrown around as if they do have status when they don't, because they all look the same and have the same sort of sequences. I'm trying to find an example of it, I can't find it now, but I tried to illustrate that in some of the specs that I was taking through the process, because of that exact problem of: what does it mean when it's a Recommendation? That doesn't sound final; that just sounds like a suggestion, right? So it's really not obvious unless you're really familiar with the process of these specs, but hopefully this stuff will get easier to navigate as we make these tools better and make the place that we publish them better.

I think it's a natural trajectory that this thing just needs to go through, because a lot of the people that drove that stuff come from the former generation, think OASIS, Kantara and some others, which were very private clubs. To some extent it still is: the important stuff is done by the members, which pay like 50 grand per year or something like that. In the past there was this bar which was pretty high, as in you sit at those tables only if you work for a big company which paid big fees, and so in general these conventions, connotations, things that we agree on and similar, were more viable, and they were also aligned with the kind of processes that were done in the past. Today we are in a completely different world in which anyone that wants to actually help with the IETF, with the W3C and similar, at least in terms of a technical contribution, can do it, which is an excellent thing, just to be completely clear. But the point is that now some of this shared context is diluted, because someone might just follow a link, sign up
for a mailing list and then start contributing. So I think that there should be a bit more work on the side of the framework to make things more obvious, rather than putting the onus, the burden, on the person to know, also because even if we say officially you don't have to pay anything, if it's hard to operate and do things in a way that will be accepted, we are still keeping the bar high despite the fact that you no longer have to give any dollars. So my hope is that we'll manage to bring some innovation there.

Yeah, totally. That reminded me of your tweet earlier today of the xkcd comic, today's comic, ironically. It's so obvious to us experts that the mere mortals must surely know this super technical jargon thing, but in reality, no, you're just so deep in the world that you forget what it's like on the outside.

Yeah, definitely, I sympathize with it. It's the famous curse of knowledge, and I think that in our space it is one of the worst scourges. I gave myself a personal mission across all the companies I work with to try to make identity more digestible for developers, and the thing that I've observed across the board is that identity asks for such an investment to become a domain expert, and it has so many facets, and the stakes are so high, that very often people end up exposing to the developer some lower-level aspects which the developer shouldn't have the need to understand. Somehow it's a double agent's work: on one side you are forsaking responsibility, because you are saying to the developer, here are all the possible knobs, there is all the rope that you want, and if you end up hanging yourself it's not my fault. On the other side, what if I provide you with a simplified interface, but the thing that you need I hid behind some... And so finding this middle ground in which you enable the developer to do what they want to
do, without burdening them with a lot of complexity, and still providing a graceful slope for the people that know more and want to customize more, is the mission of a lifetime. I don't think we've got it yet. We've been steadily improving; in the last 15 years we made huge improvements; we still have an incredible margin to go.

It is tough. It's a complicated space for many different reasons. There are a lot of different players involved that have different interests, and it's hard to make a product that fills everybody's needs. It's tough, but it's a challenge, it's fun.

Every time there is something that we do that simplifies things, I really feel good. Whenever I see someone that successfully uses... I remember when the first SDKs came out that implemented SAML, WS-Fed, OpenID Connect, all that stuff, in which people could just say, okay, I'm using this development stack, all I need to do is drop in this library, enter these couple of configuration settings, as in this is from where I get my metadata, this is my identity provider, that's it, and then behind the scenes the right thing happened and the developer didn't have to know anything about it. That was an amazing moment, and I think that we still have similar moments in front of us for more advanced things like SCIM, FastFed, all of these next-order-of-magnitude scenarios where we can really simplify things.

Yeah, definitely. I was just doing a workshop this morning for a customer, and I've recently finished this sort of helper demonstration tool to help talk about some of the concepts in OAuth, and they actually loved it, I got really good feedback. One of the things I talk about is explaining the concept of OAuth scopes, and OpenID Connect scopes, of what happens when you add this into the request, and I'm showing how it gets built
up over time. One of those things is that I end up needing to do a lot of OAuth flows where I'm going to just start an OAuth flow, get an access token or get an ID token, see what's inside, see what happens when you do X, Y and Z. I put together this page, which is actually a real website you can go to, example-app.com/client, because I realized I was writing this code over and over again at the workshop, and that wasn't the interesting part. The interesting part is what happens when you do different things with it. So this is a sort of generic OAuth client. You can put in any issuer URL, and as long as that supports the metadata document, this will go find it. You drop in a client ID, or a client secret if you want to pretend you're a confidential client, and then you can just start an OAuth flow with any of the scopes. I'm already logged in, so it's not going to ask me to log in, but it shows you the URL that it built, so now I can go and explain what these parameters mean. This is the stuff an SDK would be doing. The user's going to click continue, and then I get sent to... oh, I'm not logged in. I get sent to the OAuth server, and then I get sent back to the app, and it's done, it finishes the flow. Now I can go and talk about, oh, what are the claims inside this? Oh, why don't we have the user's email? That's because I didn't include the email scope here, right? So it's a useful tool, and people loved it today. They were like, can I just use this after the workshop? I was like, oh yeah, this is just a link, it's online, feel free to use it, you're welcome to it. It's just a generic OAuth client testing tool, and I will say it's a lot easier than Postman. I had some people try to use Postman for this during the exercise today, and Postman is great, there are good uses for it, but every time I've tried to help people use it for an OAuth flow, or teach people
something by using Postman as the tool, I am spending more time explaining how Postman works than the thing I'm actually trying to teach, because you have to explain what environments are, how to set environment variables, why you can overwrite some of them. It's just so complicated, and it's so not necessary for it to be that complicated.

Yeah, it's like they have their own reasons, because it's a debugging tool, but for this particular scenario... Also, the hard thing is that when you are teaching stuff to people, it's very hard to keep the chrome separate from the content. If they're already trying to learn something new, which is OAuth and all these various concepts, and you mix into it things like the idiosyncrasies of a tool that you're using, then whatever content they retain in their head might end up being, either the signal-to-noise ratio isn't as crisp, or they might mistake as things that apply to everyone things that happen to be only peculiarities of Postman. So yeah, that's a great tool, that looks great.

Yeah, it's fun. So we've got pushed authorization requests. That's the only movement in the spec world recently, I guess. It is the month where Europe takes a vacation, and maybe we should learn something from that in the US, but nobody's doing anything over there right now, just enjoying the summer, so not a lot of other updates.

Yeah, I have to say that as a European that has been spending 15 years in the States, I actually prefer the way it works here, because there, when August shows up... I can't speak for the entirety of Europe, but in Italy everything grinds to a halt. In fact, I've learned not to go back to Italy on vacation in August, because typically when you go, you go to the shops where you find things that you cannot find here, and there everything is absolutely
closed. All of the factories are closed at the same time, so all the workers of the factories are on the road or on the beach, so if you want to do anything that is business related, unless the business is going to a gelateria or to a restaurant, then you just need to resign yourself that no, it cannot be done. On one side it's also nice, because here, whenever you go on vacation, unless it's Christmas or Thanksgiving, you know that Slack might have something for you, and so if you are a bit anxious, or if you are dependent on the endorphin spike when you see an update, then it might be hard to completely relax. So it's good if you know that everyone else is out, so you don't have to worry about it.

No pressure of being the only one who's not working right now, because you know that everybody is off.

Yeah, exactly.

Yeah, absolutely, I have that problem for sure. It's why I don't take long breaks during the year, because I have that problem. I don't want to be not responding to emails for three, because it means I'm going to have a huge backlog when I come back, because everybody else is busy working. I'm not saying I'm making a smart decision here, but this is just how I feel.

Now I completely sympathize, and the other thing is it's not just the backlog, it's that sometimes things happen in that time frame and then that's it, the decision is made and you have to live with it. In fact, one famous, well, one anecdote which I relay in one of my books is that once, while I was still at Microsoft, there was a team that was deciding the name of a middleware used for validating JWT tokens in API calls, and I was vacationing in Fiji on a very small, gorgeous, absolutely amazing island. It was very close to where they shot Cast Away; it was that far from civilization, and they had the internet 15 to 20 minutes a day, when the satellite was just there at the
right angle, and so my calls were... I had to do everything in those 15 to 20 minutes. Long story short, they picked the name for that class, and I don't know if it's still true, but back in the day it was the longest name in the entire .NET Framework. It was really, really long, and if I had been part of the discussion it would not have been that long. I know that there is IntelliSense and similar, but, and I will fish it out just to put it in the notes, it would not have been this long. Anyway, I think that class is now that long because I was vacationing in a place without the internet, so it's not a backlog, it's that I just missed the magic moment for that decision.

That is really funny.

Yeah. Well, so what else is going on in this world? Not to feature Okta's product launches, but I am very excited about this personally: Okta shipped the device grant in early access right now, and this is something that is near and dear to my heart, because I talk about it all the time in my workshops and have not been able to actually let customers use it, because it hasn't existed. I've always been like, you can sort of fake it by setting up a little thing over here if you want to that does the device flow bits, but now it's built into the product, and it is going officially live later, but it's in early access, and if you have an account you can go in there and push the button to turn it on and give it a shot. I'm very excited about that.

Very nice.

We should show the device grant. Oh yeah, I do have a little... so this is the OAuth Playground, which is also a fun little tool I wrote a while ago, oauth.com/playground, but this is a simulation of the different flows, so you can see the requests and responses for each of the flows, and one of them is the device code, so it shows you how it works. It walks you through it step by step.
It shows what's the first step that the device does: it goes and talks to the device endpoint, sends its client ID, starts the flow, and then it gets this response. This tool is all faked, it's all random strings and all that, so it's kind of cool. It gets the long secret one that it holds on to, it gets the one that it shows the user, and it gets a URL to show the user. Oh hey, I can update this sentence now, this is great; I had to put a disclaimer that Okta doesn't actually support it, so I can update that now. But the idea is the device is supposed to show that short URL and the code to the user somehow. You see this on an Apple TV all the time too, where you log into some cable app and it's going to have you go and actually finish the login on your phone, where you can type things in faster. So you'll go to that URL, enter the code, and then as far as the device is concerned it's just sitting there polling the regular token endpoint, saying hey, I've got this long secret device code here, has the user finished logging in yet? Eventually they will finish logging in, and when you poll again you get back an access token and the flow is done. It's kind of a fun demo of the device flow.

Very nice. And now, I would say people would tell me that I should have done it if I don't do it now: I have to send you the link to the device playground that we also have here. I just sent you the link in Slack, if you just want to splash it up.

Great.

Basically it's the same idea; it's part of our documentation.

Oh, but it's going to go do a real flow, right? It's going to actually use...

I believe it's actually doing it, yes.

So if I use my tenant, which I think is that, although the client ID is wrong, is it going to... yeah, it's going to complain.

But I think that the very easy way of signing in with your user, it
actually has to be done all as part of it, and also I think that in our quick starts, if you are signing in with your user, the code in the quick start will be adapted, and you can say I want to use this particular client, and then it just changes everything to reflect it. So it gives you a good... And one thing to mention, that probably I shouldn't because it's a secret, but we had a lot of fun recording our session for the Developer Day, coming later this month, and we do spend some time talking about the device flow. We have a bit of context, a bit of history, we have a little diagram which shows how this thing goes, so if you want to dig a bit deeper about the mechanics of how it works... we don't have a lot of time, so we don't go much into the details, but we do touch them. So I'd say more reasons to join the Developer Day, which in itself will have lots of interesting sessions.

Yeah, let's talk about that real quick. This is Okta and Auth0's Developer Day, August 24th, a virtual event. This is going to be a lot of fun. There are a lot of good talks, a lot of good speakers here. Some of the speakers are from Okta and Auth0, some of them are guest speakers, and we have breakout sessions from a lot of very cool people. This is the agenda with all the talks; here is our session, so that was a lot of fun to record. These are all pre-recorded talks, but they're broadcast live during these times, and there'll be a chat during the session and all that too, so we hang out there during the chat to answer questions about the session. It's going to be a lot of fun. Closing keynote: Cassidy Williams. I'm sure that will be great. And the second day, the next day, is a full day of labs, which is five different sessions. I still have to fill these out with the descriptions, but we've got an Auth0 session, we've got Terraform, we've got JFrog doing GitOps, and Kong doing an API security
workshop. These are basically 90-minute sessions that are instructor-led, and they are meant to be hands-on activities, so you show up expecting to do stuff; come ready to build an app and follow along with the tutorials. There will be sets of instructions for all of those provided during the sessions, and again there will be people in the chat to help answer questions as well. Both of these are free, so no cost to attend. Come and hang out and enjoy the session.

Nice, yeah, that's very exciting. I'm really looking forward to actually doing it, and I think that for the labs you guys did an excellent job. It's one of the best ways of learning, because when you just hear content, even if you understand it, it's kind of like understanding a language versus speaking it: when you read it you say, oh yeah, I now know it, and then when you try to speak, you discover, not as much. So trying to do it while you have available someone in chat to whom you can ask your question the moment it emerges is one of the most efficient ways of learning, because a hole opens up in your understanding and you plug it immediately with the correct knowledge. It's the absolute...

Yeah, it's great doing those two together, because the first day is all the presentations, so you get excited about the stuff, learn some new stuff in small chunks, and then you get to apply it the next day, so you can actually go and get your hands on some actual coding, or configuring, or whatever you want to call it. They're not all even coding exercises, which I think is also cool. It's not all about slinging code; it's about ops and different configuration files and stuff. So yeah, it'll be a lot of fun.

Yeah, and it's soon.

It's like two weeks, yeah, less than two weeks, because today's... less than two weeks. So yeah, it's on Tuesday and Wednesday.

Tuesday and Wednesday, two weeks from now. Yeah, there it is. So yeah, coming
up fast. I've still got some stuff to prepare. Even though our talk is done and recorded, there's still more to do, and I'm setting stuff up for the developer labs to make sure those all go smoothly. Some of those are going to be pre-recorded, some of them are going to be live, so maybe you'll know which is which, or maybe not, because I'm not planning on telling people ahead of time.

Yeah, I have to say that during COVID the pre-recorded format happened a lot of times. I've done it for many, many conferences, big and small: end up having to pre-record and then be available during the broadcasting in the Q&A. It's always a bit surreal to hear yourself speak and be able to comment, just like part of the audience, on what's going on. It's interesting. It has its advantages, but at the same time it can also be very frustrating, because you are never fully happy with how you do stuff; you can always improve, and this stuff is slapped in your face: you should have said X. And sometimes things change. Many of the sessions I did were about the browser changes, and those things change from week to week, and very often the organization of the conference would ask you to record months in advance, and you tell them, hey, people will see the light of the star, but the star already detonated. Two months is too much for this topic, which of course I always use as an excuse to be late, because as a good southern European I like to be late.

Yep. Well, cool. Definitely join us for Developer Day. I know a lot of people are putting a lot of work into it, so hopefully it's a lot of fun. I'm looking forward to it, looking forward to being in the chat hanging out with everybody, doing the labs. I'm doing the OAuth workshop, the OAuth lab, so I'll have some activities there
to try stuff out, get some experience configuring an OAuth server. We'll talk about what different access token lifetimes mean for different things and how to do all that. Some of the content is going to be similar to the things I do in the private workshops that I do, so you'll get a nice little sneak peek into what I do that is not normally broadcast publicly.

Now you are making me really curious about what tidbits you are holding back.

Oh yeah, it's not that I don't normally say it. It's just that most of the stuff that I have out there that's public is in a conference talk format, which is just a very different way of talking than if I've got three hours in front of a group of people. It's just a different way of talking to people.

Absolutely.

Yeah, well, we're rounding out, getting close to the top of the hour. I guess we could wrap up here. I feel like it's a good way to close out. Let me just put the Developer Day slide up again. You want to make sure people know about that. Again, it is free. Just register for the sessions on the first day; you can just show up for the labs, you don't need to register for those. We're going to broadcast those on YouTube, or not YouTube, sorry, we're broadcasting them on the website, which is linked from this page, and if you just show up here on this website, that is where they will be on the day of, and you don't need to register ahead of time. You can just show up and join, and it will be a lot of fun. So, any more happy hours between now and...

Correct, we are not doing one next week, and then we'll be doing the Developer Day, so this is the last one before Developer Day.

Yeah, and September is going to be complicated, because there is Labor Day, and then there is the European Identity Conference, which happens right after, which is followed by
Identity Week. So in terms of identity events, we'll have to play a jigsaw puzzle to find the time to do the happy hour, but I'm sure that we'll... maybe we'll be in different time zones, but I'm sure that we'll manage, and in any case there'll be some fun stuff to talk about after those events.

Absolutely. Yeah, all right. Well, thank you everybody for watching, and thank you Vittorio for joining, and if you want to know when the next happy hour is coming up, make sure you subscribe here on YouTube or Twitch, and go check out the OktaDev events page if you want to see the schedule or add it to your calendar. And with that, have a great rest of the day, and we will see you next time. Ciao.