In oauth2: when I (1) associate a random uuidv4 for each new flow with my user (server side), (2) stick that uuid into the state parameter, and then (3) look up my user with this on callback-endpoint execution. Isn't PKCE in that case redundant?
Oauth's PKCE verifies the continuity of the flow as it is essentially a saga (multi-step process). For example you can initiate an oauth access grant request multiple times with the same data, but PKCE ensures that each of those initiations can be individually identified. Do not confuse PKCE with the state field, which is for XSS and has no obfuscation.
Just to be clear, the PKCE secret can be the same for each initiation, but in the end its goal is to ensure that the first request matches with the last one. And yes, there is "plain" PKCE method but that is just for testing. SHA256 is the default one used to obfuscate the secret.
I think one point of PKCE is that the oauth token is never sent to the client (it is exchanged on the backchannel), so it theoretically is more protected.
Of course if you trust the client (no bad browser extensions, updated browser) and have good TLS settings and no MITM risk and make sure your IDs are single-use then it seems like that should be fine.
PKCE protects the auth token from interception by making it so that only your code that started the flow can redeem it by proving they have the secret code_verifier on the redeem_token() call.
The code_challenge == sha256(code_verifier). You will share the code_challenge at the start of the flow.
I also think these are very similar. The main difference in my view is that the state parameter is checked by the client, while PKCE is checked by the server.
I run an authentication server and requiring PKCE allows me to make sure that XSS protection is handled for all clients.
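To make the distinction in the comments above concrete, here is an added example (not code from the thread) that runs both halves of the flow in one process: a hypothetical in-memory `Client` that ties a uuid4 `state` to a user and a `code_verifier`, and a hypothetical `AuthServer` that stores the S256 `code_challenge` with the authorization code and checks the verifier at token redemption. The `state` check happens on the client, the PKCE check on the server, and a party that learns the authorization code but not the verifier cannot redeem it. The class and method names are assumptions for illustration; the S256 construction follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
import uuid
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unpadded chars, inside RFC 7636's 43..128 range.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class Client:
    """Relying party (hypothetical). Keeps per-flow state server side."""

    def __init__(self) -> None:
        self.pending: Dict[str, Dict[str, str]] = {}  # state -> user + verifier

    def start_flow(self, user_id: str) -> Dict[str, str]:
        state = str(uuid.uuid4())  # single-use, unguessable flow id
        verifier = make_code_verifier()
        self.pending[state] = {"user_id": user_id, "verifier": verifier}
        return {
            "state": state,
            "code_challenge": make_code_challenge(verifier),
            "code_challenge_method": "S256",
        }

    def handle_callback(self, state: str, code: str, server: "AuthServer") -> Optional[str]:
        # The state lookup is the CLIENT's check: unknown or replayed state -> reject.
        entry = self.pending.pop(state, None)
        if entry is None:
            return None
        # PKCE is the SERVER's check: it must see the verifier that matches the challenge.
        token = server.token(code, entry["verifier"])
        return None if token is None else entry["user_id"]


class AuthServer:
    """Authorization server (hypothetical). Binds the code to the challenge."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}  # authorization code -> stored challenge

    def authorize(self, code_challenge: str, method: str) -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted here")
        code = secrets.token_urlsafe(24)
        self.codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> Optional[str]:
        challenge = self.codes.pop(code, None)  # codes are single-use
        if challenge is None:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # presenting the code alone is not enough
        return "access-token-" + secrets.token_hex(8)


def run_demo() -> Dict[str, Optional[str]]:
    """Exercise the legitimate flow plus two failure modes; returns the outcomes."""
    client, server = Client(), AuthServer()

    req = client.start_flow("alice")
    code = server.authorize(req["code_challenge"], req["code_challenge_method"])
    legit = client.handle_callback(req["state"], code, server)  # -> "alice"

    # Same state presented again: the client has already consumed it.
    replayed = client.handle_callback(req["state"], code, server)  # -> None

    # A second flow whose code reaches the token endpoint without the real verifier.
    req2 = client.start_flow("bob")
    code2 = server.authorize(req2["code_challenge"], req2["code_challenge_method"])
    wrong_verifier = server.token(code2, make_code_verifier())  # -> None

    return {"legit": legit, "replayed_state": replayed, "wrong_verifier": wrong_verifier}


if __name__ == "__main__":
    print(run_demo())
```

The two checks guard different things: the `state` lookup lets the client tie the callback to a flow it started, while the challenge/verifier pair lets the authorization server refuse a code that arrives without the secret held by whoever began that flow.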
For this sort of use-case v4 might be better. It has more randomness and you will probably delete the old ids as soon as they are used anyway, so the indexed space will probably be small.
Yeah, I'd say that sounds fine. Since these are supposed to be used within a short time it'd also be easy to clean up unused ones more than 5 minutes old or so.
Unlike the article, your comment does not provide evidence beyond a "sniff test". The article brings up paintings of statues, which is an interesting data point.
Do you have children? Would you point a loaded gun at them that's only, say, 0.5% likely to go off and shoot them? 1 in 100k cancers also disappear spontaneously, should I wait and see for my kid and not treat them?
When it comes to your own children the only number that matters is 1. The 1 time it happens their lives, your life, is over.
My kid walks home from his friends' houses in the woods at night alone all the time. He has never once been eaten or kidnapped.
Statistically your children are more likely to be victimized by you than a stranger. So by your logic, you should probably keep them away from you. Right?
Nominally I agree with you, but your example is classic survivorship bias.
The chances of getting kidnapped are and always were far, far, far less than automobile related injuries and deaths, yet we just see that as a normal risk of modern life.
I have been wondering if the fact that the current generation of 20-somethings isn't going out as much is because of this "over parenting" that they received. I'm sure it's also TikTok, living costs, and avoiding other vice related behaviour (drinking, sex) at such high rates, but it does make me think...
That's a useless statistic in this context. Statistically you're more likely to be killed by yourself than someone else. So, do you kill yourself to get it over with? Do you let a shooter shoot you because statistically it's better that the gun is on their hands than yours? Ridiculous, right?
The risk they die from drug overdose or something because they are maladjusted from being hovered over may be orders of magnitude greater. We live in a far safer time than people think with regard to violent crime (see graph below) and a far more dangerous time with regard to mental health and depression. Also obesity. Most people die from heart disease, diabetes, and cancer. All made more prevalent by shuttling your kid around constantly instead of them using their own two legs like nature intended.
It is precisely this anxiety that is the issue being discussed. Parents are terrified of what might happen to their kids, so too little happens to their kids (both good and bad).
I wrote a long winded thing about my personal experience but deleted it because it was too personal and too depressing to think about.
The summary is that the risk of a CPS investigation of a kid playing or walking independently is probably 10-100x that of suffering a car accident. And the average car accident is way less traumatic than being ripped away from your family, tossed in a foster home, and feeling like your parents have abandoned you forever because they could not protect you from the state.
What's the solution though? Stop letting kids play outside? I think the solution should be to reform CPS so it's not so traumatizing, and have more governmental awareness campaigns of the benefits of kids playing outside. I see government billboards all the time about anti-smoking, eating healthy, prediabetes screening. There can similarly be billboards promoting kids playing outside.
2) At the bare minimum, victims of CPS reports should be able to face their accuser. Currently laws anonymize reporters; this is not compatible with an open and balanced justice system. Also, there need to be heavy penalties and liabilities for abusing CPS reporting -- asymmetrical risks would end up with just getting the same result over and over again.
3) Cultural change. People that curtail child independence of others' children should be shamed, publicly. People that let their kids have independence, left the hell alone.
There would not be any issue with anonymous reports if CPS would look for actual evidence before doing anything else, and reject any anonymous report as baseless if no evidence is found. Innocent until proven guilty must hold here too.
Your analogy is missing something. Not letting a child explore the world has an opportunity cost. They miss out on opportunities to develop independence and psychological resilience. The book "The Anxious Generation" covers this in detail.
I work at a college, and can tell you that (while everyone views their childhoods with rose colored glasses), at my institution, statistically kids today are less able to cope with difficulty than they were when I started my career.
When I started, the top three reasons for students leaving the institution were a) family priorities (work), b) transportation, and c) grades (overall GPA less than 1.5).
For the 2024-25 academic year, the reasons were a) anxiety, b) grades (overall GPA between 2.5 and 3, with less than 2 'd' or 'f' grades for the final semester), and c) unstated reason related to interactions with faculty or staff (difficult conversations about study habits, or realistic major/timeline conversations).
In other words, they hit one small barrier, or have to shift gears even slightly, and everything goes to pieces.
We don't let them make decisions when they're kids and the stakes are low, and then don't understand why they can't make decisions when they're adults... Or, there are a minority of parents that seem to enjoy making every decision for their kids. It's not great.
The chances of your kid being abducted by a stranger because you let them walk home from school are so many orders of magnitude lower than 0.5% that the analogy doesn't make any sense. You're probably more likely to kill them by handing them a plate of food or some other benign everyday factor that isn't nearly as dramatic as anything the national news covers.
> 1 in 100k cancers also disappear spontaneously, should I wait and see for my kid and not treat them?
As a parent, a cancer survivor, and the child of a high-anxiety parent: yes, yes, you should wait and see. Every doctor's visit is a chance to catch something worse.
That said, if you're a chill parent reading this, you should probably be more proactive about it. There is a middle ground; overreacting is usually worse than underreacting, but it is important that you react.
Insider trading isn’t because he has non-public information. It’s based on trust/fiduciary responsibilities. It would be a hard sell to claim he betrayed anyone’s trust by trading on the performance he saw as a customer.
That’s not insider trading. It’s using nonpublic information, legally.
The example that my business school professor gave was that if you’re riding in an elevator with two executives and they talk about how they’re going to miss numbers and trade it’s not insider. If one of them tells you specifically, it is.
> The example that my business school professor gave was that if you’re riding in an elevator with two executives and they talk about how they’re going to miss numbers and trade it’s not insider. If one of them tells you specifically, it is.
That's why I always shout my inside information within earshot of my financial adviser but never actually place any trades myself.
Homepage -> blog -> docs -> "all docs" button:
https://exe.dev/docs/list
Which has an about and pricing etc.
That is very counterintuitive to just find out what this is.