photog.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for your photos and banter. Photog first is our motto. Please refer to the site rules before posting.


#oauth


#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

  • RFC 8414 (OAuth metadata discovery)
  • RFC 7636 (#PKCE support)
  • Improved authorization flows following RFC 9700 best practices

New features

  • Extended character limit (4K → 10K)
  • Code syntax highlighting
  • Customizable profile themes
  • EXIF metadata stripping for privacy

Important notes for update

  • Node.js 24+ required
  • Updated environment variables for asset storage
  • Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

I don't swear easily, but how can I put this: sending infra emails from a data center to addresses managed by #Microsoft 365 is crazy. MS dislikes #SMTP AUTH, ok, and so begins the #OAuth journey to get the #postfix mail relay to embrace OAuth.

The best idea so far is to write a script that acts as a proxy between postfix and MS, sending emails via the MS #GraphAPI. Undoubtedly much more secure and, just as undoubtedly, absolutely no vendor lock-in for something as simple as SMTP ... WTF!!

In two weeks I'll be speaking at the MCP Dev Summit in San Francisco! It's going to be a great day packed with back to back sessions.

In less than a year, the MCP project has quickly reshaped how developers are building AI agents. My talk, "Intro to OAuth for MCP Servers", will cover the basics of the new MCP authorization protocol and set the stage for building secure MCP servers.

https://mcpdevsummit.ai/#agenda
#mcp #oauth #okta

⚠️ Phishers have found a clever way to spoof Google — and their emails pass all security checks.

A new DKIM replay phishing attack abuses Google’s own OAuth infrastructure to send fake messages that look 100% legitimate, including passing DKIM authentication.

What happened:
- A phishing email was sent from “no-reply@google.com”
- It appeared in the user’s inbox alongside real Google security alerts
- The message linked to a fake support portal hosted on sites[dot]google[dot]com — a Google-owned domain
- The attacker used Google OAuth to trigger a real security alert to their inbox, then forwarded it to victims

Why this matters:
- DKIM only verifies the headers, not the envelope — allowing this spoof to work
- The phishing site was nearly indistinguishable from Google’s actual login portal
- Because the message was signed by Google and hosted on a Google domain, it bypassed most users’ suspicions
- Similar tricks have been used with PayPal and other platforms, raising broader concerns

Google has since acknowledged the issue and is working on a fix. But this attack is a reminder:

Even the most secure-looking emails can be fraudulent.
Even Google-signed emails can be weaponized.

🛡️ At @Efani, we advocate for layered defense — because no one layer is ever enough.

I'm presenting at the Wellington Python New Zealand meetup on Thursday evening, so if you're in town come along and cheer.

The subject is integrating #OAuth into a #Django project: what OAuth is and how it works; a good approach to integrating it into a Django project; and what benefits it brings.

Although the talk will be Django-centric, I hope those attending will be able to contribute their experience of using OAuth in #Flask, #FastAPI etc.

Sign up is here: meetup.com/pythonnz-wellington

#Fedi, looking for people with experience in #accessible software.

I have a friend with serious vision issues. Not blind, but can't easily read text that isn't 6+ inches high, and his vision is degrading. He is looking for a way to deal with email -- he's a writer -- because he says Gmail is now a nightmare to use even with a screen reader.

Preferred solution would be a mail program / #MUA that runs on Windows and supports #OAUTH authentication, so he can continue to use his Gmail address.

What's the MUA with the best #accessibility on Windows? Thunderbird brags about its support for screen readers and assistive technologies, so I had him try it, and he says it's almost as bad as Gmail - flashing colours, animating controls. I haven't personally touched Thunderbird in many years, so it was a surprise to me.

I use a text/console mail flow that relies on a local MTA, so nothing I use is of any use in this.

Thanks, appreciate any pointers.