
OpenID Connect and ID Tokens

OAuth2 is fundamentally an authorization protocol. It is not meant to be used for authentication. In general, OAuth2-based authorization services provide an endpoint that can be used to retrieve user profiles and identifiers. In some cases, they use...


Signed JSON Web Tokens

Let’s continue using the analogies from my last post and explore JSON Web Tokens (JWT).

You hand over both your boarding pass and an identity document. The agent scans the boarding pass and examines the identity document to check its authenticity...


Identity and Flying

Airport Security. Public Domain, https://www.flickr.com/photos/sixmilliondollardan/3382932556/in/photolist-69WpZo-6ovssq-4Pud5x-3yTksP-BMEB-6jdHz1-4vGox9-e8WbBd-Eq1JM-4u6cXw-f49kST-9yMyqh-2mPphB-7tQfFt-7zd55c-a6UnD2-4MZHTA-8G8fAm-8iDGiZ-b2hbhp-b636x-661hXd-459nE-acE949-kQFt6-53B2Fg-EMBoQ-b5awD-8SNYPd-8U8gQ7-6EsPiP-5YKWV9-nXRXdD-5NpqpQ-6jq1w-4FZCDR-b5axC-8UYf8L-AHptGi-5MF1mL-vBhvH-e3zcE-eNmLN9-58Vjve-96E2cA-6unyV7-7qNu4W-5588mk-bXavMg-ggg1g

Authentication and authorization are two concepts that are often mingled together. In a lot of Rails apps, there is little thought given to it beyond adding devise to an app and running the generator to build the User model. In Spring-based apps, including...


PhantomJS, Capybaras, and Poodles

Poodle source: https://secure.flickr.com/photos/imagesbywestfall/3452788638/in/photolist-6g7rLA-5Ly2TJ-dhgp22-7Eq65g-4L9Gkr-4L9Gkv-5MgFuL-86RKEk-a2Vhpv-54pS7t-uKNEz-2yMbx-7KkzPK-7BizcU-6fJFni-38DoTP-8smzb-rQXyi-fcDEVr-7b85h1-7Y7hwQ-dKEkPA-7AtcjM-keJ7tm-7NDCUj-dGSKFe-7kYDHP-8cXRa5-bKAgZ-5McrAk-6eCU2x-ijPiDn-9ycYtL-2rSBGq-7DRCHb-7Aniiq-7BiAts-dTdnGK-9wm9XC-dKEkb7-7tzuvX-7pSYi1-7uyoDN-dKyToP-7yA4oj-6x661Y-7nXHTq-7B9BnA-7zfV92-kSpeT/

The client that I am working with runs a web store and needed some changes made to the Spree/PayPal Express Checkout gateway to support receiving addresses from PayPal. This involves a fair amount of coordination between PayPal and Spree. It’s also...


Implicit vs Explicit Testing

A developer pulls a copy of the staging database and runs a migration to make sure that it will work against the existing data and structure.

A developer writes specs around a new feature that he is building.

Both acts imply testing. One is explicit...


PGP Public Key

It’s not a surprise that governments in general want to monitor what happens on the Internet. I always took the stance that anything that goes over an unprotected and unencrypted channel was basically public. Private things need to be encrypted. This is...

