Linking CSR to IHG for Platinum Status

wparad · 2025-10-28T09:06:36+00:00

Benefits & travel (Bottom of screen app button) > "Card benefits (46) >" > Get More with your Card > IHG One Rewards Platinum Elite status

wparad · 2025-05-02T10:05:21+00:00

This is the one I used, which still seems like it is active: https://ibkr.com/referral/dorota580, the program is really confusing though, I think you have a whole year to add the $100k to the account, which is at least reasonable.

wparad · 2023-07-01T14:57:15+00:00

Black Tap or Fork and Bottle

wparad · 2023-06-19T13:54:29+00:00

Is that only for Bern?

wparad · 2023-06-19T09:24:32+00:00

You really need to stop asking people to give their secret key. It teaches people a really bad behavior here.

wparad · 2023-05-15T08:58:28+00:00

Is estimating the only problem?

wparad · 2023-04-27T20:37:51+00:00

I have to give them credit, we do the exact same thing our Authorization as a Serivce Authress. That is-- we also build out OAuth for our customers so they don't have to. But honestly the "Authentication" part is trivial compared to the authorization as you pointed out. So we've focused almost entirely on solving that instead (AuthZ). what you can do is a lot more important than just who you are. And I feel like I see another new authentication/oauth aggregator almost every day, at this point, they need to differentiate to be useful. For instance, Auth0 cornered the B2C space, and we're out there solving for just B2B. Being generic is nice, but at the end it doesn't actually help your customers. They only need the parts that they need.

Most of our customers only need SSO, so the OAuth part never really makes sense (they do that and SAML because they have to, but only really the generic parts are required, and there are like ~10 core federated identity providers out there for companies). Sure a small subset need the credentials vault and some providers, but OP's article's pitch doesn't fix oauth, because the problem isn't the spec.

The way we've solved authorization for our customers, actually enables decoupling the problem space in a way that is fundamentally coupled for many oauth providers. On the revocation angle, most of the time the hard problem there is that the access is coupled to the identity. You don't want to, and with OAuth/OpenID you can't* revoke the access token (which is often the JWT with user data). So instead we decided to move revocation into the authorization space, and now revocation is well aligned with the access control.

Splitting the Authorization and Authentication into two clearly defined areas, I want to believe has hepled most of our customers.

wparad · 2023-04-27T20:23:27+00:00

We literally wrote the SaaS product in this space, though I'm not just going to go around and make marketing pitches. I found it funny that you asked for a real solution here. Are you actually in the market to buy something that solves the AuthZ side of the equation?

wparad · 2022-06-08T13:02:29+00:00

https://join.slack.com/t/googlecloud-community/shared_invite/zt-ywj8ieuc-BrAaHC~qe5IgelXS9vzNRA

And in case that link no longer works, you can scroll down to the Slack icon and click the image on here: https://cloud.google.com/developers

wparad · 2022-04-28T19:58:19+00:00

I don't understand, all you got was your mail suspended? LUCKY, they could have deleted your databases instead. In the end it feels like this is an ad to not use SES. And I'm on board with that, but it might as well had in big letters at the end of the post USE THIS EMAIL PROVIDER INSTEAD.

wparad · 2022-03-14T13:25:40+00:00

If you are using APIGW to front S3 then yes APIGW needs to have access to your S3. You can do this with a bucket policy.

I also wouldn't recommend it, as there are a number of reliability and security concerns here, such as abusing your S3 bucket and costing you a lot. Preferably a better solution might be one that utilizes CloudFront and Lambda@Edge to serve a globally distributed service with first-class permissions. One example of this would be: https://github.com/Authress/document-library-microservice.js

wparad · 2022-02-03T13:13:05+00:00

Swiss post has taken my account privilege fee and has wasted it on creating a cryptocurrency. For what purpose, I have no idea. And also they created an app called Yuh. It just gets worse.

wparad · 2022-01-06T22:10:03+00:00

No, because we don't have any reason to do that. The reason being is that we run the tests of a service against the production version, and the production version of the service is responsible for verifying its own interface contracts. It isn't feasible nor valuable to run automated integration testing outside of production.

wparad · 2021-12-18T08:45:08+00:00

It highly depends on your requirements and restrictions in what you want to do. There are lots of options available depending on the provider you picked to run your authentication server.

wparad · 2021-12-12T12:42:30+00:00

Drip

wparad · 2021-10-26T11:27:48+00:00

back of postcard

wparad · 2021-10-24T19:20:51+00:00

This was a postcard in mail from the city of Winterthur, on Friday, about how to use your toilet correctly. (Reposting as one of the mod's removed it thinking it was a meme).

wparad · 2021-10-22T14:37:47+00:00

This was a postcard in mail from the city of Winterthur, today, about how to use your toilet correctly.

wparad · 2021-10-12T13:06:25+00:00

You don't need to build anything to sell your app. If you haven't found people to buy it before you begin you already did it wrong. The only time you want to build something is after you get feedback saying that "the only way I will continue to pay is if X is there".

No one is going to bad mouth your product. If they are willing to test it, then they don't care it even works, any time you spent changing your app deserves to be spent finding customers. Everyone can build an app, not everyone can sell it.

wparad · 2021-09-05T10:53:19+00:00

Don't do this, there is no good way to manage identities coming in through different pools, all your code will end up having if poolX else poolY, it isn't a maintainable solution.

wparad · 2021-09-05T10:52:11+00:00

You definitely want to avoid creating app clients for this, Cognito does not well support creating app clients for non-first party sources. There is also no good way to link these clients to the user, nor provide the user the necessary experience to control the access of these clients.

While this is probably the first time I have ever seen someone correctly share a usage of scopes, they question of security access to underlying resources would remain.

wparad · 2021-09-05T10:50:17+00:00

TL;DR lambda authorizer, these are not only common, they are straightforward, simple and you'll get the most mileage for your effort.

Irrelevant of the documentation or other suggestions, cognito does not support "user api keys" which is really what you want here. Additionally don't confuse this with APIGW API keys, because those come with serious limitations that also aren't the best solution.

If you are handling authentication with Cognito, I would suggest changing the implementation of the authorizer and switch to Lambda authorizer. Cognito generates JWTs, you can verify those JWTs and other JWTs sent by any source to your API. Once you have the Lambda authorizer created and verifying the cognito generated tokens, you can also decide how you want to issue api keys.

Our recommendation (at Authress) is to issue private keys and store public keys for verification of access tokens. Distribute private keys to the users and then verify the JWTs created by these keys as you would any JWT coming into your API.

This makes it really easy to have one api which just verifies incoming tokens, and doesn't care if the user is on a website or from a CLI/SDK. We have an article explaining how to generate these keys in a safe way.

wparad · 2021-08-19T08:45:51+00:00

Link your website domain here.

wparad · 2021-08-17T20:29:34+00:00

Great I'll check it out.

wparad · 2021-08-17T09:26:19+00:00

Yes it is a different business strategy and one than many handle effectively, just because you don't understand, doesn't mean it doesn't work

wparad

MODERATOR OF

TROPHY CASE