			Comments
- Security is hard. Fought too long trying to get Windows/Azure to play nice with Linux containers; ended up writing our own framework.

  That's right, storing credentials in a SQL Server.

  What could go wrong?
- JsonBoa: Security consultants will always offer overly complex solutions, so companies will always need them.
  Company leadership will also want complex solutions, so when shit hits the fan they can tell insurers and auditors and regulators they had the best security, and it would be impossible to prevent an attack so sophisticated.
  Auditors are consultants.
  Insurers want complex solutions because then they can tell their investors that they require the insured to have high security standards.
  Regulators want complex solutions so when reporters and constituents come complaining, they get confused just by trying to understand the clusterfuck.

  Thus, everybody loves complex security theatre solutions.
  Except for devs, and users.

  Hackers, though? They will sing and praise complex auth methods all day long. Nothing breeds more exploitable misconfigurations than overly complex handshakes.
- useVim: Check this out. Simplest yet. The author is awesome too. Cool Twitter.

  https://pilcrowonpaper.com/blog/...
- OAuth is an awful solution, but it's the least complex SSO / third party auth system that is actually safe, so if you want to offer SSO it's your best bet. That's why so many auth providers use it even though it doesn't make them interoperable or hot-swappable.
- theDEX: If someone tells you a solution is insecure, understand why it's allegedly insecure, and whether the problem actually applies to your use case.

  Far too often people just take 'insecure' as a blocker, without understanding that the reasons don't even apply to their solution.
- @devapsarl no way

  I refuse to sign into those things

  You know if someone wants to doxx you there's websites that link all your identities through these things

  Make a new email, never give a phone number
  and fuck tracking companies
I'm convinced no one really understands OAuth2, probably not even the creators.
Every blog, article and tutorial has people saying don't do this, don't do that. Basically, no one agrees on a single implementation.
Want to use passwords for auth in a first party system you fully own? Apparently, that's unsafe.
Hmmm, what about magic links for passwordless auth? Also not safe you say?
Okay, I believe Okta just wants people to use their services, nothing else.
Tags: rant, oauth2, auth, okta, security