I'm convinced no one really understands OAuth2, probably not even the creators.

Every blog, articles and tutorial, you have people saying don't do this, don't do that. Basically, no one agrees on a single implementation.

Want to use passwords for auth in a first party system you fully own? Apparently, that's unsafe.
Hmmm, what about magic links for passwordless auth? Also not safe you say?
Okay, I believe Okta just wants people to use their services, nothing else.

Screw OAuth2.

You can have first party auth, but many devs are lazy and won't do it properly.

There are two aspects to this. The first is making sure nobody sodomises your website. The second is convincing the auditors that you've done everything properly.

When it comes to the second one, nothing beats a big, complicated, third-party solution. If you can involve a fourth and fifth party somehow then the auditors will become positively moist.

Also Okta are giving away some kind of coffee flask thing.

Security is hard. Fought too long trying to get Windows/Azure to play nice with Linux containers ended up writing our own framework.

That's right, storing credentials in a SQL Server.

What could go wrong?

Security consultants will always offer overly complex solutions, so companies will always need them.
Company leadership will also want complex solutions, so when shit hits the fan they can tell insures and auditors and regulators they had the best security, and it would be impossible to prevent an attack so sophisticated.
Auditors are consultants.
Insurers want complex solutions because then they can tell their investors that they require the insured to have high security standards.
Regulators want complex solutions so when reporters and constituents come complaining, they get confused just by trying to understand the clusterfuck.

Thus, everybody loves complex security theatre solutions.
Except for devs, and users.

Hackers, though? They will sing and praise complex auth methods all day long. Nothing breeds more exploitable misconfigurations than overly complex handshakes.

@jestdotty Yup. The more complex anything is the more room for bugs.

On the plus side, the more complex something is, the more consultants you need. And the more bugs there are, the more work they get to do.

Win-win.

check this out. simplest yet. the author is awesome too. cool twitter

https://pilcrowonpaper.com/blog/...

OAuth is an awful solution, but it's the least complex SSO / third party auth system that is actually safe, so if you want to offer SSO it's your best bet. That's why so many auth providers use it even though it doesn't make them interoperable or hot-swappable.

jep... the main problem with oauth: it's a great standard. but there's 100 different implementations, and 120 of those suck.

If someone tells you a solution is insecure, understand why it's allegedly insecure, and whether the problem actually applies to your usecase.

Far too often just take 'insecure' as a blocker, without understanding that the reasons are not even applying to their solution.

I use firebase auth. Everybody have a google account. Dont reinvent the wheel.

@devapsarl Fuck that.

@Root why su?

@devapsarl no way

I refuse to sign into those things

you know if someone wants to doxx you there's websites that link all your identities through these things

make a new email, never give a phone number
and fuck tracking companies

@jestdotty
👆🏻