17

I'm convinced no one really understands OAuth2, probably not even the creators.

In every blog, article and tutorial, you have people saying don't do this, don't do that. Basically, no one agrees on a single implementation.

Want to use passwords for auth in a first party system you fully own? Apparently, that's unsafe.
Hmmm, what about magic links for passwordless auth? Also not safe, you say?
Okay, I believe Okta just wants people to use their services, nothing else.

Comments
  • 4
    Screw OAuth2.
  • 2
    You can have first party auth, but many devs are lazy and won't do it properly.
  • 2
    Security is hard. Fought too long trying to get Windows/Azure to play nice with Linux containers; ended up writing our own framework.

    That's right, storing credentials in a SQL Server.

    What could go wrong?
  • 5
    Security consultants will always offer overly complex solutions, so companies will always need them.
    Company leadership will also want complex solutions, so when shit hits the fan they can tell insurers and auditors and regulators they had the best security, and it would be impossible to prevent an attack so sophisticated.
    Auditors are consultants.
    Insurers want complex solutions because then they can tell their investors that they require the insured to have high security standards.
    Regulators want complex solutions so when reporters and constituents come complaining, they get confused just by trying to understand the clusterfuck.

    Thus, everybody loves complex security theatre solutions.
    Except for devs, and users.

    Hackers, though? They will sing and praise complex auth methods all day long. Nothing breeds more exploitable misconfigurations than overly complex handshakes.
  • 0
    Check this out. Simplest yet. The author is awesome too. Cool Twitter.

    https://pilcrowonpaper.com/blog/...
  • 0
    OAuth is an awful solution, but it's the least complex SSO / third party auth system that is actually safe, so if you want to offer SSO it's your best bet. That's why so many auth providers use it even though it doesn't make them interoperable or hot-swappable.
  • 1
    If someone tells you a solution is insecure, understand why it's allegedly insecure, and whether the problem actually applies to your use case.

    Far too often people just take 'insecure' as a blocker, without understanding that the reasons don't even apply to their solution.
  • 0
    I use Firebase Auth. Everybody has a Google account. Don't reinvent the wheel.
  • 3
    @devapsarl Fuck that.
  • 3
    @devapsarl No way.

    I refuse to sign into those things

    You know, if someone wants to doxx you, there are websites that link all your identities through these things.

    Make a new email, never give a phone number,
    and fuck tracking companies.