Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
spongessuck6165223dYou can have first party auth, but many devs are lazy and won't do it properly.
-
donkulator3133223dThere are two aspects to this. The first is making sure nobody sodomises your website. The second is convincing the auditors that you've done everything properly.
When it comes to the second one, nothing beats a big, complicated, third-party solution. If you can involve a fourth and fifth party somehow then the auditors will become positively moist.
Also Okta are giving away some kind of coffee flask thing. -
PaperTrail10605223dSecurity is hard. Fought too long trying to get Windows/Azure to play nice with Linux containers ended up writing our own framework.
That's right, storing credentials in a SQL Server.
What could go wrong? -
JsonBoa3014223dSecurity consultants will always offer overly complex solutions, so companies will always need them.
Company leadership will also want complex solutions, so when shit hits the fan they can tell insures and auditors and regulators they had the best security, and it would be impossible to prevent an attack so sophisticated.
Auditors are consultants.
Insurers want complex solutions because then they can tell their investors that they require the insured to have high security standards.
Regulators want complex solutions so when reporters and constituents come complaining, they get confused just by trying to understand the clusterfuck.
Thus, everybody loves complex security theatre solutions.
Except for devs, and users.
Hackers, though? They will sing and praise complex auth methods all day long. Nothing breeds more exploitable misconfigurations than overly complex handshakes. -
donkulator3133223d@jestdotty Yup. The more complex anything is the more room for bugs.
On the plus side, the more complex something is, the more consultants you need. And the more bugs there are, the more work they get to do.
Win-win. -
useVim2142223dcheck this out. simplest yet. the author is awesome too. cool twitter
https://pilcrowonpaper.com/blog/... -
lorentz15203223dOAuth is an awful solution, but it's the least complex SSO / third party auth system that is actually safe, so if you want to offer SSO it's your best bet. That's why so many auth providers use it even though it doesn't make them interoperable or hot-swappable.
-
tosensei8454222djep... the main problem with oauth: it's a great standard. but there's 100 different implementations, and 120 of those suck.
-
theDEX70219dIf someone tells you a solution is insecure, understand why it's allegedly insecure, and whether the problem actually applies to your usecase.
Far too often just take 'insecure' as a blocker, without understanding that the reasons are not even applying to their solution. -
jestdotty5763219d@devapsarl no way
I refuse to sign into those things
you know if someone wants to doxx you there's websites that link all your identities through these things
make a new email, never give a phone number
and fuck tracking companies
Related Rants
I'm convinced no one really understands OAuth2, probably not even the creators.
Every blog, articles and tutorial, you have people saying don't do this, don't do that. Basically, no one agrees on a single implementation.
Want to use passwords for auth in a first party system you fully own? Apparently, that's unsafe.
Hmmm, what about magic links for passwordless auth? Also not safe you say?
Okay, I believe Okta just wants people to use their services, nothing else.
rant
oauth2
auth
okta
security