Oauth and enterprise auth has to be the worst thing ever made, it might be the most confusing and frustrating part of dealing with the cloud. Even the AI tools took a year to just get basic Oauth working on headless systems without assuming you could open a browser. If they're going to go down the auth rabbit hole with RBAC/IAM/Workload identities?/service accounts and all the trash the big cloud providers have, I just hope to god they leave in the simple shit for personal use. I just want a damn API key, I keep it a secret and revoke if necessary and don't need 10000 layers of auth bullshit tangled up in every layer of every platform.
What I don't understand is why OAuth is rarely talked about in a privacy context, however your OAuth provider knows all the sites you log into and when.
It's a privacy nightmare.
For enterprise, the ability to shut out a user with one click is the overriding security feature.
I don’t know why anyone wants to use a federated identity to sign into things. Where did the messaging that it’s more secure come from, Google?
Why would I want the headache of securely storing credentials if I'm running a web app? I'd rather offload it onto Google. And yeah, it's probably more secure.
Why would I want the headache of having yet another login/password to remember, if (like most people) I haven't figured out password managers? I'd rather just use my Google identity, especially if I don't really care about this particular web app.
There's a way to do auth with just email as well. Any good service will have a "I forgot my password" flow. Instead of using passwords, why not use tokens you email them gated by a 2FA challenge?
I have both Google and Github Oauth flows added to this idea in code, and it works great for my purposes. Prior to coding agents, I wrote the code by hand and went over it a few times to ensure it worked and was safe (for the email token thing at least). I even wired up the Oauth stuff myself, without an agent. It's not hard.
With agents, it's super easy to audit this and also deploy services using them, so I'm not sure why any arguments here mention how hard it is nowadays. It's not hard, but it does expose what site a user is logging into. That's just a easy function for the user though, with known risks.
With Google email, if I use a site with email logins, Google STILL knows I used them. It's just in my email instead of a logfile that I authenticated to a site. I would note that as long as the token is alive, dependent on the provider's choices, Google doesn't know I'm going back again, and has no idea what I'm doing on the site. I'd trust Google over anyone else about this, even Github (as related to Oauth to avoid the nitpick that has been common here recently).
I would hardly call this a "security nightmare" (as someone else said, not you) as Google only knows someone is authenticating to a given URL which they've vetted (a little) during the setup process. Same for Github. If you don't like Oauth, or feel that then every site someone uses should provide an email login fallback.
This is only true if one doesn’t care about spam going to that identity
If you sign up on a site with your stock email, this is a risk as well. And for retrieving lost logins, you still have to have an email in there. Why does it matter if I use a burner Gmail account for this and don't they already provide spam protection?
Normal people just reuse a few variations of the same password across all of their accounts. Federated identity isn't bulletproof but it beats the heck out of reusing the same password.
Login tokens solves the re-use (but does put the onus on their email being secure).
Do you remember when people had to "remember" a password for every service they use? It is better to use a trusted third party. Sure these third parties are big corporations, but its safer for most people to have a login that just works, even at the cost of some privacy.
People trying to remember passwords is a pretty bad security situation.
I'm not an expert but so often folks on here throw criticisms without giving credit to some of the merits of solutions. Nothing is perfect, and progress can still be made. :)
A password manager can both take care of remembering unique passwords and allow privacy options
Hard to convince users that they need to be using a password manager if you run a SaaS. Also when things like LastPASS getting hacked are on the front page... imagine advising people to use that one! (I'm guilty of recommending LastPASS many years ago, before their first breach).
Good luck getting people to use one! Even when they do, the UX is a nightmare.
> its safer for most people to have a login that just works, even at the cost of some privacy.
Respectfully, I disagree in a time when all your data is being slurped up and resold constantly I hate any additional costs to my privacy.
> People trying to remember passwords is a pretty bad security situation.
But that's their problem, not mine. I'm an adult and I use a password manager.
It probably is more secure, to be honest. I trust Google to keep my account secure more than I trust some random website to store password hashes and verify securely.
Your OAuth provider can also vouch for anyone who pretends to be you, if they so desire. They can give access to anyone, including themselves.
Microsoft SSO does exactly this. They let you pretend to be someone else's email, making their SSO service pointless since you still need to do email verification anyways (at which point, just send a login token to sign them in, instead of using SSO).
Slight tangent.
The only way to preserve privacy while having a central and easy authentication mechanism I can think of is to use IndieAuth[0] which is built on top of OAuth 2.0.
Of course, you will need to be your own provider, using an IndieAuth provider service defeats the purpose, which is what I see most IndieWeb devs are doing.
You will need to own a (sub)domain though.
[0] https://indieweb.org/IndieAuth?redirected=IndieAuth
WebFinger + self-hosted Oauth provider is indeed nice. Unfortunately not widely available.
Take a look at Google's FedCM protocol as well
"It's a privacy nightmare."
Privacy nightmare in the real world, "tech" company wet dream in SillyCon Valley
There's two sides to every coin
I've done a bit of experimentation in this area. Check out https://lastlogin.net/.
You may also be interested in the FedCM protocol Google is working on.
Though given most people use gmail or outlook, the two main oauth providers (Google and Microsoft) will know anyway
True they'd know which sites you've signed up to, but not the login times, unless the service emails you every time you log in.
Every time you sign into an app, you get redirected to the auth provider to open a session there. So of course they know your login times.
I don't think you followed the thread. I began discussing the OAuth privacy nightmare, then the counter point was that the with email auth providers know anyway, but they don't know the login times necessarily, unlike with OAuth.
Three main providers
(Apple login is in nearly every iOS app and most websites)
Corporations aren't interested in preserving privacy, quite the opposite. If you need OAuth for private use you'd have to roll out your own centralised directory.
It also makes authentication Not Your Problem. Getting someone else to handle password resets alone seems worth the squeeze.
Totally agree. Having to handle the password reset flow requires having reliable email delivery, which can be non-trivial. I usually start with supporting Google auth, and if I need more than that I'll add Microsoft and Apple too. Everyone already has at least one of those setup.
I wouldn't call it a nightmare. It's a well documented design choice
Centralised identity is basically the government... and having some other entity behave the same way is not good.
there are some emerging mechanisms for offline verification that don't require AS in the OAuth WG. (I'm working on one of them)
OAuth2 is complex and often not the right tool. I wrote Ory Hydra and also a blog post when OAuth2 is/is not a good idea: https://www.ory.com/blog/oauth2-openid-connect-do-you-need-u...
For API Keys we just launched Ory Talos (https://github.com/ory/talos) - a perfect alternative for when OAuth2 is too much for the use case.
There are use cases and security concerns that legitimize using OAuth2 - with specs like DPoP you can make these flows more secure. In my view the use cases presented here is a good one for OAuth2, but it certainly doesn’t make sense everywhere - complexity makes system harder to secure.
Ory Hydra was one of the few tools I remember being actually good and lightweight and useable. Tried setting up and using KeyCloak for a while, absolute nightmare
Plus I feel like it has completely ruined typical login flows, normally a PW manager would auto fill the username + password fields, but thanks to oauth we often get only a username field, or have to click 'login with password' or some other silly step first.
OIDC can be relatively straight-forward (that is just a few JSON REST calls) if the provider isn't configured in a restrictive way. The .well-known/openid-configuration endpoint is quite helpful. Exchanging username+password (optionally with OTP) for a token is an option in the standard. The issue is that lots of deployments are quite restrictive "for security".
OIDC is only barely more complicated than the minimum viable option for establishing someone's identity based on the word of a trusted third party.
User shows up at your login flow. You assign them a big random number identifying their user session (this is your "state")
User indicates an identity provider they'd like to use. You probably have a short list you trust.
You ask that provider for the configuration data.
You generate a big random number, that identifies this log in attempt as unique. This is your "nonce".
You send the user, along with the state and nonce, to the trusted third party. (at their "authorization endpoint")
The user proves to the trusted third party they are who they say they are. This isn't your problem.
The user comes back to you with a claimed state and a code (a big random number assigned by the trusted third party).
You check that the user's claimed state matches the state that you assigned them. This ensures that you end up authenticating the same user session as the one that started the login.
You then reach out to the third party directly (to their token endpoint), with state and code in hand, and ask them "yo, a user session with this state just claimed you sent them to me with this code. Who are they?".
And then the trusted third party sends back a token attesting "They are so and so".
The one superfluous step is that, according the spec, you're supposed to then verify the signature of that token. It is unclear to me why this is in the spec, since I just made an https request to the trusted third party. The entire security model here has assumed that trusted third party is trusted.
Don't get me wrong but data shows that you will likely fail to keep that api key a as secret and you will also fail to revoke when it becomes necessary. You will definately not going to rotate it frequently as you should.
Good thing about the OAuth2/OIDC is these things will not put the trust on the bearer of the api key, but on actual identity that needs to have the access.
My data shows that zaptheimpaler has above average likelihood to keep their secret secret.
> Good thing about the OAuth2/OIDC is these things will not put the trust on the bearer of the api key, but on actual identity that needs to have the access.
And... you do not see the myriad of problems with that? What about the OIDC provider going rogue or getting compromised? How do you ensure whatever you use to authenticate with your OIDC isn't compromised? Many identity providers and identity bearers have terrible security practices. "Add a backup email in case you lose your 2FA. Nevermind it's the same email we use for password reset."
Again, I trust zaptheimpaler to keep their secret much better than this whole pretend security theater.
And I also trust myself to keep my secrets better than this whole pretend security theater too.
I've never worked at an organization that handled their user's data/privacy/security even remotely close to how I handle my own and I wouldn't even consider myself all that paranoid. I have worked for some companies that really really should care too - there's just no incentive to really care and those in the org that try too do so will get ignored.
The data breach letters I get in the mail a few times a year back me up on this.
Can you share source of this data? I have my doubts about the quality of the data, since OAuth2 is such a complex system with so many footguns.
In the end there is always some long lived secret. What changes is just where and how it is stored, secured and used.
I bet we can generalize to say that data shows that you will likely fail to properly secure any secret (including the ones used in OAuth2).
EDIT: An example: https://news.ycombinator.com/item?id=37973937
> but on actual identity that needs to have the access.
Not quite. You shift the trust from the key bearer (the most interested party in all of this) to the identity provider.
> I just want a damn API key, I keep it a secret and revoke if necessary and don't need 10000 layers of auth bullshit tangled up in every layer of every platform
Then implement that on your app... You are just generating a random key and storing a hash + salt.
Auth is hard only applies to auth for many users. For your own auth this is dead simple and made even simpler if you use a half decent framework...
If you are really worried about the implementation being insecure throw one of the many moderately frontier models at it, they are really not bad at finding issues in an auth system that simple.
It's the worst delegated authorisation system except for all the others that have been tried from time to time.
The original OpenID was fine.
IndieAuth is fine (but I’ve yet to see an implementation out in the wild).
Tailscale’s implementation of OIDC is nice: https://tailscale.com/docs/integrations/identity/custom-oidc
But all that only makes sense if you own a domain name.
> But all that only makes sense if you own a domain name.
I have a hard time believing the venn diagram of "has a need for an auth provider" and "has at least one domain name" isn't just a a small circle almost entirely inside a large one, and the sliver on the outside is not for any reason other than stubborn refusal.
the original sin of internet - it’s not secure, and for many it’s not the bug it’s a feature to make money or gain power. all nested layers to cover up previous fails. example - nonce, state, encryption bumps in oidc/oauth2.1
We had a security report for a oauth vuln and it was the worst thing I have ever read, the whole thing is like spaghetti that "just works" until it doesn't because you feed it something similar.
Never want to touch oauth, it's a fucked spec.
OAuth 2.0 is a hate crime against security given its complexity.
When I really dove into it, I understood mostly why all the complexity was all there if I cared about data at the identity provider.
When it’s only used for SSO, it’s extreme overkill.
I am tempted to agree with you because I could never quite wrap up my head around it, but I never had to implement OAuth beyond a brief skim through the doc for my own understanding. I always thought this complexity was there for some good reason (security?).
OAuth is designed so that an end-user never needs to see an API key (OAuth refresh/access token) or even know what one is. When it is implemented to the spec, that happens well.
I think that most of the "just give me an API key" comments are from a <1% of end-users (developers) that know what an API key is, and are facing a broken OAuth implementation.
> and are facing a broken OAuth implementation.
Or didn't bother to read the spec to understand why it's non trivial. Things like this are complex because attacks will force it to be.
Also, the broken implementation might be an OIDC implementation that doesn't support client_credentials for example. Seen that many times and that does make it rather awkward to implement a server to server flow...
OAuth first and foremost is driven by getting secret information from, let’s say, Big Company. It’s understandable that there are many steps for some random Joe to get Google emails or Facebook DMs.
OpenID piggy-backed on it by layering on new terms to an already complex scheme. The precious, secret information from Big Company in OpenID is just Email and maybe Name and Profile Picture. Then there’s a lot of ceremony for the service using OAuth to securely get that big secret (the user’s Email, which they had to supply in the first place directly to Relying Party).
> was there for some good reason (security?).
To cover the myriad of (sometimes downright stupid) requirements that large enterprises have.
> I always thought this complexity was there for some good reason (security?).
It's just design by committee.
far from it! it was just designed by comitee who both future proofed it and made sure it worked on low powered devices from 1971.
i make a point to implement oauth from scratch, because using the overly complex libraries expose you to bugs such as attacker sending a token which the metadata just says "no encryption or signature. trust me bro", which is actually part of the spec if you combine some options.
while in the real world, if google or apple sends you a token that is not always the same signature cypher (one of a dozen by the spec) you are better of threating as malicious, because it pretty much is. a manual implementation of a token consumer is about 20 lines... including downloading the provider keys and checking it (which most startups never do! allowing anyone to just sign a token as anyone)
I would be so glad to see a short educational video about this. I wasn't aware of this and I think millions of other devs aren't either. Otherwise we'd never have adopted this nightmare.
I love how simple SSH is with it's PK-Auth. The only challenge is session-invalidation and key-management, but that can be surely automated, no?
Oauth is fine if you need the complexity, that is a lot of apps sharing common identity information. Then it certainly is superior to the classic workflow.
I agree that it is too complex though and app to app auth is certainly not a focus. I often still use static common secrets and see no problem with that.
I hate for apps needing to save passwords themselves, even if we have good tools today and the standard bcrypt call is reasonably safe. But then you need to reimplement password reset flows and all that ugly shit. Having that centralised is often
I would recommend self-hosting an OIDC service for that matter. The control you get also allows you to easily comply with some laws like GDPR and cousins, because you need to just purge a user in a single system.
Otherwise I thoroughly feel the frustration with IAM and the big providers. Ain't nobody got time for that and it is never a good and efficient solution.
> I would recommend self-hosting an OIDC service for that matter.
Seconded. It is fairly easy to set up, and so much easier than the cloud IAM things.
The only catch is, make sure you have some backup access to your OIDC provider in case it goes down. E.g. don’t host it on a server with SSH only accessible through VPN that is authorised using your OIDC provider, etc.
I run Codex in multiple disposable sandboxes and OAuth is such a fucking pain. I vibe-coded a project which just stores/allocates/shuffles codex auth.json files around. I have a codex instance that I manually authenticate multiple times with browser OAuth, then copy that auth.json in a store from where it's distributed to the sandboxes. And sandbox codex sometimes refreshes the authorization, so when that happens I need to send that auth.json back to the central store. Madness.
One good thing GitHub Copilot has it that you can just give it a GH_TOKEN that is valid for 6 months and stop this browser login nonsense.
What does codex's auth.json file have to do with OAuth?
> I keep it a secret and revoke if necessary and don't need 10000 layers of auth bullshit tangled up in every layer of every platform.
Expect it. Security is hard and the companies with deep pockets are happy to pay the bill that meets their cybersecurity insurance requirements.