Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
zaptheimpaler 5 hours ago

Oauth and enterprise auth has to be the worst thing ever made, it might be the most confusing and frustrating part of dealing with the cloud. Even the AI tools took a year to just get basic Oauth working on headless systems without assuming you could open a browser. If they're going to go down the auth rabbit hole with RBAC/IAM/Workload identities?/service accounts and all the trash the big cloud providers have, I just hope to god they leave in the simple shit for personal use. I just want a damn API key, I keep it a secret and revoke if necessary and don't need 10000 layers of auth bullshit tangled up in every layer of every platform.

aeneas_ory 2 hours ago | parent | next [-]

OAuth2 is complex and often not the right tool. I wrote Ory Hydra and also a blog post when OAuth2 is/is not a good idea: https://www.ory.com/blog/oauth2-openid-connect-do-you-need-u...

For API Keys we just launched Ory Talos (https://github.com/ory/talos) - a perfect alternative for when OAuth2 is too much for the use case.

There are use cases and security concerns that legitimize using OAuth2 - with specs like DPoP you can make these flows more secure. In my view the use cases presented here is a good one for OAuth2, but it certainly doesn’t make sense everywhere - complexity makes system harder to secure.

willtemperley 5 hours ago | parent | prev | next [-]

What I don't understand is why OAuth is rarely talked about in a privacy context, however your OAuth provider knows all the sites you log into and when.

It's a privacy nightmare.

vintermann 4 hours ago | parent | next [-]

Your OAuth provider can also vouch for anyone who pretends to be you, if they so desire. They can give access to anyone, including themselves.

spaghettifythis 5 hours ago | parent | prev | next [-]

Though given most people use gmail or outlook, the two main oauth providers (Google and Microsoft) will know anyway

willtemperley 5 hours ago | parent | next [-]

True they'd know which sites you've signed up to, but not the login times, unless the service emails you every time you log in.

v5v3 42 minutes ago | parent | prev [-]

Three main providers

(Apple login is in nearly every iOS app and most websites)

userbinator 4 hours ago | parent | prev | next [-]

Centralised identity is basically the government... and having some other entity behave the same way is not good.

niyikiza an hour ago | parent | prev [-]

there are some emerging mechanisms for offline verification that don't require AS in the OAuth WG. (I'm working on one of them)

cad 3 hours ago | parent | prev | next [-]

Don't get me wrong but data shows that you will likely fail to keep that api key a as secret and you will also fail to revoke when it becomes necessary. You will definately not going to rotate it frequently as you should.

Good thing about the OAuth2/OIDC is these things will not put the trust on the bearer of the api key, but on actual identity that needs to have the access.

tasuki 2 hours ago | parent | next [-]

My data shows that zaptheimpaler has above average likelihood to keep their secret secret.

> Good thing about the OAuth2/OIDC is these things will not put the trust on the bearer of the api key, but on actual identity that needs to have the access.

And... you do not see the myriad of problems with that? What about the OIDC provider going rogue or getting compromised? How do you ensure whatever you use to authenticate with your OIDC isn't compromised? Many identity providers and identity bearers have terrible security practices. "Add a backup email in case you lose your 2FA. Nevermind it's the same email we use for password reset."

Again, I trust zaptheimpaler to keep their secret much better than this whole pretend security theater.

zigzag312 an hour ago | parent | prev | next [-]

Can you share source of this data? I have my doubts about the quality of the data, since OAuth2 is such a complex system with so many footguns.

In the end there is always some long lived secret. What changes is just where and how it is stored, secured and used.

I bet we can generalize to say that data shows that you will likely fail to properly secure any secret (including the ones used in OAuth2).

EDIT: An example: https://news.ycombinator.com/item?id=37973937

cassianoleal an hour ago | parent | prev [-]

> but on actual identity that needs to have the access.

Not quite. You shift the trust from the key bearer (the most interested party in all of this) to the identity provider.

RVuRnvbM2e 2 hours ago | parent | prev | next [-]

It's the worst delegated authorisation system except for all the others that have been tried from time to time.

badgersnake 2 hours ago | parent [-]

The original OpenID was fine.

notpushkin an hour ago | parent [-]

IndieAuth is fine (but I’ve yet to see an implementation out in the wild).

Tailscale’s implementation of OIDC is nice: https://tailscale.com/docs/integrations/identity/custom-oidc

But all that only makes sense if you own a domain name.

jpc0 2 hours ago | parent | prev | next [-]

> I just want a damn API key, I keep it a secret and revoke if necessary and don't need 10000 layers of auth bullshit tangled up in every layer of every platform

Then implement that on your app... You are just generating a random key and storing a hash + salt.

Auth is hard only applies to auth for many users. For your own auth this is dead simple and made even simpler if you use a half decent framework...

If you are really worried about the implementation being insecure throw one of the many moderately frontier models at it, they are really not bad at finding issues in an auth system that simple.

jofzar 4 hours ago | parent | prev | next [-]

We had a security report for a oauth vuln and it was the worst thing I have ever read, the whole thing is like spaghetti that "just works" until it doesn't because you feed it something similar.

Never want to touch oauth, it's a fucked spec.

jurgenaut23 5 hours ago | parent | prev | next [-]

I am tempted to agree with you because I could never quite wrap up my head around it, but I never had to implement OAuth beyond a brief skim through the doc for my own understanding. I always thought this complexity was there for some good reason (security?).

fmbb an hour ago | parent | next [-]

> I always thought this complexity was there for some good reason (security?).

It's just design by committee.

messe 5 hours ago | parent | prev | next [-]

> was there for some good reason (security?).

To cover the myriad of (sometimes downright stupid) requirements that large enterprises have.

iririririr 4 hours ago | parent | prev [-]

far from it! it was just designed by comitee who both future proofed it and made sure it worked on low powered devices from 1971.

i make a point to implement oauth from scratch, because using the overly complex libraries expose you to bugs such as attacker sending a token which the metadata just says "no encryption or signature. trust me bro", which is actually part of the spec if you combine some options.

while in the real world, if google or apple sends you a token that is not always the same signature cypher (one of a dozen by the spec) you are better of threating as malicious, because it pretty much is. a manual implementation of a token consumer is about 20 lines... including downloading the provider keys and checking it (which most startups never do! allowing anyone to just sign a token as anyone)

raxxorraxor 2 hours ago | parent | prev | next [-]

Oauth is fine if you need the complexity, that is a lot of apps sharing common identity information. Then it certainly is superior to the classic workflow.

I agree that it is too complex though and app to app auth is certainly not a focus. I often still use static common secrets and see no problem with that.

I hate for apps needing to save passwords themselves, even if we have good tools today and the standard bcrypt call is reasonably safe. But then you need to reimplement password reset flows and all that ugly shit. Having that centralised is often

I would recommend self-hosting an OIDC service for that matter. The control you get also allows you to easily comply with some laws like GDPR and cousins, because you need to just purge a user in a single system.

Otherwise I thoroughly feel the frustration with IAM and the big providers. Ain't nobody got time for that and it is never a good and efficient solution.

notpushkin 41 minutes ago | parent [-]

> I would recommend self-hosting an OIDC service for that matter.

Seconded. It is fairly easy to set up, and so much easier than the cloud IAM things.

The only catch is, make sure you have some backup access to your OIDC provider in case it goes down. E.g. don’t host it on a server with SSH only accessible through VPN that is authorised using your OIDC provider, etc.

dist-epoch 2 hours ago | parent | prev [-]

I run Codex in multiple disposable sandboxes and OAuth is such a fucking pain. I vibe-coded a project which just stores/allocates/shuffles codex auth.json files around. I have a codex instance that I manually authenticate multiple times with browser OAuth, then copy that auth.json in a store from where it's distributed to the sandboxes. And sandbox codex sometimes refreshes the authorization, so when that happens I need to send that auth.json back to the central store. Madness.

One good thing GitHub Copilot has it that you can just give it a GH_TOKEN that is valid for 6 months and stop this browser login nonsense.