top | item 47098480

kennywinker | 8 days ago

> Hopefully, this post helps clear that up!

Thanks, it did not.

OAuth and OpenID Connect are a denial of service attack on the brains of the humans who have to work with them.

TZubiri | 8 days ago

A has an account at B, A has another account at C, A wants to allow C to access data at B (or to send data to B on A's behalf).

How can B be sure that C is acting on A's behalf? Can A only allow C to access certain data (or send only certain data) in order to reduce risk?

A protocol that allows for that three way negotiation is OAuth.

Like with most specs, a lot of the complexity is added in the later years, by companies that have thousands of users and complex edge cases and necessities, and they are the ones dominating the council, and their needs are the ones that push forward newer versions.

So with most specs, the best way to start learning is by working from the oldest specs to the newest ones; if you start by reading or using OAuth2, you will be bombarded with a lot of extra complexities. Not even the current experts started like that.

If you need to catch up, always start with the oldest specs/versions.
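The three-party arrangement this comment describes (A owns data at B, C wants to act on A's behalf, B must be able to check that and A should be able to limit what C gets), worked through as an added Python example. This is not code from the thread or from any OAuth library; it models B as both token issuer and resource holder, sharing a constructed HMAC key between those two roles, with a constructed client registration for C and made-up scope names such as `calendar:read`. The shape of the token (signed claims with subject, client, scope and expiry) is what a bearer access token boils down to, which is why a scope check on B's side is enough to limit C to what A agreed to.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the key B's token issuer and B's resource
# API share, and the client B knows as "C". Neither is a real secret.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
REGISTERED_CLIENTS = {"C": "constructed-client-secret-for-C"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user, client_id, client_secret, granted_scopes, lifetime=3600, now=None):
    """B's authorization side: after A consents to granted_scopes for client C,
    mint a signed token that names A (sub), C (client_id) and the scopes."""
    if REGISTERED_CLIENTS.get(client_id) != client_secret:
        raise PermissionError("unknown client or bad client credentials")
    now = time.time() if now is None else now
    claims = {
        "sub": user,
        "client_id": client_id,
        "scope": sorted(granted_scopes),
        "exp": now + lifetime,
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, now=None):
    """B's resource side: accept only tokens B itself signed and that have not
    expired. Returns the claims, or None if the token is rejected."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        sig = _unb64(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error subclasses ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


def access_resource(token, resource, required_scope, owner, now=None):
    """B's resource API handling a request from C: C's request is honoured only
    if the token proves A delegated exactly the needed scope to C."""
    claims = verify_token(token, now)
    if claims is None:
        return ("denied", "invalid or expired token")
    if claims["sub"] != owner:
        return ("denied", "token belongs to a different user")
    if required_scope not in claims["scope"]:
        return ("denied", f"scope {required_scope} not granted")
    return ("ok", f"{claims['client_id']} accessed {resource} on behalf of {claims['sub']}")


if __name__ == "__main__":
    # A agreed to let C read, but not write, A's calendar at B.
    tok = issue_token("A", "C", REGISTERED_CLIENTS["C"], ["calendar:read"])
    print(access_resource(tok, "calendar", "calendar:read", "A"))
    print(access_resource(tok, "calendar", "calendar:write", "A"))
```

The two failure modes the comment asks about are the two checks in `access_resource`: a token that B did not sign (or that has expired) is rejected before any claims are read, and a valid token still does not get C past a scope it was never granted.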

mettamage | 8 days ago

Wow, that was a really valuable lesson. I wish I had had this one at university. But the next best time to have it is now.

So thanks!

I'll start reading the oldest HTTP spec for funzies.

BrandoElFollito | 8 days ago

I use OIDC in my home lab (with Authelia). It is very simple to work with.

I do not understand what I am doing and trust the docs, but it has never been a particularly difficult setup.

SahAssar | 8 days ago

> I do not understand what I am doing

I would argue that then you do not "have to work with them", you are merely using products built with them.

layer8 | 8 days ago

The article is answering a request for explanation of how it works, however. In other words, they do want to understand.

hahn-kev | 8 days ago

No, you're thinking of SAML.

bob1029 | 8 days ago

SAML is the devil. If it weren't for its XML aspects we'd probably not have bothered as much with alternatives.

clarkdale | 8 days ago

Completely agree. OAuth, Auth0, Okta, OIDC.