
Learn Authentication the Hard Way: Part Three - mariuz
https://www.andrew-best.com/posts/learn-auth-the-hard-way-part-three/
======
hpoe
I am currently an IAM engineer, and can I just throw out there how much I hate
OAuth/OIDC. I work at a large org and have to integrate with dozens of
different vendors and applications, and not a single one has the same way of
doing OAuth, because, to quote the spec (wait, it isn't a spec, it is a
"framework", we have to remember that), under interoperability it says

> OAuth 2.0 provides a rich authorization framework with well-defined security
> properties. However, as a rich and highly extensible framework with many
> optional components, on its own, this specification is likely to produce a
> wide range of non-interoperable implementations.

Don't get me wrong, OAuth is still better than WS-Fed and what we had before,
but we really need to come up with a real standard and spec for
authentication, because OAuth/OIDC is a joke. It isn't just me that thinks
this either; one of the authors of the OAuth spec said as much[1].

Can anyone tell me what their experience with OAuth has been, or have they
been able to get it to work across multiple different systems? I would love to
believe it is just my org, but it seems like the entire identity space is a
clusterf__ck.

[1] https://hueniverse.com/oauth-2-0-and-the-road-to-hell-8eec45921529

~~~
tenaciousDaniel
We implemented OAuth about a year ago with Okta, and it's been an absolute
nightmare. We have a couple of clients that have their own IDP, and they want
us to let them use SAML to authenticate. I can't figure out whether the
difficulties are inherent to SAML itself or because of Okta, but I hate it
either way.

~~~
sk5t
SAML2 is kind of hairy, technically, but--speaking as someone who used to do
this full-time up until six years ago and has stepped into other things since--
most of the pain was from half-baked implementations and utter crap-tier
error/exception reporting. Like, on one hand you'd be plagued by a lot of
small-time implementations that had a very inadequate appreciation of the
spec, and/or only supported about 10% of it, or had fatal flaws in their naive
handling of XML or even worse fatal flaws related to XML-DSIG and
canonicalization... and on the other hand you'd get these monstrous enterprise
products that specialized in offering only the most oblique of views into
their inner configuration or error states. It really takes a lot of patience
and expert level skills in 5-6 different things to cut to the heart of most
practical issues in the space.

