
Show HN: BuzzFeed open source SSO - itwasntandy
https://tech.buzzfeed.com/unleashing-the-a6a1a5da39d6
======
itwasntandy
GitHub repo:
[https://github.com/buzzfeed/sso](https://github.com/buzzfeed/sso)

This is our identity aware proxy, which we've been using internally for a
year.

The blog post explains our motivations behind creating it, and open-sourcing
it. It's available today, under MIT license.

We'll be keeping an eye on the thread, and happy to follow up on any
questions!

~~~
andremat
Have you contracted an independent pen-testing company to assess your design
and implementation?

~~~
kingbirdy
This is mentioned in the article

> In preparation for open sourcing we also engaged with Security Innovation, a
> widely respected agency who count Microsoft, Symantec, and Amazon as
> clients, to do a more in-depth, week long assessment, with full access to
> source code and design documents. This found no major issues, which gives us
> the confidence to open source sso today.

~~~
baby
It was only a week-long assessment though. I don’t know Security Innovation,
but I’m sure they would have appreciated more time.

~~~
itwasntandy
That is understood, and is also why we engaged with some of the top
researchers who contribute to our bug bounty program from the start with this
project.

For example, offering increased bounties during certain windows, or providing
early access to the source code.

We highly value our bug bounty program, and find it to be a very effective
mechanism for continuous security validation.

I'll write a tech blog post in the near future about how we facilitate our
program.

~~~
yubozhao
Looking forward to reading about it. Thank you for the project!

------
thomseddon
We took a slightly different approach to solving a similar problem:
[https://github.com/thomseddon/traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth)

We were already using traefik as a proxy for our docker/swarm clusters and
this is a single container drop in to add authentication to every traefik
request.

It's still missing a few key features, but it can get you started. We're
testing the use of a single auth domain (so you don't have to add every
internal service domain as a redirect_uri in Google - looks similar to how sso
works) internally and we expect to release this shortly once finished.

Additionally, if you want an even lighter weight option, we also use, with
great success, cloudflare's lua script on a few services we don't run with
docker/traefik: [https://github.com/cloudflare/nginx-google-oauth](https://github.com/cloudflare/nginx-google-oauth)
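
A minimal sketch of the forward-auth pattern described in the post, added here as an illustration rather than code from traefik-forward-auth or sso: the proxy asks this endpoint about every request, a valid HMAC-signed session cookie yields a 200 plus an identity header, and anything else is redirected to one central login host carrying the original URL, so only that host needs to be registered as a redirect_uri with the provider. The host name, cookie name, token format and the X-Forwarded-* headers are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/http"
	"net/url"
	"strconv"
	"strings"
	"time"
)

const authDomain = "https://auth.example.internal" // constructed demo login host
var secret = []byte("constructed-demo-key-not-for-production") // assumed shared HMAC key

func sign(body string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(body))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}
// mint builds the session value "email|unix-expiry|signature".
func mint(email string, exp time.Time) string {
	body := email + "|" + strconv.FormatInt(exp.Unix(), 10)
	return body + "|" + sign(body)
}
// verify checks the signature in constant time, then the expiry.
func verify(tok string, now time.Time) (string, error) {
	parts := strings.Split(tok, "|")
	if len(parts) != 3 {
		return "", errors.New("malformed session")
	}
	if !hmac.Equal([]byte(sign(parts[0]+"|"+parts[1])), []byte(parts[2])) {
		return "", errors.New("bad signature")
	}
	if exp, err := strconv.ParseInt(parts[1], 10, 64); err != nil || now.Unix() >= exp {
		return "", errors.New("session expired")
	}
	return parts[0], nil
}
// forwardAuth: 200 plus identity header on a valid session, else redirect to the login host.
func forwardAuth(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("_sso"); err == nil {
		if email, err := verify(c.Value, time.Now()); err == nil {
			w.Header().Set("X-Forwarded-User", email)
			w.WriteHeader(http.StatusOK)
			return
		}
	}
	orig := r.Header.Get("X-Forwarded-Proto") + "://" + r.Header.Get("X-Forwarded-Host") + r.Header.Get("X-Forwarded-Uri")
	http.Redirect(w, r, authDomain+"/login?rd="+url.QueryEscape(orig), http.StatusFound)
}
```

The login host would complete the provider's OAuth flow and hand the browser back to the original URL with a freshly minted cookie; that half is left out here.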

------
nancyp
GApps supports Custom SAML app. What's the benefit of using this OAuth2 over
the SAML2 protocol?

[https://support.google.com/a/answer/6087519?hl=en](https://support.google.com/a/answer/6087519?hl=en)

~~~
itwasntandy
Great question. We found that SAML doesn’t typically have great support on
mobile devices [edit: had originally written browser here, hence the comments
below], and since BuzzFeed has many remote employees around the world, we
needed to support those workflows, so OAuth2 made more sense.

~~~
nancyp
IMO that's the opposite of what I understand. The selling point of OAuth2 is that SAML
works great on the web (mobile browsers included) but not so well in apps.

~~~
itwasntandy
I’ll correct my post above. I meant to say `mobile devices`, not `mobile
browsers`. My bad.

The other reason, which I didn’t mention above, but is talked about in the
blog post, is we decided to use bitly’s oauth2_proxy as a basis for our
solution. This had been widely used in BuzzFeed (we had over 100 auth proxies
in place prior to rolling out sso), and so the OAuth flow was something
everyone was familiar with.

------
markovbot
Looks super interesting. I'm looking to do something like this for my personal
stuff, but I'd rather avoid the dependency on Google. Does anyone have
suggestions for how to set something like that up?

~~~
itwasntandy
Right now we have a dependency on Google as an OAuth2 provider, as that's what
we use internally at BuzzFeed. However, we've designed sso to allow us to
easily add other providers.

For example, there's this task
([https://github.com/buzzfeed/sso/issues/9](https://github.com/buzzfeed/sso/issues/9))
to create a default provider without Google dependencies for test purposes.

We'd also welcome PRs adding other providers and believe any OAuth2 provider
should be straightforward to add.

~~~
markovbot
Cool, thanks for letting me know. I'll have to research this more.

------
rllin
a bit ignorant in this area, but how is this functionally different than
Google Cloud IAP?

~~~
itwasntandy
It’s not. We acknowledge that in our blog post, and our approach was
definitely influenced by the BeyondCorp philosophy.

However, Google IAP requires that your infrastructure is all in Google Cloud.

Whilst we do use GCP, most of BuzzFeed’s infra is in AWS, so we needed a solution
which worked for both.

------
supuun
never expected BuzzFeed on HN frontpage (:

~~~
minimaxir
BuzzFeed has been on the HN homepage quite frequently.

[https://news.ycombinator.com/from?site=buzzfeednews.com](https://news.ycombinator.com/from?site=buzzfeednews.com)

[https://news.ycombinator.com/from?site=buzzfeed.com](https://news.ycombinator.com/from?site=buzzfeed.com)

~~~
solarkraft
Buzzfeed news is ... surprisingly good. The Buzzfeed name is just associated
with painfully stupid content.

~~~
philliphaydon
> Buzzfeed news is ... surprisingly good.

This is literally news to me...