DEV Community

Canming Jiang

Why you should not ask your developers to implement modern auth

If a software developer has no experience adding #OIDC/#OAuth or #SAML #SSO (Single Sign-On) to a web application, he/she needs to understand the complex OIDC/OAuth or SAML protocol, practice with the SDK/API from the identity provider, manage user sessions, and write the code; it usually takes 3-6 months of engineering work for 1 application.

Once the initial work is done, it requires constant maintenance and improvements. Also, security vulnerabilities can easily be introduced if security expertise is lacking.

As an engineering leader, you are wasting your developers' time and your precious engineering resources if you assign such tasks to your developers.

A #NoCode proxy-based solution is obviously a much better alternative.

https://www.linkedin.com/posts/cmjiang_oidc-oauth-saml-activity-6910026693147594753-Lcrk?utm_source=linkedin_share&utm_medium=member_desktop_web

Discussion (6)

Tony B

It certainly doesn't take 6 months of engineering time to implement Azure AD SSO to your application if you are already in that Azure environment for your website. More like a day, and almost no cost.

I agree, though, that a third-party solution can be better in some cases ... but not always.

Cost/Benefit/Risk applies as always. :)

Canming Jiang (Author)

If you are referring to Azure built-in authentication [1] or Azure App Proxy [2], both of them are no-code, proxy-based solutions.

  1. docs.microsoft.com/en-us/azure/app...
  2. docs.microsoft.com/en-us/azure/act...

Tony B

It sounds like your definition of no-code is using a library the IdP provides. That really isn't far from using a generic OIDC or SAML library. The effort is very similar.

I am still not sure where your 6 months of engineering time comes in.

Canming Jiang (Author) • Edited on

My definition of no-code is NOT using a library from the IdP [1] or an SDK from some programming framework, e.g., Java Spring.

6 months of engineering time is from our conversations with some practitioners. To give you an example, one large non-profit organization was migrating apps from legacy basic auth to modern OIDC auth, which is Okta. They had no experience with OIDC or SAML. They had two engineers and worked for about 3 months for 1 app.

[1] github.com/AzureAD/azure-activedir...

Tony B

Sounds like a terminology/semantics thing I am disagreeing with, then. When I think no-code, I don't think of using a library for OIDC or SAML functionality. That is code :) Each to their own.

Canming Jiang (Author)

Are you talking about using the Azure AD SDK?