If you care about your users' privacy and security you should not use OAuth as an authentication mechanism. For integration sure, but nothing else.
mortoray.com/2014/02/21/the-danger...
In regards to the arguments in the article, it could have just as easily been titled "The dangers of SAML/Social Login".
There are a lot of parts that don't need to be coupled in the way the prepackaged identity/OAuth solutions provided by social media companies do. For example, you could use Facebook as an identity provider for your own SSO service, be it using OAuth or SAML.
That example doesn't address the issues you've pointed out, but conflating social logins with OAuth in general would be counter-productive.
Yes, the article is about social login. I have yet to see a situation where the OAuth provider is not some other website, however -- do people use internal company OAuth providers?
Yeah, using them is a monotonous task of configuring identity providers and service providers, and the SSO protocols become abstracted away and lines get blurred.
I feel like there are a lot more on-premises offerings than there had been in just the last few years. Maybe the OpenID Connect specification helped?
One solution is to validate tokens at the load balancer, to offload validation from the applications. In mid-2017 F5 added an OAuth provider to their application launcher software and I wonder if it was to address that specifically.