Hacker News new | ask | show | jobs
by l3s2d 2039 days ago
General observation, not necessarily related to this project:

It's rather unfortunate that federated identity is always an afterthought instead of the default. Every new project could have been using OpenID Connect instead of rolling their own authentication. I really wish web frameworks pushed for this.

I suppose some of the blame lies with the identity providers. So many of them use a custom OAuth protocol instead of OIDC, which shifts the burden to the developers. Adding a new IdP should be as simple as adding a new trusted URL, instead it's often integrating a new SDK.
1 comments
mumblemumble 2039 days ago
For this purpose, I'd strongly prefer LDAP over OIDC.

The reason being, companies that have a need for something like this are much more likely to be set up with their own LDAP server than with their own OIDC provider. I'm guessing the next most useful one might (still) be SAML, and then OIDC would be the cherry on top.

link
l3s2d 2039 days ago
I think OIDC should be the default authentication for services like this. It is the newest, and simplest, of the three. Any sort of integration with existing SAML or LDAP can be done via a bridge. Keycloak supports this, I believe.
link
user5994461 2038 days ago
Indeed OIDC is the standard nowadays and for the future years.

Active Directory has OIDC support since version 2016 (and SAML since earlier), which makes it the de facto supported protocol in companies.

SAML is rightfully losing adoption because it's way more difficult to use. LDAP is moot for a variety of reasons, though it's still used by some internal services.

link
closeparen 2038 days ago
LDAP pins you down to a username+password flow and requires you to handle that password. Would much rather see authentication flows that are ready for WebAuthN, etc. by default.
link
mumblemumble 2038 days ago
100% agreed there. I'm just thinking, you generally get more value out of building for the world you live in than out of building for the world you wish you lived in.
link
thinkmassive 2039 days ago
If you visit the issue I linked you’ll see they crossed out SAML support with the note “won't be implemented, since repository authentication mechanisms doesn't support these providers”
link