by josephcsible 1587 days ago
> Most of the enterprise apps I have worked with use something like OAuth or SAML.

If an app is a SAML SP or an OAuth client, then it's not really doing authentication itself, but rather delegating it to another system. When you go to log in to the SAML IdP or the OAuth authorization server, where the authentication actually happens, don't they let you use HTTP basic authentication or <input type="password">?


You're right, I should not have gone on that tangent.

To get back to the main point, though, don't you think that the fact that Microsoft includes a disclaimer (kinda) in their docs lends some credence to the idea that they're not really proud of this?

Like I said, I agree things could be better. I just don't think things are currently quite as bad as your original article makes them sound, and I also think it's unfair to single out SQL Server as if it were worse than normal, when it's exactly the same as basically everything else today.

That's a reasonable position, and I think a good conclusion to a constructive debate.

Whether it's unfair to single out SQL Server -- I don't think it is. SQL Server is one of the foundations of modern IT infrastructure, and it should be held to the highest standard. This is clearly a chink in the armor, and Microsoft seems to be aware of it.

Thanks to your pushback, I have refined my argument and will publish a significantly revised version of it on SQL Server Central (https://www.sqlservercentral.com/) on March 2. There is a preview at https://www.galliumdata.com/articles/can-we-please-stop-send... in case you're curious.

I respect your expertise, and I appreciate your civility. Thank you.