[orweis]

In a sense you do own it, you just delegate it, and thanks to JWT and JWKs you control the identity flow.

Meaning, you don't have to physically be the guard at the door, to know your door is guarded. And you can use passports and well formed policies (ideally as code) to communicate to your guards who to let in, when, and how.

[chillbill]

> Meaning, you don't have to physically be the guard at the door, to know your door is guarded.

This doesn't translate well to a web app, to guard your data you have to physically have it somewhere where you and only you can access it.

[orweis]

:D Truly? So does that mean you won't use any cloud service (e.g. AWS, GCP, Azure) ? And no Authentication services (e.g. Auth0, AWS Cognito, Firebase)? ...

[chillbill]

Yeah truly :) I "may" use Postgres on RDB, but won't use a service they offer I don't know the infra of or be certain if I'm the only one who can access. Definitely non of those auth services you mentioned. Why do you think many people are very much anti mysterious "clouds" and there's general push towards self-hosting from people who know how things work.

[asafc]

It's always a valid choice to build your own, just not cost-efficient for some. It's considered safe to use cloud authentication providers like Okta, Auth0, etc as well as cloud billing providers like Stripe, etc.

An authorization proxy is quite the same, and I would argue that for some teams is much safer to use than building your own AuthZ. Broken access control is the top OWASP risk for a reason (i.e: implementation complexity)

source: https://owasp.org/Top10/A01_2021-Broken_Access_Control/