by mooreds 950 days ago
It depends!

(I work for an auth vendor, so where I stand depends on where I sit, to some extent.)

I've seen and built apps that only needed built-in framework or language support. Or, best of all, don't use authentication at all.

I've also seen and/or built apps that needed advanced functionality to support business requirements. For example, if you want to:

* support slack-like workspace switching functionality for a single user

* but allow each organization to control the login methods they want to allow, including magic links, SAML, OIDC, LDAP, etc.

* and make all APIs securely and scalably available to single page applications and mobile applications

* across hundreds of thousands or millions of users

You're going to want to use some of the more complicated standards. Basic auth ain't gonna help with that.

I worked for the largest company in Canada, which handled billions of dollars. You can make your decision, but they won't do anything.

I work on the cloud security team for a Fortune 500 company. They won't even consider a third-party service that doesn't provide an enterprise SSO/SAML integration with our auth provider. I suspect this is the more common approach for enterprise-level companies, given that at 40k+ employees it's just not possible to manage employee auth across hundreds of services.

They still used basic auth across all their apps?

No. They used OAuth. I wrote their entire OAuth system. And it was a nightmare reading through the OAuth/OIDC specs for something that could be handled trivially with HTTP basic auth.