by shadowbanned4 900 days ago
HTTP basic auth, TLS with client certs.
2 comments

Those things don't do what OIDC does?
They do them with much less complexity than OIDC.
They absolutely do not and also introduce a significant amount of overhead with respect to key/certificate management.
And security (basic auth is as good as sending clear text passwords).
> sending clear text passwords

Which is totally fine to do over HTTPS.

Passwords need to be sent both with the request, and to the requestor. I think GP is referring to sending credentials to the service making the request.

It is far better to give service XYZ a time-bound and scope limited token to perform a request than a user's username and password.
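As an added illustration of the point above (this is not code from the thread): a minimal HMAC-signed bearer token that carries a scope and an expiry, next to a Basic header from which the receiving service can recover the full password. The key, claim names and scope strings are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: shared secret between issuer and verifier


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, scopes: list, ttl_seconds: int, now=None) -> str:
    """Issue a token bound to a subject, a scope list and an expiry time."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": sorted(scopes), "exp": int(now + ttl_seconds)}
    body = b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + b64(tag)


def verify_token(token: str, required_scope: str, now=None):
    """Return the claims only if the MAC is valid, the token is unexpired and the scope is granted."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(tag)):  # reject tampered claims before parsing
        return None
    claims = json.loads(unb64(body))
    if claims["exp"] <= now:  # time-bound: a leaked token stops working
        return None
    if required_scope not in claims["scope"]:  # scope-limited: no more than what was delegated
        return None
    return claims


def basic_auth_credentials(header: str):
    """A Basic header hands the service the whole password: no scope, no expiry."""
    _scheme, _, blob = header.partition(" ")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password
```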

Isn't Google moving toward phasing out TLS client certs in chrome/chromium?
Do you have any source for that? I can't find anything online about this, but that would effectively kill browser mTLS.
Chromium removed support for generating TLS Client Certs within chrome in 2016 [0] and ever since then it has gotten harder and harder to use mTLS in Chrome/Chromium. Ten years ago it wasn't a great UX, but now it isn't even obvious how to use it. The impression I've gotten is that Chrome isn't interested in mTLS.

[0]: https://groups.google.com/a/chromium.org/g/blink-dev/c/z_qEp...