[djoldman]

> At ForgeRock, we had hundreds of security bugs in our OAuth implementation, and that was despite having 100s of thousands of automated tests run on every commit, threat modelling, top-flight SAST/DAST, and extremely careful security review by experts.

Wow. Anecdotally it's my understanding that OAuth is ... tricky ... but wow.

Some would say it's a dumpster fire. I've never read the spec or implemented it.

[jajko]

Hundreds of thousands of tests? That sounds like quantity > quality or outright llm-generated ones, who even maintains them?

[nmadden]

This was before LLMs. It was a combination of unit and end-to-end tests and tests written to comprehensively test every combination of parameters (eg test this security property holds for every single JWT algorithm we support etc). Also bear in mind that the product did a lot more than just OAuth.

[stuaxo]

The times I've been involved with implementations it's been really horrible.

[jofzar]

Oauth is so annoying, there is so much niche to it.

[bandoti]

Honestly, new code always has bugs though. That’s pretty much a guarantee—especially if it’s somewhat complex.

That’s why companies go for things that are “battle tested” like vibe coding. ;)

Joke aside—I like how Anthropic is using their own product in a pragmatic fashion. I’m wondering if they’ll use it for their MCP authentication API.