by egorfine 38 days ago
Because auth is a productivity tarpit. Anything you plan on doing with auth looks simple but almost never is. Homegrown auth can easily sink half of your dev and support teams.

Of course, we're not talking about email/password with "remember me" checkbox kind of auth.


I wonder if it is not people being notoriously lazy or clueless to an astonishing degree. How often do you hear that passwords were saved in plaintext? Surprisingly often in this day and age.

People not knowing what salt and pepper is... Vulnerabilities almost as if on purpose...

Perhaps it is actually not THAT hard but just like error handling, people don't want to do the unsexy parts and want to delegate those tasks to someone else perhaps. There must be a behavioral pattern there...

Your comment has a bit of an inexperienced smell. Business auth is infinitely more complex than saving a user and salting/hashing his password.

> There must be a behavioral pattern there...

The pattern is that your comment is very far from reality.

My point is that people mess up things as basic as salt and pepper, or encryption at rest. People are not even trying...

If we deal with the intricacies of RBAC, ABAC, ACLs mixed with scopes, SSO, SAML, OIDC, MFA, etc... I don't find these too conceptually complex.

I mean, it should be avoidable complexity. Most of the complexity is technical debt, bad implementations etc. But by itself it is not THAT complex.
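The "salt and pepper" the comment above refers to, as an added example that is not code from any commenter in the thread. It uses only the Python standard library: a fresh random salt per stored record, a server-side pepper applied through an HMAC before the slow hash, PBKDF2-HMAC-SHA256 as the work factor, and a constant-time comparison on verification. The `PEPPER` value and the `unsalted_sha256` anti-pattern function are constructed for illustration.

```python
"""Salted and peppered password storage with the Python standard library.

Constructed example for this thread; not code from any commenter.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# The pepper is a server-side secret kept OUTSIDE the database (environment,
# secrets manager, HSM). A database dump alone then yields nothing crackable.
# This value is a constructed placeholder, not a real secret.
PEPPER = b"constructed-pepper-placeholder"

# Work factor for PBKDF2-HMAC-SHA256. OWASP's password storage guidance puts
# this in the hundreds of thousands of iterations; 600_000 is used here.
ITERATIONS = 600_000


@dataclass(frozen=True)
class PasswordRecord:
    """What actually goes into the database: salt, digest, and the work factor
    used, so the iteration count can be raised later without breaking old rows."""
    salt: bytes
    digest: bytes
    iterations: int


def _pepper(password: str) -> bytes:
    # Keyed pre-hash: without PEPPER an attacker cannot even form the input to
    # the slow hash. The salt and PBKDF2 step below still protect the stored
    # digest if PEPPER itself ever leaks.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, iterations: int = ITERATIONS) -> PasswordRecord:
    # 16 random bytes per record: two users with the same password get
    # different digests, so precomputed tables and cross-user matching fail.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password), salt, iterations)
    return PasswordRecord(salt=salt, digest=digest, iterations=iterations)


def verify_password(password: str, record: PasswordRecord) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _pepper(password), record.salt, record.iterations
    )
    # Constant-time comparison: a plain == would leak how many leading bytes
    # matched through timing.
    return hmac.compare_digest(candidate, record.digest)


def unsalted_sha256(password: str) -> str:
    # The anti-pattern the thread complains about: deterministic, unsalted,
    # no work factor. Every user with this password gets the identical hash.
    # Present only so the contrast with hash_password is visible.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))  # False
    # Same password, two records, two different digests:
    print(hash_password("x").digest != hash_password("x").digest)  # True
```

Storing `iterations` alongside each record is what lets the work factor be raised over time: verify with the stored count, then re-hash with the current `ITERATIONS` on a successful login.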

No. OIDC and in general identity management + entitlements in a large business organization is complex because we need that complexity.
We are speaking about incidental complexity vs. essential/inherent complexity. Inherent complexity is dealing with an XML format that is prone to vulnerabilities because people don't know how to parse properly, or the protocol was badly spec'd back in the day, in the case of SAML for instance. Or ill-defined scopes, etc...

Having had the chance to try and implement libraries to interface with those systems a couple times, most people agree that implementations are far from perfect or streamlined. We call this incidental/accidental complexity.

> want to delegate those tasks to someone else perhaps

And this someone's name begins with "Cla" and ends with "ude".

So we're going to have a lot more vulnerabilities in the auth code going forward.

Apparently a mythos loop will mitigate that. /jk

We will see I guess... It could also be an opportunity to audit systems in automated ways.