by aatd86 39 days ago
My point is that people mess up things as basic as salt and pepper, or encryption at rest. People are not even trying...

If we deal with the intricacies of RBAC, ABAC, ACL mixed with scopes, SSO, SAML, OIDC, MFA, etc... I don't find these too conceptually complex.

I mean, it should be avoidable complexity. Most of the complexity is technical debt, bad implementations etc. But by itself it is not THAT complex.


No. OIDC and in general identity management + entitlements in a large business organization is complex because we need that complexity.
We are speaking about incidental complexity vs. essential/inherent complexity. Inherent complexity is dealing with an XML format that is prone to vulnerabilities because people don't know how to parse it properly, or because the protocol was badly spec'd back in the day, in the case of SAML for instance. Or ill-defined scopes, etc...

Having had the chance to try and implement libraries to interface with those systems a couple of times, most people agree that implementations are far from perfect or streamlined. We call this incidental/accidental complexity.