Hacker News | clickety_clack's comments

After using both extensively, there is no comparison between Google and the MS suite. Google’s apps are like a toy version of MS Office.

The Microsoft ones feel broken, buggy, and bloated with decades of crap. I guess there are some people using those weird edge features, but if you don’t, the Google stuff works way better.

A smaller iPhone with a case that had a flip-out-from-behind keyboard would be pretty sick.

I just hate being flagged for rubbish in Vanta that is going to cause us the most minor possible issue with our clients because there’s a slight risk they might not be able to access the site for a couple of hours.

The thing about OAuth is that it’s really very simple. You just have to grasp a lot of very complicated details (that nobody explains) first before it becomes simple.

For me, it really helped to read the Microsoft pages[1] on OAuth 2.0 which has some nice illustrative flow charts, and then go back to the RFCs.

That said, there's a lot of details that are non-trivial, especially since in many cases you actually have to deal with OIDC[2] which builds on OAuth 2.0, and so then you're suddenly dealing with JWKs and whatnot in addition.

[1]: https://learn.microsoft.com/en-us/entra/identity-platform/v2...

[2]: https://openid.net/developers/how-connect-works/


I remember building OAuth logins back when “login with your twitter” was a brand new revolutionary idea, before there were libraries to handle the details.

Still have scars from building directly based off the blogposts Twitter and Facebook engineers wrote about how to integrate with this. Think it wasn’t even a standard yet.

I credit that painful experience with now feeling like OAuth is really quite simple. V2 cleaned it up a lot.


OAuth 1a was simpler or at least straightforward.

It doesn’t seem that way on the surface. But once you’re finished with out of band callback validation, localhost, refresh tokens, and PKCE, you realize what a monster OAuth 2 actually is.


Ouch, reminds me of hours debugging OAuth2 implementation in my Surface 1 app for Twitter because the nonce or some other checksum was not calculated correctly.

I think the reason a lot of people struggle is because they start with OAuth from a consumer perspective, that is, they are the third party requesting data, and their OAuth implementation is imposed by the resource holder, so they have to jump through a lot of hoops that don't have a clear reason for being.

If you start with OAuth from the perspective of a Service Provider/resource holder, it will all come clear.

Web security is often like that as well, most people facing stuff like CORS or HTTPS, is usually not because they are trying to solve a security issue, but it's because an upstream provider is forcing them to increase their security standards in order to be trusted with their user's data.


For OAuth I'd like to borrow what I would describe humbly as a better analogy, and it comes from Douglas Crockford, and so adapting it from him commenting on Monads in Functional Programming, it goes something like this:

"OAuth is a simple idea, but with a curse: once you understand it, you lose the ability to explain it."


Are there any validation/test suites available that you can use to check that your implementation is correct?

I think https://oauch.io/ is quite useful to help you catch common implementation errors.

Maybe more of a mobility scooter for the mind.

Indeed that may be more apt.

I like the ebike analogy because [on many ebikes] you can press the button to go or pedal to amplify your output.


This seems to me like the few booms I’ve seen before. Absolutely crazy valuations with very little behind them, massive hype, everyone’s unemployed uncle suddenly becoming a shallow expert. It’s probably going to end the same way too, once the upward momentum dissipates and things start to retreat to “fundamentals”, we’ll find out that there were a lot fewer solid points in the market than we were all told to expect, so the fundamentals are actually pretty far down. After 5 to 10 years of regrouping, a more mature and solid version will come about and become such a normal part of life we barely even remember what it was like without it.

We are well on our way to the popping of inflated expectations.

Currently people are taking AI hype too seriously and extrapolating its success out in such a way as to discount the value of other businesses.

Example - last week a bunch of trucking stocks crashed 10-20% because a $6M company that pivoted from Karaoke to AI demoed something.

This is just insane. Sure, if say Waymo is pivoting into commercial trucking... maybe. But people are basically shorting Minute Maid lemonade because their neighbor's kids opened up a lemonade stand. Demos are easy, products are hard.


I used to really like the Apple suite, but with their move to the subscription version I might be moving to LibreOffice as well.

I heard there’s a requirement to participate in the studies if you’re in some psychology undergrads.

I was required when I took (two) undergraduate psychology classes. Also, when I was in grad school I did a few, because they paid (I think) £5 per - which was, in the days of £1 Greene King pints and no outside income, well worth pursuing.

I took 101 at San Jose State and had to participate in a study as part of the curriculum. It was pretty cool. I went to the NASA Ames research center and did a study of seeing how well people could predict an object being exactly on the side of them. It was small spheres that came at you then went out of view and you clicked a button when you thought they were exactly on your side. The tech was the most interesting, 90's era VR run on a Silicon Graphics reality engine. We had Iris boxes in the computer art lab but this thing was a much bigger...

This is the kind of thing that anyone could have said at any time in history. Sure, it’s easier now to solve the kinds of problems that were hard a few years ago, but that just brings whole classes of previously “impossible” problems into the merely “hard” category. We’re just finding out what those are now, and if you can figure one out there’s money to be made.

Yep. Zed is the best. It’s in an optimum spot for me. It’s super snappy and has good implementation of vim keybindings for manual coding, and it has appropriate AI integration that does all the AI stuff I want without being in my face about how AI it all is.


Same, except for me Zed is one of the only editors that has emacs keybindings!

