Comment by rwmj, 1 year ago (18 comments)

rwmj, 1 year ago: My main takeaway from this is that web authentication is still a horrible mess.

c0pium, 1 year ago: …because people don’t read the docs and instead just assume that it works how they think it should.

Too, 1 year ago: Have you seen the OAuth docs? I can’t imagine anyone having read and understood them fully, unless you dedicate your life to it.

physicsguy, 1 year ago: Half of it I think is because people take "basic auth" offered by a web framework, and then try to retrofit OAuth/OIDC/SSO on top of it.

asylteltine, 1 year ago: If so many people are making the same mistakes, it’s your fault, not the users’.

wnevets, 1 year ago: Sounds like a classic footgun to me.

c0pium, 1 year ago: If people don’t read, it’s their fault. Reading the docs is not a big ask.

toasted-subs, 1 year ago: This is why login is a horrid mess. Because if it's too easy, then people who don't know what they are doing set up websites.

Dalewyn, 1 year ago: When some people ask why most of us sane and practical folks still use and demand simple password authentication, it's because passwords fucking work.

lesuorac, 1 year ago: I'm still firmly in the mutual TLS camp. Nothing is easier than never having to type in a password, and good luck cracking TLS.

JohnFen, 1 year ago: So much this. OAuth and their ilk are, in my opinion, not trustable and suffer from real usability issues.