
Comment by cedws

3 days ago

That’s funny. I spotted a similar issue in their Go SDK[1] a few years back. I was pretty appalled to see such a basic mistake from a security company, but then again it is Okta. [1]: https://github.com/okta/okta-sdk-golang/issues/306

Kind of funny that stalebots are the new "won't fix" methodology to ignore security issues with plausible deniability.

  • Yeah I got a kick out of that. "We might have fixed your issue, if we didn't, open a new one because we took so long acknowledging this one".

    • Or 3 years later: can you verify this is still needed.

      Why on earth did I spend time creating a reproducible example?

> I was pretty appalled to see such a basic mistake from a security company, but then again it is Okta.

Oh. Em. Gee.

Is this a common take on Okta? The article and comments suggest...maybe? That is frightening considering how many customers depend on Okta and Auth0.

  • We evaluated them a while ago but concluded it was amateur-hour all the way down. They seem to be one of those classic tech companies where 90% of resources go to sales/marketing, and engineering remains "minimum viable" hoping they get an exit before anyone notices.

    • I'm convinced Okta's entire business model is undercutting everyone with a worse product with worse engineering that checks more boxes on the feature page, knowing IT procurement people aren't technical and think more checkboxes means it's better.


    • When I was working at Auth0 the repeated phrase about the value of getting bought by Okta was that they had the best sales org in the industry. It was implied that this was why we were getting bought by them, instead of the reverse.

  • Among the reasons to leave my last job was a CISO and his minion who insisted spending $50k+ on Okta for their b2b customer and employee authentication was a bulletproof move.

    When I brought it up, they said they didn't have anyone smart enough to host an identity solution.

    They didn't have anyone smart enough to use Okta either. I had caught multiple dealbreakers-for-me such as dubious / conflicting config settings resulting in exposures, actual outages caused by forced upgrades, not to mention their lackluster responses to bona fide incidents over the years.

    I use Authentik for SSO in my homelab, fwiw.

  • Okta sucks balls. That's from my perspective as a poor sod who's responsible for some sliver of security at this S&P listed megacorp that makes its purchasing decisions based on golf partners.

  • Yeah, I have the misfortune of inheriting a SaaS that built on auth0, and the whole stack is rather clownish. But they tick all the regulatory boxes, so we're probably stuck with them (until they suffer a newsworthy breach, at any rate...)

    • Okta and auth0 are, fundamentally, two distinct products – conceived, designed, and engineered by entirely separate entities.

      auth0, as a product, distinguished itself with a modern, streamlined architecture and a commendable focus on developer experience. As an organisation, auth0 further cemented its reputation through the publication of a consistently high-calibre technical blog. Its content goes deeply into advanced subjects such as fine-grained API access control via OIDC scopes, RBAC, ABAC and LBAC models – a level of discourse rare amongst vendors in this space.

      It was, therefore, something of a jolt – though in retrospect, not entirely unexpected – when Okta acquired auth0 in 2021. Whether this move was intended to subsume a superior product under the mediocrity of its own offering or to force a consolidation of the two remains speculative. As for the fate of the auth0 product itself, I must admit I am not in possession of definitive information – though history offers little comfort when innovation is placed under the heel of corporate, IPO driven strategy.


  • Yep. They're an Enterprise™ company. That means they prioritize features purchasing departments want, not functionality.

    • And when something doesn't work well like their super custom LDAP endpoint, talking to support is really painful.

  • We've recently moved to Auth0. I'm no security expert. What's the recommended alternative that provides the same features and price, but without the risks suggested here?

  • Okta is the worst. Their support is the worst (we always got someone overseas who only seemed to understand anything, probably they were trained on some corpus) and would take forever to loop in anyone that could actually help.