Comment by ethin
2 months ago
You have got to make a better website design. I'm a very curious person so was able to figure out what this was but you cannot expect all visitors of your website to be that way.
Also, stop charging for SSO/OAuth2 integration. Seriously. There's a huge list of services that stupidly charge for SSO/OAuth integration at https://sso.tax, and this list needs to get smaller, not grow. SSO doesn't cost anything to implement. Especially if I'm the one hosting it on my own infrastructure.
[exe.dev co-founder here] Hi. Re: oauth2, the last product I built, Tailscale, only did auth by oauth2. I chose this because 1. businesses need it anyway, and 2. passwords are terrible.
But it was a choice that does not come for free. I dread a page of buttons for third-party services, and the control I give them over my life. I hate that I never know if I should log in with GitHub, or Google, and for a dozen services I have multiple accounts because I got lost in the miasma of oauth2.
Still, it was better than passwords!
But since the last product I built, the world has changed. We have passkeys now. Which are superior in every way for individuals using a third-party service. You get better UX. You get better privacy. It is a fundamentally better technology.
I did not list SSO under teams because I want to "tax" people. I did it because SSO only makes sense for businesses, where an administrator controls accounts, and can delete yours when necessary. There, oauth2 is the best technology we have. But for individuals, it is a dead technology. I am reluctant to make everyone's exe.dev experience worse for legacy tech.
"We" don't have passkeys now. Many functional android devices are not being upgraded to the latest Android versions, and simply will never get true passkey support that isn't locked away inside of Google's vault.
Passwords are much better than the OAuth2 Kool-Aid, and passwords will still be better as long as older devices can't support passkeys due to arbitrary restrictions.
Appreciate you not following Tailscale's many-SSO-provider authentication approach. It makes sense for teams/business (Tailscale's customers), but creates some confusion and extra friction for casual homelab users like me. I have a note in 1Password for tailscale.com just titled "USE GITHUB AUTH".
Passkeys work great for me and I greatly prefer them. Exe.dev I think is the first service I've seen that's so passkey centric and it makes a lot of sense.
I don't see how Oauth2 is a legacy technology. It will never be until all of the problems of passkeys are solved. And I very much wouldn't just dismiss oauth2 as something only businesses have, because Oauth2 does have its uses where it can convey information a passkey cannot.
Great answer, thanks for following up with your reasoning.
The only people who care about SSO are large enterprises. Coincidentally, large enterprises are also the only customers that make SaaS profitable. Every other plan is part of the sales funnel to the big enterprise contracts.
> The only people who care about SSO are large enterprises.
I can't tell if this is sarcasm or not. I'm going to assume that it is, in fact, sarcasm. Because this is definitely untrue in reality.
Is this meant as sarcasm?
I run a bunch of services for friends and family, things like Immich, wallabag, mealie etc. Less than 10 users, but do you expect me to create and maintain separate accounts for each one for every service?
The SSO tax is stupid. If your whole business model is based on putting SSO behind a paywall, it’s a sign of a broken business model.