Comment by shermantanktop

19 hours ago

If you don’t “roll your own,” you must choose from what other people have created. And in this space, there are a bewildering array of options, each of which carries some new pile of abstractions that make some things easy and other things hard.

Many eyes are supposed to make bugs shallow. In the webdev space, many eyes on something like React lead to numerous opinionated alternatives, each successful enough to warrant consideration. This doesn’t seem to be slowing down, either.

Meanwhile, vanilla HTML and DOM capabilities have never been stronger.

so much this. tried to implement oauth recently.

all providers only document their bloat-spyware-buggy javascript that creates a button and handles all in the client.

then using libraries you are open to attacks in one hundred ways because those implement all the unrealistic things in the spec (including overriding issuer and setting crypto to nothing, via attacker controlled fields). after two days of evaluating I just gave up and wrote my own, server side and handling the singular case everyone uses. 20 lines, which was less than adopting the libraries.
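The concern in this reply is that a general-purpose library lets token fields such as `alg` and `iss` steer verification. The added example below (not code from either commenter) shows the opposite shape: a server-side ID-token verifier where the algorithm, key, issuer and audience are pinned by the caller and never read from the token. It uses HS256 with a constructed shared secret only so it runs offline; against a real provider the pinned algorithm would be RS256 and the key would come from the provider's JWKS.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed test tokens only; exists so the verifier can be exercised offline."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Every security-relevant parameter is supplied by the caller, not the token."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(b))
    except (ValueError, json.JSONDecodeError):
        raise ValueError("malformed token")
    # Pinned algorithm: "none" or anything else in the header is rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    # Pinned issuer and audience: compared against constants, never against token fields.
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    key = b"constructed-test-secret"  # placeholder, not a real credential
    tok = make_token({"iss": "https://idp.example", "aud": "my-app", "sub": "42",
                      "exp": 2_000_000_000}, key)
    print(verify_id_token(tok, key, "https://idp.example", "my-app")["sub"])
```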