
Comment by cad

12 hours ago

Don't get me wrong, but data shows that you will likely fail to keep that API key a secret and you will also fail to revoke it when it becomes necessary. You are definitely not going to rotate it as frequently as you should.

The good thing about OAuth2/OIDC is that they do not put the trust on the bearer of the API key, but on the actual identity that needs to have the access.

My data shows that zaptheimpaler has an above-average likelihood of keeping their secret secret.

> The good thing about OAuth2/OIDC is that they do not put the trust on the bearer of the API key, but on the actual identity that needs to have the access.

And... you do not see the myriad of problems with that? What about the OIDC provider going rogue or getting compromised? How do you ensure that whatever you use to authenticate with your OIDC provider isn't compromised? Many identity providers and identity bearers have terrible security practices. "Add a backup email in case you lose your 2FA. Never mind that it's the same email we use for password reset."

Again, I trust zaptheimpaler to keep their secret much better than this whole pretend security theater.

  • And I also trust myself to keep my secrets better than this whole pretend security theater too.

    I've never worked at an organization that handled their users' data/privacy/security even remotely close to how I handle my own, and I wouldn't even consider myself all that paranoid. I have worked for some companies that really, really should care too - there's just no incentive to really care, and those in the org who try to do so will get ignored.

    The data breach letters I get in the mail a few times a year back me up on this.

Can you share the source of this data? I have my doubts about the quality of the data, since OAuth2 is such a complex system with so many footguns.

In the end there is always some long-lived secret. What changes is just where and how it is stored, secured and used.

I bet we can generalize to say that data shows that you will likely fail to properly secure any secret (including the ones used in OAuth2).

EDIT: An example: https://news.ycombinator.com/item?id=37973937

> but on the actual identity that needs to have the access.

Not quite. You shift the trust from the key bearer (the most interested party in all of this) to the identity provider.
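The two positions above (a static API key that is rarely rotated or revoked, versus a long-lived secret that never leaves the server and only mints short-lived, revocable tokens) can be made concrete. The following Python is an added example written for this thread, not code from any commenter or from any OAuth2/OIDC library: it uses a server-side key ring of HMAC secrets (the long-lived secret), issues tokens that expire after a configurable TTL, supports per-token revocation and key rotation with a grace period, and checks signature, expiry and revocation in that order. The token format, key ids (`k1`, `k2`, ...) and the injectable clock are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenIssuer:
    """Keeps the long-lived secrets (HMAC signing keys) server-side; clients only
    ever hold short-lived tokens that can be revoked individually.
    Constructed for illustration; the wire format is not any standard's."""

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self._keys = {}          # kid -> 32-byte HMAC secret (the long-lived secret)
        self.active_kid = None   # key used for newly issued tokens
        self._revoked = set()    # jti values revoked before their expiry
        self.ttl = ttl_seconds
        self._clock = clock      # injectable so expiry can be tested deterministically
        self.rotate()

    def rotate(self) -> str:
        """Add a fresh signing key and make it active. Older keys stay in the ring
        so tokens already issued keep verifying until they expire."""
        kid = f"k{len(self._keys) + 1}"
        self._keys[kid] = secrets.token_bytes(32)
        self.active_kid = kid
        return kid

    def retire(self, kid: str) -> None:
        """Drop an old key once every token signed with it has had time to expire."""
        if kid == self.active_kid:
            raise ValueError("rotate before retiring the active key")
        self._keys.pop(kid, None)

    def _sign(self, kid: str, body: str) -> bytes:
        return hmac.new(self._keys[kid], body.encode("ascii"), hashlib.sha256).digest()

    def issue(self, subject: str) -> str:
        """Mint a short-lived token bound to a subject, signed with the active key."""
        payload = {
            "kid": self.active_kid,
            "sub": subject,
            "jti": secrets.token_hex(8),             # unique id so one token can be revoked
            "exp": int(self._clock()) + self.ttl,    # absolute expiry time
        }
        body = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
        return body + "." + _b64(self._sign(self.active_kid, body))

    def revoke(self, token: str) -> None:
        """Revoke a single token by its jti; the signing key stays valid for others."""
        body = token.split(".", 1)[0]
        self._revoked.add(json.loads(_unb64(body))["jti"])

    def verify(self, token: str):
        """Return (True, subject) or (False, reason). Signature is checked before
        any claim is trusted; expiry and revocation are checked after."""
        try:
            body, sig = token.split(".", 1)
            payload = json.loads(_unb64(body))
            kid = payload["kid"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        if kid not in self._keys:
            return False, "unknown key"
        if not hmac.compare_digest(self._sign(kid, body), _unb64(sig)):
            return False, "bad signature"
        if payload["exp"] <= self._clock():
            return False, "expired"
        if payload["jti"] in self._revoked:
            return False, "revoked"
        return True, payload["sub"]


if __name__ == "__main__":
    issuer = TokenIssuer(ttl_seconds=60)
    tok = issuer.issue("alice")          # constructed subject
    print(issuer.verify(tok))            # (True, 'alice')
    issuer.revoke(tok)
    print(issuer.verify(tok))            # (False, 'revoked')
```

The point the example makes is the one the thread circles around: a long-lived secret still exists (the key ring), but it never travels with a request, so what the bearer can lose is a token whose blast radius is bounded by `ttl` and by the revocation list, and rotating the underlying secret is a routine `rotate()` followed later by `retire()` rather than a coordinated change of every client's configuration.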