DEV Community

loading...

Discussion on: OAuth Tips for the Uninitiated

Collapse
antonfrattaroli profile image
Anton Frattaroli Author

In regards to the arguments in the article, it could have just as easily been titled "The dangers of SAML/Social Login".

There are a lot of parts that don't need to be coupled in the way the prepackaged identity/OAuth solutions provided by social media companies do. For example, you could use Facebook as an identity provider for your own SSO service be it using OAuth or SAML.

That example doesn't address the issues you've pointed out, but conflating social logins with OAuth in general would be counter-productive.

Collapse
mortoray profile image
edA‑qa mort‑ora‑y

Yes, the article is about social login. I have yet to see a situation where an OAuth is not some other website however -- do people use internal company OAuth providers?

Thread Thread
antonfrattaroli profile image
Anton Frattaroli Author

Yeah, using them is a monotonous task of configuring identity providers and service providers, and the SSO protocols become abstracted away and lines get blurred.

I feel like there are a lot more on-premises offerings than there had been in just the last few years. Maybe the OpenID Connect specification helped?

One solution is to validate tokens at the load balancer, to offload validation from the applications. In mid-2017 F5 added an OAuth provider to their application launcher software and I wonder if it was to address that specifically.