- securecookie (discontinued): Package gorilla/securecookie encodes and decodes authenticated and optionally encrypted cookie values for Go web applications.
- Ory Kratos: Next-gen identity server replacing your Auth0, Okta, Firebase with hardened security and PassKeys, SMS, OIDC, Social Sign In, MFA, FIDO, TOTP and OTP, WebAuthn, passwordless and much more. Golang, headless, API-first. Available as a worry-free SaaS with the fairest pricing on the market! (by ory)
I'm considering something similar for protecting some simple ML serving API endpoints. Just put a proxy in between.
Something like
https://github.com/gogatekeeper/gatekeeper/blob/master/docs/...
It's no problem to set up Django, but I don't want to have to separately protect all public endpoints.
https://docs.clerk.dev/integrations/hasura
In general, we're pushing for more use of short-lived JWTs to sync identities between trusted parties instead of OAuth. We think this is preferable because it can keep sessions synced, while OAuth tends to result in independent sessions.
Admittedly, we do not run an OpenID Connect server on behalf of our customers yet. This is on our roadmap and will be added soon, and there are definitely some services that we can't offer first-class integrations with until that happens.
Your other point about "every language has an OAuth framework" is well-taken. Our initial launch used something proprietary and this was an issue, but we recently switched to spec-compliant JWTs to benefit more from existing libraries. Here's an example of our current, standard token:
https://jwt.io/#token=eyJhbGciOiJSUzI1NiIsImtpZCI6Imluc18xcn...
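For the approach described in the reply above, here is an added example (mine, not Clerk's code, and not from gorilla/securecookie or Ory Kratos) of minting and verifying a short-lived RS256 JWT with only the Go standard library. The header of the truncated jwt.io token above decodes to alg RS256 with a kid, so the verifier selects the public key by kid, pins the algorithm to RS256, checks the signature before reading any claim, and only then enforces iss, aud and exp. The issuer https://idp.example, audience api, kid k1 and the one-minute lifetime are made-up values for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of RFC 7519 registered claims this verifier enforces.
type Claims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"`
	ExpiresAt int64  `json:"exp"`
}

// header carries the algorithm and the key id used to pick the public key.
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

var b64 = base64.RawURLEncoding

// Mint issues a compact RS256 JWT (RSASSA-PKCS1-v1_5 over SHA-256). The
// caller chooses a short exp: the token is a bearer credential, so its
// lifetime bounds the damage if it leaks.
func Mint(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(header{Alg: "RS256", Kid: kid})
	p, _ := json.Marshal(c)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	d := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify pins alg to RS256, selects the key by kid, checks the signature
// before trusting any claim, then enforces iss, aud and exp at time now.
func Verify(token string, keys map[string]*rsa.PublicKey, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: malformed token")
	}
	var h header
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil {
		return nil, errors.New("jwt: bad header")
	}
	if h.Alg != "RS256" { // the token never gets to choose the algorithm
		return nil, errors.New("jwt: unsupported alg")
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return nil, errors.New("jwt: unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("jwt: bad signature")
	}
	// Only now are the claims worth reading.
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("jwt: bad payload")
	}
	if c.Issuer != iss || c.Audience != aud {
		return nil, errors.New("jwt: iss/aud mismatch")
	}
	if c.ExpiresAt == 0 || !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, errors.New("jwt: expired")
	}
	return &c, nil
}

func main() {
	// Hypothetical issuer key; kid "k1", issuer and audience are made up.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := Mint(priv, "k1", Claims{Issuer: "https://idp.example", Subject: "user_123", Audience: "api", ExpiresAt: time.Now().Add(time.Minute).Unix()})
	got, err := Verify(tok, map[string]*rsa.PublicKey{"k1": &priv.PublicKey}, "https://idp.example", "api", time.Now())
	fmt.Println(got, err)
}
```

A relying party would load the keyring from the issuer's published keys rather than generating one in main, and would normally use a maintained JWT library; the point here is which checks run, and in which order, before a token is trusted.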
Sign it as well!
For instance: https://github.com/gorilla/securecookie
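Added example of what "sign it as well" buys you, written for this page rather than taken from gorilla/securecookie (which the description above marks as discontinued): a small Go codec that gives a cookie value the same two guarantees securecookie's hash key and block key provide, authentication and encryption, using one AES-256-GCM AEAD from the standard library. The cookie name is bound in as associated data and the issue time is sealed with the value, so a tampered, renamed or stale cookie is rejected. The key, the cookie name "session", the value "user_123" and the 10-minute max age are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

var (
	ErrTampered = errors.New("cookie: authentication failed")
	ErrExpired  = errors.New("cookie: expired")
)

// Codec seals cookie values with AES-256-GCM. The cookie name goes in as
// associated data, so a value cannot be replayed under a different cookie
// name, and the issue time is sealed with the value so the max age is
// enforced server-side instead of trusting the client's Expires attribute.
type Codec struct {
	aead   cipher.AEAD
	maxAge time.Duration
}

func NewCodec(key []byte, maxAge time.Duration) (*Codec, error) {
	if len(key) != 32 {
		return nil, errors.New("cookie: key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Codec{aead: aead, maxAge: maxAge}, nil
}

// Encode returns base64url(nonce || GCM(issued_at || value)) with name as AAD.
func (c *Codec) Encode(name, value string, now time.Time) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain := make([]byte, 8+len(value))
	binary.BigEndian.PutUint64(plain, uint64(now.Unix()))
	copy(plain[8:], value)
	sealed := c.aead.Seal(nonce, nonce, plain, []byte(name))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Decode authenticates and decrypts, then rejects values older than maxAge
// or stamped more than a minute in the future (clock skew allowance).
func (c *Codec) Decode(name, encoded string, now time.Time) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(encoded)
	ns := c.aead.NonceSize()
	if err != nil || len(raw) < ns+8+c.aead.Overhead() {
		return "", ErrTampered
	}
	plain, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(name))
	if err != nil {
		return "", ErrTampered
	}
	issued := time.Unix(int64(binary.BigEndian.Uint64(plain[:8])), 0)
	if now.Sub(issued) > c.maxAge || issued.After(now.Add(time.Minute)) {
		return "", ErrExpired
	}
	return string(plain[8:]), nil
}

func main() {
	// Constructed key; in production load it from a secret store and rotate it.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, _ := NewCodec(key, 10*time.Minute)
	enc, _ := c.Encode("session", "user_123", time.Now())
	fmt.Println(c.Decode("session", enc, time.Now()))
	fmt.Println(c.Decode("other", enc, time.Now()))
}
```

Because GCM authenticates before it decrypts, a flipped byte, a value moved to another cookie name, or a ciphertext from a different key all fail the same way, and the max-age check only runs on data that already passed authentication.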
Using OAuth2 for solving first-party sign-in is such a pain. Synchronizing refresh token requests, storing sessions on top of your access token, going through a consent grant, making sure you use the right flow (implicit is out? auth code? with PKCE? without?)
There is some really good open source software emerging like https://github.com/ory/kratos which has APIs for native app flows, single page apps, server side apps and doesn't rely on protocols intended for completely different things.
Is it really worth investing in OAuth2 these days just because Auth0 pours millions in marketing? I highly question it…
I leave that to the module; I believe it uses client cookies by default, but I use a persistent server cache on disk (the session tokens are stored encrypted).
https://github.com/zmartzone/mod_auth_openidc/wiki/Session-m...