undefined | Better HN

0 pointsinferiorhuman6y ago0 comments

Oh god, at megacorp we implemented our own OAuth2 stack. Much sadness ensued.

0 comments

Been there, done that - wish it upon no one.

If anyone ever brings up the idea of building out oauth or even vaguely user management, I try to point them to at least try a POC (Proof of Concept) with https://www.keycloak.org/ (Apache 2.0 License) or https://www.gluu.org/ (MIT License) before they considering building.

corford6y ago

Another solution is OpenLDAP (or JumpCloud) at the root and then supporting software:

  OpenLDAP

   ├── PrivacyIDEA (TOTP/MFA with LDAP auth backend)  

   ├──---└──  SAML iDp (e.g. SimpleSAMLphp or Shibboleth) for SSO: AWS, Google, Github, Atlassian, Snowflake, Azure etc.

   ├── Dex (https://github.com/dexidp/dex) for anything that wants Oauth flow

   ├── Native LDAP for apps that support it (e.g. Metabase, Grafana)

   ├── Any other custom authT that supports LDAP as a backend

OpenLDAP itself isn't for the faint hearted but I've had a lot of success with JumpCloud (and Okta also have an LDAP directory service... though starting price is high).

pm906y ago

I don’t think anyone building a modern identity solution should base it on openldap. LDAP is amazing as an identity provider in a data center, but does not offer support for modern authentication methods like oath and oidc. As such, it’s not a very good base for creating your organizations identity.

I’m happy to be proven wrong about this. I love open standards and protocols.

2 more replies

j / k navigate · click thread line to collapse