[Openid-specs-ab] "Nobody Cares About OAuth or OpenID Connect"...

Mike Schwartz mike at gluu.org
Thu Jan 24 07:31:54 UTC 2019


There is no IAM silver bullet--we are facing a range of security threats 
and transaction values, and thus a range of appropriate security 
mitigations.

Of course developers want easier. There's nothing wrong with that. I 
think Auth0 does a nice job here--offering the Auth0 API (rather than 
telling developers to read a bunch of difficult-to-comprehend specs and 
profiles). It's also why Gluu introduced the oxd middleware--to offer high 
level APIs that do some of the heavy lifting for developers.

Of course we should strive to improve... that's essential. But a good 
plan today is better than a perfect plan tomorrow.

From a marketing perspective, this community should be making a stronger 
case for the technology. You don't see the big data community or the AI 
community disparaging their technology stack in this manner. And likely 
those technologies are farther away from their end goals.

I remember a great ad for Sprint mobile phone service, back in the 90's. 
The ad said "It's like a land-line... with a really long cord". 
Nothing was further from the truth. Cell phone service was abysmal. But 
from a marketing perspective, if Sprint said "Cell phone service sucks. 
You get lots of dropped calls. Your mom will sound like a robot. And 
it's expensive too!" ... it wouldn't have helped their cause. It's our 
job to put forward the positive, not to bolster the case of the 
detractors.

I know the other side... I spend hours a day talking about federated 
identity and IAM with customers. Anything unfamiliar is complex. Long 
division must have seemed impossible in Roman times. It's our job to 
make the concepts more familiar.

Yes, we need to factor in the input along the way. But that's not the 
most immediate concern. We need to sell what we have.

- Mike



On 2019-01-24 07:58, Tom Jones wrote:
> Mike, I believe that you make a good point, but you are IMHO, not
> addressing the issue, making a secure oauth or oidc is incredibly
> difficult. I think the problem is rooted in the reason for their
> success. The specs are so flexible, to cover all of the many
> possibilities, that the capability of creating a secure standard, or a
> secure implementation, is not within the capability of most devs.
> FAPI tries to fix this problem, but IMHO fails to be sufficiently
> secure. Talking to some of the experts, like Justin, leads me to
> believe this state of insecurity is intentional. So, do you want more
> adopters or more security. You cannot have both. At least not in one
> spec.
> 
> thx ..Tom (mobile)
> 
> On Wed, Jan 23, 2019, 9:28 PM Mike Schwartz via Openid-specs-ab
> <openid-specs-ab at lists.openid.net> wrote:
> 
>> If Okta is blogging about this, clearly we as a community are not
>> doing
>> enough to explain the benefits and rationale of OpenID Connect...
>> 
>> Nobody Cares About OAuth or OpenID Connect
>> 
>> 
> https://developer.okta.com/blog/2019/01/23/nobody-cares-about-oauth-or-openid-connect
>> 
>> -----------
>> Michael Schwartz
>> Gluu
>> Founder / CEO
>> mike at gluu.org
>> https://www.linkedin.com/in/nynymike/
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab

