2 Comments

Safety. Rolling your own is risky, since bugs at login time are catastrophic... I may have misread your post, but that’s my top reason to recommend a vendor or established OSS. Secondary to that is, if there are vulnerabilities, whether local, unique ones are an advantage or not? Usually, for compliance, “keeping up with the Joneses” can be better than innovating.

Now, as for speed-running the 25-40 years it took for AuthN to get standardized for AuthZ permissions... Well, that’s what the community at AuthZ.substack.com is about. — thank you so much for your support!


A great point. I think there's a spectrum between rolling everything yourself and using a vendor or established OSS auth server. You can definitely incorporate or configure open source components as part of your authentication system. I don't talk to anyone who is rolling their own if they are starting today (the landscape is chock full of options). But over the past decade or two, plenty of folks have cobbled together their own auth systems for very successful applications.

Love the Authorization Clipping Service! Thanks for your time and efforts over there.
