Posted by terryds 16 hours ago

Cloudflare launched self-managed OAuth for all (blog.cloudflare.com)
324 points | 138 comments | page 3
xyzzy_plugh 15 hours ago
This is such a weird blog post.

It's full of technical details, but I'm really not sure who they're for. There's nothing particularly novel or impressive. If anything the fact that it took them this long should be embarrassing. They pad it out with a table of stats that are just kind of meh? Congrats I guess for releasing something without burning the house down?

As an on-and-off customer of theirs I tried to quickly skim for some of the details that would impact me, the theoretical end-user, but the vast majority of TFA is just about how they pulled off this apparent feat of engineering.

I'm not trying to be pessimistic, and I don't fault the author (but I question the culture). I honestly don't get who this is for.

For the record this is something they should have had... at least six or seven years ago?

parsadotsh 14 hours ago
I for one appreciate them sharing this and found it a very interesting read. Many of us don't have experience at companies of this scale, so it's nice whenever I get to read about what happens behind the scenes.
xyzzy_plugh 14 hours ago
Usually I expect an eng blog post to be a recruitment vehicle, wherein the authors articulate a really hard problem they solved, or some novel approach they took, or the cool new open source project they released (for their future SaaS play).

But this is so mundane it bothers me in a way I find surprising. It's more about how they made some questionable choices in the past and how they finally paid off that technical debt. Is it interesting? Perhaps I am just getting old and jaded.

What I find odd is how light TFA is on actual details as to what it is they shipped.

This is the kind of thing I'd ship internally to the org as part of a weekly update or something, but not what I'd expect on a public-facing corporate blog.

littlecranky67 9 hours ago
My pet peeve is the standard OpenID Connect implementation of OAuth for SPAs, which will probably use the PKCE code flow. It is probably for historic reasons and old browser compat, but exposing the access token and revocation token to JavaScript is IMHO just madness. In modern security flows you would save those tokens into cookies that are HttpOnly and SameSite=strict and prevent a myriad of JS-based attack vectors.
iririririr 12 hours ago
The end game: they will start requiring proof of ID to access resources they host.

Probably getting ahead of something the UK and some US states will require soon, as they already require it from the sites behind Cloudflare.

system2 14 hours ago
I hope Cloudflare does not turn into Google, with so many different things that they will eventually kill all of these services randomly because of the maintenance cost.
holistio 14 hours ago
I still kind of think of Cloudflare as "big ass CDN".

I can't keep track of all the new things they do. Something-something-R2? Maybe?

isabellehue 5 hours ago
[flagged]
aberrahmane_b 2 hours ago
[flagged]
ALLTaken 6 hours ago
[dead]
throwaway613746 4 hours ago
[dead]
firasd 11 hours ago
[dead]