| 9 Mar 2024 |
 raitobezarius | An interesting example of missing requirement in OIDC is the session management problem | 01:48:49 |
 hexa | For me personally federation is not a strong use case | 01:48:54 |
| hexa | not even for my workplace | 01:49:12 |
| raitobezarius | Sure, but, well, that's a completely valid usecase and there's others | 01:49:36 |
| hexa | the only reasonable deployment I've seen is for universities | 01:50:06 |
| raitobezarius | Well, governments or so-called dataspaces need this sort of stuff too | 01:50:21 |
| hexa | makes sense | 01:50:28 |
| raitobezarius | Even in the same organization, when there's multiple authorities with separated infrastructure, federation makes a bunch of political stuff easier | 01:50:53 |
| raitobezarius | Because you don't get to enforce / assert LDAP ownership | 01:51:04 |
| raitobezarius | First party native application login via OIDC is being removed in https://oauth.net/2.1/ | 01:51:34 |
| raitobezarius | Which means that you always have to pop up that web page when logging in via OIDC in any native app | 01:51:49 |
| raitobezarius | How to log out users in OIDC is very interesting (again a consequence of authorization protocol being used for auth) | 01:52:25 |
| raitobezarius | so there's this spec https://openid.net/specs/openid-connect-frontchannel-1_0.html | 01:52:29 |
| raitobezarius | which almost no one implement | 01:52:32 |
| raitobezarius | which means that for example if you login to circleci via github, log out from github, you are still logged in in circleci | 01:52:44 |
| raitobezarius | Auth0 who handles a lot of stuff for you has very fun documentation on it: https://auth0.com/docs/manage-users/sessions/session-layers#session-logout | 01:53:05 |
| raitobezarius | They have always 3 sessions to manage this sort of stuff | 01:53:15 |
| hexa | yeah, that is a can of worms, agreed | 01:53:25 |
| hexa | but does that really justify the added complexity for saml? | 01:53:42 |
| hexa | like why would you even say you prefer it? | 01:53:51 |
| hexa | your neither a government, nor a university, nor a global conglomerate | 01:54:06 |
| raitobezarius | (well I worked for :P) | 01:54:23 |
| raitobezarius | And honestly every time I tried to replicate certain setups with OIDC, it made me appreciate the thoughtfulness of the SAML design | 01:54:43 |
| hexa | pretty sure people go for saml for poltiical or structural reasons only | 01:54:52 |
| raitobezarius | Now, my position is more I wish there were Kanidm for SAML | 01:54:54 |
| raitobezarius | And I'd probably use more SAML in my infrastructure if I could do that | 01:55:06 |
| hexa | keycloak? 😛 | 01:55:16 |
| raitobezarius | Keycloak does not know how to implement SAML | 01:55:22 |
| hexa | who does though? 😄 | 01:55:36 |
| raitobezarius | don't tell me 'see?' :D | 01:55:37 |
