| 9 Mar 2024 |
 hexa | so? | 01:37:30 |
| hexa | that is just stating facts, not requirements it misses | 01:37:53 |
 raitobezarius | First thing is that you want to build protocols on data formats that have certain properties, like normal forms, JSON does not have normal forms (except for JCS) to be clear and this is the source of a lot of issues when it comes to produce signatures (and hence the source of a lot of malleability issues. So the statut quo on SAML bugs vs OIDC bugs is similar in the sense both can suffer from malleability implementation issues w.r.t. to the canonical format.
Then, SAML possess a bunch of features that OIDC ecosystem still does not see, e.g. Federation. But, it does have a significant amount of RFC to introduce a lot of surface, which means that the SAML "weaknesses" are again present in OIDC ecosystem:
https://datatracker.ietf.org/doc/html/rfc7636 https://datatracker.ietf.org/doc/html/rfc6819 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics https://datatracker.ietf.org/doc/html/rfc9068 https://datatracker.ietf.org/doc/html/rfc8252 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps https://datatracker.ietf.org/doc/html/rfc8628 https://datatracker.ietf.org/doc/html/rfc8414 https://datatracker.ietf.org/doc/html/rfc8414 https://datatracker.ietf.org/doc/html/rfc7591 https://datatracker.ietf.org/doc/html/rfc7592 https://datatracker.ietf.org/doc/html/rfc9126 https://datatracker.ietf.org/doc/html/rfc8705 https://datatracker.ietf.org/doc/html/rfc9101 https://datatracker.ietf.org/doc/html/rfc7521 https://datatracker.ietf.org/doc/html/rfc7522 (this one is quite fun) https://datatracker.ietf.org/doc/html/rfc7636 https://datatracker.ietf.org/doc/html/rfc7009 https://datatracker.ietf.org/doc/html/rfc7662
And things like https://openid.net/specs/openid-federation-1_0.html are still at the draft phase | 01:46:25 |
| raitobezarius | There's even a longer list of RFCs in development by governement entities, financial institutions, all spawning off their own vision of OIDC | 01:47:31 |
| raitobezarius | Making this whole ecosystem even more complicated to deal with whereas SAML has provided solid "time tested" primitives (for those who implemented them correctly, I don't reject the arguments you provided on the actual in the wild implementation issues, but those are of the same flavor of XML deserialization bugs in Java tbh) | 01:48:31 |
| raitobezarius | An interesting example of missing requirement in OIDC is the session management problem | 01:48:49 |
| hexa | For me personally federation is not a strong use case | 01:48:54 |
| hexa | not even for my workplace | 01:49:12 |
| raitobezarius | Sure, but, well, that's a completely valid usecase and there's others | 01:49:36 |
| hexa | the only reasonable deployment I've seen is for universities | 01:50:06 |
| raitobezarius | Well, governments or so-called dataspaces need this sort of stuff too | 01:50:21 |
| hexa | makes sense | 01:50:28 |
