| 8 Mar 2024 |
 raitobezarius | i want to roast you but i will prevent myself | 17:11:28 |
| raitobezarius | yes not everyone does not do authentication over an authorization RFC | 17:11:38 |
 hexa | universities do | 17:11:41 |
| raitobezarius | i much prefer saml to oauth2 | 17:12:01 |
| raitobezarius | * i much prefer saml to oauth2/oidc | 17:12:06 |
| hexa | lol what | 17:12:14 |
| hexa | https://joonas.fi/2021/08/saml-is-insecure-by-design/ | 17:12:24 |
| hexa | https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5 | 17:13:08 |
| hexa | https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7 | 17:13:22 |
| hexa |
We should always guide people to use oauth2/oidc first, and then LDAP app passwords second, with SAML as an absolute last resort. If we end up in that situation, we may need to add it.
https://github.com/kanidm/kanidm/issues/2025#issue-1866005716
| 17:20:09 |
| hexa | don't trust me, trust firstyear 😄 | 17:20:14 |
| raitobezarius | i don't really do this sort of things, sorry | 17:59:12 |
| raitobezarius | In reply to @hexa:lossy.network
https://joonas.fi/2021/08/saml-is-insecure-by-design/ the link you mentioned conclude to the same thing though | 18:00:05 |
| raitobezarius | oauth2 is not an alternative | 18:00:08 |
| raitobezarius | so sure, i can just not use saml and use something that has not been built for authentication | 18:00:24 |
| raitobezarius | but yes I am very much well aware of all the XML malleability issues... :^). | 18:00:57 |
| raitobezarius | that doesn't change the fact there's no alternative to SAML and there's a sensible path to SAML implementation | 18:01:12 |
| raitobezarius | so maybe firstyear will expand his section on why SAML is bad and I hope it's not because people in the enterprise ecosystem doesn't know how to do canonical document formats | 18:02:01 |
| raitobezarius | because, if that's the argument, I hope people applies it to their own software. | 18:02:25 |
| 9 Mar 2024 |
| hexa | In reply to @raitobezarius:matrix.org
oauth2 is not an alternative right, saml is a concept that separate identity and service providers quite neatly, but why would you rule out oauth2? | 01:35:25 |
| raitobezarius | because OAuth2 is an authorization protocol | 01:36:41 |
| raitobezarius | OpenID Connect is an authentication mechanism on the top of it | 01:36:51 |
| hexa | so? | 01:37:30 |
| hexa | that is just stating facts, not requirements it misses | 01:37:53 |
| raitobezarius | First thing is that you want to build protocols on data formats that have certain properties, like normal forms, JSON does not have normal forms (except for JCS) to be clear and this is the source of a lot of issues when it comes to produce signatures (and hence the source of a lot of malleability issues. So the statut quo on SAML bugs vs OIDC bugs is similar in the sense both can suffer from malleability implementation issues w.r.t. to the canonical format.
Then, SAML possess a bunch of features that OIDC ecosystem still does not see, e.g. Federation. But, it does have a significant amount of RFC to introduce a lot of surface, which means that the SAML "weaknesses" are again present in OIDC ecosystem:
https://datatracker.ietf.org/doc/html/rfc7636 https://datatracker.ietf.org/doc/html/rfc6819 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics https://datatracker.ietf.org/doc/html/rfc9068 https://datatracker.ietf.org/doc/html/rfc8252 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps https://datatracker.ietf.org/doc/html/rfc8628 https://datatracker.ietf.org/doc/html/rfc8414 https://datatracker.ietf.org/doc/html/rfc8414 https://datatracker.ietf.org/doc/html/rfc7591 https://datatracker.ietf.org/doc/html/rfc7592 https://datatracker.ietf.org/doc/html/rfc9126 https://datatracker.ietf.org/doc/html/rfc8705 https://datatracker.ietf.org/doc/html/rfc9101 https://datatracker.ietf.org/doc/html/rfc7521 https://datatracker.ietf.org/doc/html/rfc7522 (this one is quite fun) https://datatracker.ietf.org/doc/html/rfc7636 https://datatracker.ietf.org/doc/html/rfc7009 https://datatracker.ietf.org/doc/html/rfc7662
And things like https://openid.net/specs/openid-federation-1_0.html are still at the draft phase | 01:46:25 |
| raitobezarius | There's even a longer list of RFCs in development by governement entities, financial institutions, all spawning off their own vision of OIDC | 01:47:31 |
| raitobezarius | Making this whole ecosystem even more complicated to deal with whereas SAML has provided solid "time tested" primitives (for those who implemented them correctly, I don't reject the arguments you provided on the actual in the wild implementation issues, but those are of the same flavor of XML deserialization bugs in Java tbh) | 01:48:31 |
| raitobezarius | An interesting example of missing requirement in OIDC is the session management problem | 01:48:49 |
| hexa | For me personally federation is not a strong use case | 01:48:54 |
| hexa | not even for my workplace | 01:49:12 |
