Tokens, Please: Comparing OpenID Connect with Video Game “Papers, Please”

NoZebra120vClip 3 years ago |

Surprise ending: a favorable review of OpenID. With the introduction of a dystopian video game and the description of confusing, tortuous rules, I never expected this to be a sub rosa advertisement for OpenID's simple, flexible, and versatile authentication!! So, tie me to the rack and poke me with the soft cushions.

knome 3 years ago | |

if OpenID stops at embracing webauthn and making it a common login method, allowing people to use their own separate webauthn implementations, that's fantastic. they can make it easy mode for normal users, while letting companies and security conscious individuals use whatever webauthn client they want.

drdaeman 3 years ago | | |

Those two are fundamentally/conceptually incompatible, aren't they? Webauthn is about user having ownership of their own identity (as proven by them holding the keypair(s)), while OpenID (and OpenID Connect) is about identity never being owned but always provided by a third party (even if this third party is technically the same person).

knome 3 years ago | | |

I'm not sure. I remember looking at OpenId when it was announced, and the rabbit hole I ran down made me think it was built on webauthn in some fashion, as a set of providers or something.

If that's not the case, that is very unfortunate. I veered into reading the webauthn spec for a bit then and found I largely liked what I found there.

Some complexity from trying to define how to handle people lugging around shareable keys on their phones and similar in the spec, but overall I liked it. I found it all very reasonable.

a1445c8b 3 years ago | | |

It’s not built on WebAuthn but it could work with it. WebAuthn is essentially just an alternative to typing in your password.

knome 3 years ago | | |

>WebAuthn is essentially just an alternative to typing in your password.

I had thought it was the key confirmation used by openid and that openid was more of an industry keying system backend and push for webauthn on websites. Apparently I need to reread it.

webauthn removes all secret information on the company side, making company password database breaches a thing of the past. "Oh no, you stole a public key specific to this website that you can't even use to log into the site you stole it from because you need the private key to do that"

FPGAhacker 3 years ago | |

> sub rosa

Been reading Gray Man books?

thaumasiotes 3 years ago | | |

It's a normal word. https://en.wiktionary.org/wiki/sub_rosa

Semaphor 3 years ago | | |

Interesting, never heard of this before.

xwdv 3 years ago |

A bit disappointed this wasn’t a new game where you play as an AI examining tokens to authenticate and authorize requests.

perpil 3 years ago |

One thing to mention about this is the integration breaks when GitHub updates their SSL certificate and the thumbprint changes. It's a simple fix to update the thumbprint in AWS IAM, but something that bites you yearly. So if you can't get credentials about a month before November 7, 2023, check the thumbprint.