When I thought doing an episode about authentication would be a good idea, Marc Boorshtein was the first person who came to mind for me. Marc knows more about authentication than anyone I know, and he’s really good at talking about it in a coherent way. Marc is the CTO of Tremolo Security, he’s been doing authentication for more than 20 years, long before many of us even knew this whole identity and authentication thing was something we should care about.

The focus is on Single Sign On (SSO), specifically OpenID Connect, but the discussion covers a number of technologies, both old and new. I learned a lot from this discussion. I thought I had a grasp on how to best use authentication libraries, but it turned out I had holes in my knowledge.

Marc starts out the discussion with some history of authentication. It has always been hard, and it used to be a lot harder. The work Microsoft did with Windows authentication, based on Kerberos, was one of the first SSO systems. There used to be authentication systems that needed an agent on the systems doing the authentication (which sounds very silly these days). Marc was here to help explain SSO, so we steered the conversation in that direction quickly.

The unavoidable authentication technologies everyone seems to be using these days are SAML and OpenID Connect. Fundamentally they are basically the same thing. Technically speaking that’s not true, but for most of us, they work the same. Only the authentication nerds really understand the differences. The episode covers more details, but they’re really not important for this post, and while the two are very similar, it seems that OpenID Connect is starting to gain a bit of an edge.

The actual guidance

It should come as no surprise to anyone who has ever developed software that the single most important and easiest to understand rule in the world of authentication is to never write your own authentication code. Unless this is something you do all day every day, you will make mistakes, stupid mistakes. So find a library that can do this for you.

But just proclaiming “use a library” isn’t really good advice. Which library? Are they all the same? What do I need to do? What’s even real anymore! Thankfully Marc did cover this. A lot of the frameworks and runtimes (Marc called these “containers” in the conversation) have authentication functionality built in. There are other libraries too, but by using the framework or runtime library, you know it’s something well supported and it should just work (tm). A challenge with other libraries is that it’s hard to know which ones aren’t well supported or could even be end of life. By definition, if you’re not allowed to write your own authentication, you probably also don’t know how to easily figure out which libraries are the best supported.

One of the things I learned from the conversation that I didn’t previously understand is how to do the whole “login with” page. This is when you see something like “Login with Google” or “Login with GitHub”. Marc called this the NASCAR login page (because you have a bunch of logos). Rather than trying to add all the services yourself and support the various differences you get from every possible authentication provider, you can use an authentication proxy. The idea here is you use something like Keycloak to host the “login with” site, so it’s up to Keycloak to support whatever oddities every service has. Then the application we’re writing only has to support Keycloak.
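To make the proxy idea concrete, here is an added example (not code from the episode, from Marc, or from any Keycloak or Tremolo project) of what the application side looks like when it trusts exactly one OpenID Connect issuer. The app builds the authorization request (with a random state, nonce and a PKCE challenge), checks the callback, and validates the ID token claims that OpenID Connect Core requires. The issuer URL, client id, redirect URI and the Keycloak-style `/protocol/openid-connect/auth` path are placeholders; a real deployment would take the endpoints from the issuer’s discovery document, and the JWT signature check against the issuer’s keys is left to the framework library, as the post recommends. Only the standard library is used.

```python
"""Relying-party side of an OpenID Connect login against a single issuer
(added example; the issuer, client and paths below are placeholders)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: one trusted issuer (the authentication proxy), one client.
# Which upstream "login with" providers exist is the proxy's concern only.
ISSUER = "https://sso.example.com/realms/demo"
CLIENT_ID = "my-app"
REDIRECT_URI = "https://app.example.com/callback"
AUTH_ENDPOINT = ISSUER + "/protocol/openid-connect/auth"  # assumed path


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWT and PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 challenge from RFC 7636: BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def query_params(url: str) -> dict:
    """First value of each query parameter in a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_request(state: str, nonce: str, code_verifier: str) -> str:
    """Authorization Code flow request; state and nonce are bound to the session."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,                      # defends the callback against CSRF
        "nonce": nonce,                      # ties the ID token to this login
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def start_login() -> tuple:
    """Generate the per-login secrets, keep them server side, return the redirect."""
    session = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": secrets.token_urlsafe(64),  # 43..128 chars per RFC 7636
    }
    url = build_authorization_request(session["state"], session["nonce"],
                                      session["code_verifier"])
    return session, url


def check_callback(session: dict, callback_url: str) -> str:
    """Verify the callback belongs to this session and extract the code."""
    p = query_params(callback_url)
    if not hmac.compare_digest(p.get("state", ""), session["state"]):
        raise ValueError("state mismatch: unsolicited or replayed callback")
    if "error" in p:
        raise ValueError("authorization server returned error: " + p["error"])
    if not p.get("code"):
        raise ValueError("missing authorization code")
    return p["code"]


def validate_id_token_claims(claims: dict, session: dict, now=None, skew=60) -> str:
    """Claim checks from OpenID Connect Core 3.1.3.7, applied after the
    library has verified the JWT signature. Returns the subject identifier."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("ID token from an untrusted issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("ID token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences without matching azp")
    if claims.get("exp", 0) + skew < now:
        raise ValueError("ID token expired")
    if claims.get("iat", 0) - skew > now:
        raise ValueError("ID token issued in the future")
    if not hmac.compare_digest(str(claims.get("nonce", "")), session["nonce"]):
        raise ValueError("nonce mismatch: token not from this login")
    return claims["sub"]


if __name__ == "__main__":
    sess, redirect = start_login()
    print("redirect the browser to:", redirect)
    code = check_callback(sess, REDIRECT_URI + "?code=demo-code&state=" + sess["state"])
    print("authorization code to exchange at the token endpoint:", code)
```

The point the post makes shows up in the constants: however many "Login with" buttons Keycloak renders, the application configures one issuer, one client id and one redirect URI, and the same claim checks apply regardless of which upstream provider the user actually picked.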

Passkeys and IDs

We of course chatted about passkeys for a little while, but there’s nothing new to learn from that discussion. Someday Marc can come back for the passkeys topic. It’s pretty big and moving really fast. The TL;DR is that passkeys are a great idea, but they have some challenges.

We also ended up on the perpetual identity conversation of “how we identify people”, which will probably always be a hard problem (and always has been). Even if everyone had a magic global ID, there would be problems. Discussing how to identify people is more a philosophical discussion than it is a tech discussion. This will probably always be true.

Wrapping up

One of the joys when talking to an expert is that even if you think you know enough about a topic, you’re going to learn something new. I’ve been in the security universe for a very long time, and I’ve done enough authentication that I feel like I know enough to make things work. Marc taught me a bunch of new things, some because there are better ways to do it (authentication proxy), some because I just didn’t totally grasp how something could work (how SAML can look like OIDC was news to me). One of the most interesting bits from the conversation is Marc’s suggestion that when you’re doing identity work, there’s a premium price that comes with such skill and knowledge.

Of course it’s easy to say the identity guy gets paid more, but it takes years or decades to become an identity expert :)