Heather Downing · Jul 21, 2022 · 8:38 PM UTC

Heather Downing

Heather Downing @quorralyne

21 Jul 2022

Why do you use SAML instead of OIDC?

160

Yann Crumeyrolle · Jul 22, 2022 · 2:51 PM UTC

Yann Crumeyrolle @ycrumeyrolle

22 Jul 2022

Because Facebook authentication is forbidden for financial application, Facebook use OIDC, so OIDC is forbidden. I had this argument few years ago.

GIF

Heather Downing · Jul 22, 2022 · 2:53 PM UTC

Heather Downing @quorralyne

22 Jul 2022

Wait... what? You don't have to use social auth at all.

Yann Crumeyrolle · Jul 22, 2022 · 3:09 PM UTC

Yann Crumeyrolle @ycrumeyrolle

22 Jul 2022

Same protocol, same risk (sic). And moreover OAuth2 is not secure because it require TLS. Happy to have fought all this false assertions , but we still have SAML when connecting to old SaaS.

Aaron Parecki · Jul 22, 2022 · 5:06 PM UTC

Aaron Parecki · Jul 22, 2022 · 5:06 PM UTC

Aaron Parecki @aaronpk

22 Jul 2022

Replying to @ycrumeyrolle @quorralyne

that's...wrong and also just a weird thing to say. There's also FAPI which is a secure profile of OAuth and OpenID Connect.

Jul 22, 2022 · 5:06 PM UTC

Yann Crumeyrolle · Jul 22, 2022 · 5:15 PM UTC

Yann Crumeyrolle @ycrumeyrolle

22 Jul 2022

Replying to @aaronpk @quorralyne

I agree, completely wrong, but so easy to to use for avoiding to move forward.