Comment on Single Sign in for Home Assistant now possible with OpenID
femtek@lemmy.blahaj.zone 2 months agoYou can self host the authentication outside of the Internet.
Comment on Single Sign in for Home Assistant now possible with OpenID
femtek@lemmy.blahaj.zone 2 months agoYou can self host the authentication outside of the Internet.
irotsoma@piefed.blahaj.zone 2 months ago
Problem is that the user has to be presented that webpage anf the results have to make their way back to teach component. If you have a bunch of microservices that aren’t user facing (whether internet or private network) then how do those services get the user data to do their things. Monolithic server applications are bad practice outside of extremely simple web apps if you want something scalable. So you still need a database of local users that the services can share privately. That means a built-in user database that is just linked to the SSO user by the service that is user facing. Otherwise, all micro-services have to authenticate separately with the user once every time the token expires. Which means lots of browser sessions somehow getting from a micro-service with no web front end to the user.
Anyway, just an example, but when a local user database is required anyway, then SSO is always addition development work and exerts possibly significant limitations on the application architecture. This is why it’s not commonly implemented at first. There needs to be better protocols that are open source and well tested. OIDC is my current favorite in many cases, but it has limitations like logging out or switching between users on the same browser is a pain. Most proprietary apps use proprietary solutions because of the limitations and they feel (often incorrectly) like it’s obfuscated enough to not be susceptible to attacks despite the simplicity. Doing SSO right is hard, so having to implement something from scratch isn’t feasible and when done is usually vulnerable.