44 comments

[ 3.0 ms ] story [ 62.2 ms ] thread
That’s funny. I spotted a similar issue in their Go SDK[1] a few years back. I was pretty appalled to see such a basic mistake from a security company, but then again it is Okta. [1]: https://github.com/okta/okta-sdk-golang/issues/306
> I was pretty appalled to see such a basic mistake from a security company, but then again it is Okta.

Oh. Em. Gee.

Is this a common take on Okta? The article and comments suggest...maybe? That is frightening considering how many customers depend on Okta and Auth0.

Yea auth0 is an absolute clown show.
Honestly, I'm expressly not a big fan of outsourcing authentication/authorization.. . and even then, my personal list of trust is VERY limited. For the most part, I'll use Azure Entra (formerly Azure AD) and Windows AD only because of their entrenchment with other systems, and generally don't have much need to build more on top of what they already provide in the box.

That said, a lot of these things are very well documented... there are self-host systems and options both open-source, paid and combinations not to mention self-hosted options for both.

I've worked on auth systems used in banking and govt applications as well as integration with a number of platforms including Okta/Auth0. And while I can understand some of the appeal, it's just such a critical point of potential failure, I don't have that much trust in me.

I wish I could have open-sourced the auth platform I wrote a few years ago, as it is pretty simple in terms of both what it can do and how to setup/configure/integrate into applications. Most such systems are just excessively complex for very little reason with no reasonable easy path.

Kind of funny that stalebots are the new "won't fix" methodology to ignore security issues with plausible deniability.
"someone will look at this issue soon"

(3 years later...)

Security companies that prioritize bugs being sold rather than be reported will eventually blow up. Good luck Okta shareholders.
Unfortunately security is wayyyy down on the list of priorities for most large companies
I think GitHub should allow disabling PRs. I don't believe most big corporations are interested in dealing with fly-by contributions because it might make them look bad or be riddled with quality issues.

Also some projects like the Linux kernel are just mirrors and would be better off with that functionality disabled.

IANAL but unfortunately, I think the fix itself shown here might be too simple to actually clear the bar for copyright eligibility. (And in fairness to copyright law, it is basically the only sane way to fix this.) That means that there's probably not much you can really do, but I will say this looks fucking pathetic, Okta.
Okta is, if you may excuse my French, straight garbage.
The fact that they have a "stay signed in" checkbox that doesn't keep me signed in tells me all I need to know about these jokers. I love going through a bloated login process multiple times a day, apparently.
Honestly when I saw Okta in the headline, I had assumed the article was going to say they were breached again.

This one is amusing, and as another comment mentioned below, large companies are awful at accepting patches on github. Most use one-way sync tools to push from their internal repositories to github.

Is there any non shite managed oAuth solution with a free tier available?

Auth0 really is super easy and comfortable to integrate and I don‘t want to run my own keycloak or whatever.

I LOVE LLMs as a learning tool. I HATE LLMs as a communication tool. I know, there are people with serious handicaps who benefit from LLMs in this area. If only I could talk to those people and not wade through all this other garbage.

Especially when the AI is being represented as a person, this to me is dishonest. Not to mention annoying, almost more-so than the number of different apps that think they are important enough to send me push notifications to fill out a survey (don’t even get me started).

I've been quite happy with FusionAuth so far. Free to run on your own server, easy to understand and set up, easy to program against, reliable.
I think it is distasteful and disrespectful to call out an employee by name in this way, regardless of the merit of the rest of the OP's post.
How can it ever be disrespectful to publish truthful information about someone.

What does respect mean and how was it violated by this post?

I think you are far outside the mainstream of journalism norms and ethics and as such should bear the burden of explaining yourself further.

I think you're the one being disrespectful.

Absolutely agree with this. There could be many, many reasons out of the named person's control, and that the author is not aware of, as to why this happened. It comes off as petty and arrogant and honestly the same attitude I expect from most people on hackernews. Overall its disappointing. Respect each others privacy.
While I think the blog post is dramatic, I don't think the author did anything wrong by mentioning the name of the person he feels wronged by. The information is public and it's the only way for that individual to be held accountable by anyone who comes across the article.
FWIW, the employee reply (who the author is putting on blast) seems like it was written by a human, not an AI.

"You're absolutely right!" is the Claude cliche (not a ChatGPT one) - "You are absolutely correct." is not that.

I find it funny that this seemingly fictitious person Simen A. W. Olsen my@simen.io will forever be engraved as a co-author of a one-line change in the nextjs-auth0 repo.
That maintainer seems clueless
I'm currently building on the Auth0 SaaStarter because it seemed to be the only option in the market for something with all the core features enterprises are looking for. Is there an alternative that doesn't require building from scratch?
(comment deleted)
(comment deleted)
Okta requiring to create a video for a pretty obvious vulnerability shows that Okta does not take security seriously, contrary to what they say at their earnings calls. Sounds like deceiving their investors.
(comment deleted)
Don't outsource SSO to any IdMaaS. It's too critical. And especially not to Okta.