If anyone here is interested in providing their own oauth, IAM, rebac permissions, API keys, agent security - check out our open source & commercial products at https://github.com/ory and https://www.ory.com/
- They launched Cloudflare Web Analytics in 2020, but it still does not support basic things such as UTM parameters or custom events
- With wrangler (their CLI), you still cannot undeploy a Cloudflare Page
Or just stick with KeyCloak that offers a full self hosted product... [1]
Yes we have an commercial version because how else can one finance world class open source powering the biggest software names on the planet? It‘s a good thing that Ory has a business model that works, not a bad thing. And by the way, IBM finds ways to charge you for KeyCloak too ;)
Looked at the case study, uses Cockroach which is now commercial, so potentially with the dual costs of Ory and Cockroach licenses, unless you need massive scale, would be too expensive for small/medium and also startups? Unless your sole focus is on enterprises?
And Keycloak also has such a implementation https://www.cockroachlabs.com/blog/deploying-keycloak-on-coc...
Iirc Argo and some other routing products are quite expensive.
In case of AWS, you add Github as an IDP (OIDC provider) and associate a role to it.
Github is now authenticating into AWS, scoped to the github repository where its configured and the AWS role it can assume
Its not really a typical OAuth2 or OIDC flow. And yes its better than storing the keys.
Github is not the OAuth client here.
Cloudflare API Keys - You create them and then use those keys directly against cloudflare API's to manage services/infrastructure in your account. How you create the keys is may be a different kind of challenge.
OAuth flow in discussion here - You are using a third party service (which registers themselves as a the client application with cloudflare), this service is going to prompt you for OAuth flow and redirect to Cloudflare, not (only) to authenticate you but it will get a access token on your behalf (your cloudflare account) from Cloudflare. Whatever this THIRD PARTY service uses this token for your behalf is going to incur infrastructure cost for your account.
Sorry if I was rude earlier but saying OAuth is some security flaw made me think that you didn’t understand what it was about; it’s just a way to grant permissions to a third party you trust. If you do then I’m curious why you think it’s flawed.
Your go to a third party web site. They send you to your OAuth provider, like cloudflare. Cloudflare asks you to login if you’re not logged in, then asks if you want to give that party certain permissions. You say yes or no and then click approve and then you get redirected back to the third party site. They get a secure token and can use that to access the services with permissions you approved. If you don’t trust the third party then don’t approve it.
It is like an API key but you never have to touch it. The third party can encrypt it and store it securely and it never has to be copied and pasted. You can use this on backend services that need to access things too. I recently wrote an OAuth client for MCP servers for something I’m building (not gonna advertise here because that’s rude) and it’s very nice once you read the spec.
Most people in CIAM (customer identity, individuals owing their account instead of representing a company) only interact with OAuth client for authentication. They do not give access of their google account to some THIRD PARTY COMPANY.
Love em., greatest tech company of all time. One stop shop.
What's a "self-managed" Oauth here? What is access is being granted to, who are the clients, who are the partners...?
Anyone care to elaborate?
They're letting you host an OAuth system to approve/deny access to your own resources, so you can build whatever logic you like, rather than waiting on them to allow you to do X under Y conditions. Essentially "log into CloudFlare" -> CF sees you're using this self-managed OAuth -> redirect to your OAuth -> CF trusts your response, and approves access to your account if you approve access.
Better Auth seems to be the most common recommendation for Typescript applications, but there currently doesn't seem to be an official integration with Workers either from Better Auth or from Cloudflare.
I currently use Supabase to avoid having to set up my own user auth on Workers, but I would much prefer to use D1 etc.
I find Lucia Auth’s approach more useful in the long run – you have some boilerplate living on your codebase but you own it completely and it doesn’t try to make decisions for you: https://lucia-auth.com/
---
That said, why don’t you use Better Auth with Drizzle and the D1 adapter?
https://github.com/rorz/manual.email/blob/main/packages/db/s...
Not sure why they don’t just support DCR or CIMD for this too
Once their revenue from Cloud services overtakes their core offering, bye bye Cloudflare free and so on.
But even to entertain this is crazy, not because of decades of history of capitalist and market enterprise in general, but very specific cases of Technology Companies starting with these kind of feel good ideas and declaring "Don't be evil" or things like " access, safety, and shared prosperity" as their core ideals, turn into absolute panopticon and collaborate with unjust killing of women and children in less than a decade.
The market isn't for free.
Wait so what do you think their core offering is?
Their first products were production grade examples of the SDN that required a lot of bandwidth (DDOS/CDN).
The cloud is a logical continuation.
Their business was always the "internet", see their ticker => NET.
Dev free is part of the marketing cost and would stay under the current leadership.
probably getting ahead of something the UK and some us states will require soon, as they already require from the sites behind cloudflare.
It's full of technical details, but I'm really not sure who they're for. There's nothing particularly novel or impressive. If anything the fact that it took them this long should be embarrassing. They pad it out with a table of stats that are just kind of meh? Congrats I guess for releasing something without burning the house down?
As an on-and-off customer of theirs I tried to quickly skim for some of the details that would impact me, the theoretical end-user, but the vast majority of TFA is just about how they pulled off this apparent feat of engineering.
I'm not trying to be pessimistic, and I don't fault the author (but I question the culture). I honestly don't get who this is for.
For the record this is something they should have had... at least six or seven years ago?
But this is so mundane it bothers me in a way I find surprising. It's more about how they made some questionable choices in the past and how they finally paid off that technical debt. Is it interesting? Perhaps I am just getting old and jaded.
What I find odd is how light TFA is on actual details as to what it is they shipped.
This is the kind of thing I'd ship internally to the org as part of a weekly update or something, but not what I'd expect on a public-facing corporate blog.
It's a privacy nightmare.
(Apple login is in nearly every iOS app and most websites)
For API Keys we just launched Ory Talos (https://github.com/ory/talos) - a perfect alternative for when OAuth2 is too much for the use case.
There are use cases and security concerns that legitimize using OAuth2 - with specs like DPoP you can make these flows more secure. In my view the use cases presented here is a good one for OAuth2, but it certainly doesn’t make sense everywhere - complexity makes system harder to secure.
Good thing about the OAuth2/OIDC is these things will not put the trust on the bearer of the api key, but on actual identity that needs to have the access.
> Good thing about the OAuth2/OIDC is these things will not put the trust on the bearer of the api key, but on actual identity that needs to have the access.
And... you do not see the myriad of problems with that? What about the OIDC provider going rogue or getting compromised? How do you ensure whatever you use to authenticate with your OIDC isn't compromised? Many identity providers and identity bearers have terrible security practices. "Add a backup email in case you lose your 2FA. Nevermind it's the same email we use for password reset."
Again, I trust zaptheimpaler to keep their secret much better than this whole pretend security theater.
In the end there is always some long lived secret. What changes is just where and how it is stored, secured and used.
I bet we can generalize to say that data shows that you will likely fail to properly secure any secret (including the ones used in OAuth2).
EDIT: An example: https://news.ycombinator.com/item?id=37973937
Not quite. You shift the trust from the key bearer (the most interested party in all of this) to the identity provider.
Tailscale’s implementation of OIDC is nice: https://tailscale.com/docs/integrations/identity/custom-oidc
But all that only makes sense if you own a domain name.
Never want to touch oauth, it's a fucked spec.
Then implement that on your app... You are just generating a random key and storing a hash + salt.
Auth is hard only applies to auth for many users. For your own auth this is dead simple and made even simpler if you use a half decent framework...
If you are really worried about the implementation being insecure throw one of the many moderately frontier models at it, they are really not bad at finding issues in an auth system that simple.
I think that most of the "just give me an API key" comments are from a <1% of end-users (developers) that know what an API key is, and are facing a broken OAuth implementation.
It's just design by committee.
To cover the myriad of (sometimes downright stupid) requirements that large enterprises have.
i make a point to implement oauth from scratch, because using the overly complex libraries expose you to bugs such as attacker sending a token which the metadata just says "no encryption or signature. trust me bro", which is actually part of the spec if you combine some options.
while in the real world, if google or apple sends you a token that is not always the same signature cypher (one of a dozen by the spec) you are better of threating as malicious, because it pretty much is. a manual implementation of a token consumer is about 20 lines... including downloading the provider keys and checking it (which most startups never do! allowing anyone to just sign a token as anyone)
I agree that it is too complex though and app to app auth is certainly not a focus. I often still use static common secrets and see no problem with that.
I hate for apps needing to save passwords themselves, even if we have good tools today and the standard bcrypt call is reasonably safe. But then you need to reimplement password reset flows and all that ugly shit. Having that centralised is often
I would recommend self-hosting an OIDC service for that matter. The control you get also allows you to easily comply with some laws like GDPR and cousins, because you need to just purge a user in a single system.
Otherwise I thoroughly feel the frustration with IAM and the big providers. Ain't nobody got time for that and it is never a good and efficient solution.
Seconded. It is fairly easy to set up, and so much easier than the cloud IAM things.
The only catch is, make sure you have some backup access to your OIDC provider in case it goes down. E.g. don’t host it on a server with SSH only accessible through VPN that is authorised using your OIDC provider, etc.
One good thing GitHub Copilot has it that you can just give it a GH_TOKEN that is valid for 6 months and stop this browser login nonsense.