Oauth and enterprise auth has to be the worst thing ever made, it might be the most confusing and frustrating part of dealing with the cloud. Even the AI tools took a year to just get basic Oauth working on headless systems without assuming you could open a browser. If they're going to go down the auth rabbit hole with RBAC/IAM/Workload identities?/service accounts and all the trash the big cloud providers have, I just hope to god they leave in the simple shit for personal use. I just want a damn API key, I keep it a secret and revoke if necessary and don't need 10000 layers of auth bullshit tangled up in every layer of every platform.
show comments
aeneas_ory
Author of Ory Hydra here! Very cool to see this blog post and technical description! I never would have thought this piece of software would secure the internet companies in the world :) Also great to see that the 2.x version performs so well for you! The CPU use is ridiculously small for that scale! We have a commercial variant that‘s even faster, if you ever run into trouble.
If anyone here is interested in providing their own oauth, IAM, rebac permissions, API keys, agent security - check out our open source & commercial products at https://github.com/ory and https://www.ory.com/
show comments
hmokiguess
I used to manage a self hosted instance of the identity server framework for dotnet that ran several billions of requests per month, my experience managing OAuth and OpenID Connect at that scale was that it was pretty much a solved problem with relatively low maintenance *(it was a critical core service at our org, with heavy compliance, but our team was maybe 3 people taking care of it? it is still up and well to this day)*
I could never understand why there were so much confusion spread around this protocol, almost every junior engineer I worked with would just struggle grasping it, I cannot recommend Scott Brady's blog enough on the topic https://www.scottbrady.io/ it was illuminating to me
I think there's an essential primitive "fear" whenever authN/Z is involved that creates friction for most engineers, they're used to problem solving and this fits within a pre-condition to your problem solving so there's a cognitive tax or something around it
CommonGuy
Cloudflare really likes to publish new projects, but improving them in the future is not really their style. Some examples:
- They launched Cloudflare Web Analytics in 2020, but it still does not support basic things such as UTM parameters or custom events
- With wrangler (their CLI), you still cannot undeploy a Cloudflare Page
show comments
utopiah
Classic Cloudflare, for all, works well, not too expensive... but, and consequently of all those positive attributes, positioning itself at the center of everything.
show comments
v5v3
"Ory Enterprise License: Unlock enterprise-grade features like security SLAs for CVEs, SAML, B2B organizations, multi-tenancy, and better scalability." [0]
Or just stick with KeyCloak that offers a full self hosted product... [1]
Not sure whats the play here, there is no world where this can turn out good. Cloudflare is more or less infrastructure provider, this idea of some user delegating permissions to their account to some third party client for infrastructure is ripe for abuses. If companies like AWS are not doing it then its for a good reason.
show comments
firasd
This is basically about OAuth for accessing a Cloudflare account, not a CF-hosted generic 'Login' type stuff for custom apps
I thought I understood what Oauth was (a standardized protocol to provide per-client access keys), but this article confuses me.
What's a "self-managed" Oauth here? What is access is being granted to, who are the clients, who are the partners...?
Anyone care to elaborate?
show comments
Avery29
OAuth is great when you actually need user delegation. For simple server-to-server API access, scoped keys with rotation, audit logs, and fast revocation are often a much better developer experience.
kjgkjhfkjf
I wish Cloudflare provided a paved path for user auth.
Better Auth seems to be the most common recommendation for Typescript applications, but there currently doesn't seem to be an official integration with Workers either from Better Auth or from Cloudflare.
I currently use Supabase to avoid having to set up my own user auth on Workers, but I would much prefer to use D1 etc.
show comments
Exoristos
You'd think implementing OAuth2 were splitting the atom the way so many dev teams won't even consider rolling their own or using the multiple well-tested free libraries.
miguelspizza
What’s ironic about this is they technically already shipped a looser version. The entire cf api is exposed as an MCP server which supports OAuth and dynamic client registration.
Not sure why they don’t just support DCR or CIMD for this too
khalic
Can't wait to have half the internet's auth sessions die because of an outage
asdf88990
Cloudflare turning into a Cloud platform is undoing what it was really doing well: making small clouds and diy hosting manageable in the hostile web environment.
Once their revenue from Cloud services overtakes their core offering, bye bye Cloudflare free and so on.
Title: Unlocking the Cloudflare app ecosystem with OAuth for all
rcarmo
Nice, but as usual if you want a 3-step “getting started” example you have to wade through the docs, and even then…
s_kazmi
I have shifted all my apps backend as much as possible to cloudflare.
Get my domains from it, all security stuff. hosting, etc
Love em., greatest tech company of all time. One stop shop.
littlecranky67
My pet peeve is the standard OpenID connect implementation of OAuth for SPAs - which will probably use the PKCE code flow. It is probably for historic reasons and old browser compat, but exposing access token and revocation token to javascript is IMHO just madness. In modern security flows you would save those tokens into cookies that are HttpOnly and SameSite=strict and prevent a myriad of JS based attack vectors.
xyzzy_plugh
This is such a weird blog post.
It's full of technical details, but I'm really not sure who they're for. There's nothing particularly novel or impressive. If anything the fact that it took them this long should be embarrassing. They pad it out with a table of stats that are just kind of meh? Congrats I guess for releasing something without burning the house down?
As an on-and-off customer of theirs I tried to quickly skim for some of the details that would impact me, the theoretical end-user, but the vast majority of TFA is just about how they pulled off this apparent feat of engineering.
I'm not trying to be pessimistic, and I don't fault the author (but I question the culture). I honestly don't get who this is for.
For the record this is something they should have had... at least six or seven years ago?
show comments
system2
I hope Cloudflare does not turn into Google, with so many different things that they will eventually kill all of these services randomly because of the maintenance cost.
show comments
iririririr
the end game: they will start requiring proof of id to access resources they host.
probably getting ahead of something the UK and some us states will require soon, as they already require from the sites behind cloudflare.
Oauth and enterprise auth has to be the worst thing ever made, it might be the most confusing and frustrating part of dealing with the cloud. Even the AI tools took a year to just get basic Oauth working on headless systems without assuming you could open a browser. If they're going to go down the auth rabbit hole with RBAC/IAM/Workload identities?/service accounts and all the trash the big cloud providers have, I just hope to god they leave in the simple shit for personal use. I just want a damn API key, I keep it a secret and revoke if necessary and don't need 10000 layers of auth bullshit tangled up in every layer of every platform.
Author of Ory Hydra here! Very cool to see this blog post and technical description! I never would have thought this piece of software would secure the internet companies in the world :) Also great to see that the 2.x version performs so well for you! The CPU use is ridiculously small for that scale! We have a commercial variant that‘s even faster, if you ever run into trouble.
If anyone here is interested in providing their own oauth, IAM, rebac permissions, API keys, agent security - check out our open source & commercial products at https://github.com/ory and https://www.ory.com/
I used to manage a self hosted instance of the identity server framework for dotnet that ran several billions of requests per month, my experience managing OAuth and OpenID Connect at that scale was that it was pretty much a solved problem with relatively low maintenance *(it was a critical core service at our org, with heavy compliance, but our team was maybe 3 people taking care of it? it is still up and well to this day)*
I could never understand why there were so much confusion spread around this protocol, almost every junior engineer I worked with would just struggle grasping it, I cannot recommend Scott Brady's blog enough on the topic https://www.scottbrady.io/ it was illuminating to me
I think there's an essential primitive "fear" whenever authN/Z is involved that creates friction for most engineers, they're used to problem solving and this fits within a pre-condition to your problem solving so there's a cognitive tax or something around it
Cloudflare really likes to publish new projects, but improving them in the future is not really their style. Some examples:
- They launched Cloudflare Web Analytics in 2020, but it still does not support basic things such as UTM parameters or custom events
- With wrangler (their CLI), you still cannot undeploy a Cloudflare Page
Classic Cloudflare, for all, works well, not too expensive... but, and consequently of all those positive attributes, positioning itself at the center of everything.
"Ory Enterprise License: Unlock enterprise-grade features like security SLAs for CVEs, SAML, B2B organizations, multi-tenancy, and better scalability." [0]
Or just stick with KeyCloak that offers a full self hosted product... [1]
[0]https://github.com/ory [1]https://www.keycloak.org/
Not sure whats the play here, there is no world where this can turn out good. Cloudflare is more or less infrastructure provider, this idea of some user delegating permissions to their account to some third party client for infrastructure is ripe for abuses. If companies like AWS are not doing it then its for a good reason.
This is basically about OAuth for accessing a Cloudflare account, not a CF-hosted generic 'Login' type stuff for custom apps
Good thing they're laying off more of their workforce to support these new products https://app.dealroom.co/news/feed/cloudflare-ceo-warns-ai-dr...
I thought I understood what Oauth was (a standardized protocol to provide per-client access keys), but this article confuses me.
What's a "self-managed" Oauth here? What is access is being granted to, who are the clients, who are the partners...?
Anyone care to elaborate?
OAuth is great when you actually need user delegation. For simple server-to-server API access, scoped keys with rotation, audit logs, and fast revocation are often a much better developer experience.
I wish Cloudflare provided a paved path for user auth.
Better Auth seems to be the most common recommendation for Typescript applications, but there currently doesn't seem to be an official integration with Workers either from Better Auth or from Cloudflare.
I currently use Supabase to avoid having to set up my own user auth on Workers, but I would much prefer to use D1 etc.
You'd think implementing OAuth2 were splitting the atom the way so many dev teams won't even consider rolling their own or using the multiple well-tested free libraries.
What’s ironic about this is they technically already shipped a looser version. The entire cf api is exposed as an MCP server which supports OAuth and dynamic client registration.
Not sure why they don’t just support DCR or CIMD for this too
Can't wait to have half the internet's auth sessions die because of an outage
Cloudflare turning into a Cloud platform is undoing what it was really doing well: making small clouds and diy hosting manageable in the hostile web environment.
Once their revenue from Cloud services overtakes their core offering, bye bye Cloudflare free and so on.
Cloudflare to cut about 20% of its workforce
https://news.ycombinator.com/item?id=48054423
Title: Unlocking the Cloudflare app ecosystem with OAuth for all
Nice, but as usual if you want a 3-step “getting started” example you have to wade through the docs, and even then…
I have shifted all my apps backend as much as possible to cloudflare. Get my domains from it, all security stuff. hosting, etc
Love em., greatest tech company of all time. One stop shop.
My pet peeve is the standard OpenID connect implementation of OAuth for SPAs - which will probably use the PKCE code flow. It is probably for historic reasons and old browser compat, but exposing access token and revocation token to javascript is IMHO just madness. In modern security flows you would save those tokens into cookies that are HttpOnly and SameSite=strict and prevent a myriad of JS based attack vectors.
This is such a weird blog post.
It's full of technical details, but I'm really not sure who they're for. There's nothing particularly novel or impressive. If anything the fact that it took them this long should be embarrassing. They pad it out with a table of stats that are just kind of meh? Congrats I guess for releasing something without burning the house down?
As an on-and-off customer of theirs I tried to quickly skim for some of the details that would impact me, the theoretical end-user, but the vast majority of TFA is just about how they pulled off this apparent feat of engineering.
I'm not trying to be pessimistic, and I don't fault the author (but I question the culture). I honestly don't get who this is for.
For the record this is something they should have had... at least six or seven years ago?
I hope Cloudflare does not turn into Google, with so many different things that they will eventually kill all of these services randomly because of the maintenance cost.
the end game: they will start requiring proof of id to access resources they host.
probably getting ahead of something the UK and some us states will require soon, as they already require from the sites behind cloudflare.