Tokens, Please: Comparing OpenID Connect with Video Game “Papers, Please”
toddtee.sh

Surprise ending: a favorable review of OpenID. With the introduction of a dystopian video game and the description of confusing, tortuous rules, I never expected this to be a sub rosa advertisement for OpenID's simple, flexible, and versatile authentication!! So, tie me to the rack and poke me with the soft cushions.
If OpenID stops at embracing WebAuthn and making it a common login method, allowing people to use their own separate WebAuthn implementations, that's fantastic. They can make it easy mode for normal users, while letting companies and security-conscious individuals use whatever WebAuthn client they want.
Those two are fundamentally/conceptually incompatible, aren't they? Webauthn is about user having ownership of their own identity (as proven by them holding the keypair(s)), while OpenID (and OpenID Connect) is about identity never being owned but always provided by a third party (even if this third party is technically the same person).
I'm not sure. I remember looking at OpenID when it was announced, and the rabbit hole I ran down made me think it was built on WebAuthn in some fashion, as a set of providers or something.
If that's not the case, that is very unfortunate. I veered into reading the WebAuthn spec for a bit then and found I largely liked what I found there.
Some complexity from trying to define how to handle people lugging around shareable keys on their phones and similar in the spec, but overall I liked it. I found it all very reasonable.
It’s not built on WebAuthn but it could work with it. WebAuthn is essentially just an alternative to typing in your password.
> WebAuthn is essentially just an alternative to typing in your password.
I had thought it was the key confirmation used by openid and that openid was more of an industry keying system backend and push for webauthn on websites. Apparently I need to reread it.
WebAuthn removes all secret information on the company side, making company password database breaches a thing of the past. "Oh no, you stole a public key specific to this website that you can't even use to log into the site you stole it from because you need the private key to do that."
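To make the "stolen public key is useless" point concrete, here is an added toy model of that flow in Go (example code added by the editor, not from the article, the commenter, or any WebAuthn library). It assumes a constructed `Authenticator` that holds an ECDSA P-256 private key and a `RelyingParty` whose credential store holds public keys only; real WebAuthn also signs the authenticator data and the hash of `clientDataJSON`, which binds the origin, and this example signs just the challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device (constructed toy). It keeps the
// private key and only ever emits signatures.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only thing the website ever receives at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a login challenge (real WebAuthn also covers authenticatorData
// and the clientDataJSON hash; here we sign only the challenge).
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// RelyingParty stands in for the website. Its credential store holds public
// keys only, so a dump of it yields nothing an attacker can log in with.
type RelyingParty struct {
	creds   map[string]*ecdsa.PublicKey
	pending map[string][]byte // outstanding single-use challenge per user
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{creds: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.creds[user] = pub }

// BeginLogin issues a fresh random challenge for the user.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.creds[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// FinishLogin verifies the signature over the outstanding challenge, which is
// consumed whether or not the signature verifies.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	pub, ok := rp.creds[user]
	challenge, ok2 := rp.pending[user]
	if !ok || !ok2 {
		return false
	}
	delete(rp.pending, user)
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Demo returns whether (1) the legitimate device logs in, (2) an attacker who
// dumped the public-key store logs in, (3) a captured signature replays.
func Demo() (legit, stolenKey, replay bool, err error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return
	}
	rp := NewRelyingParty()
	rp.Register("alice", auth.PublicKey())

	// 1. Alice signs a fresh challenge with her device.
	c, err := rp.BeginLogin("alice")
	if err != nil {
		return
	}
	sig, err := auth.Sign(c)
	if err != nil {
		return
	}
	legit = rp.FinishLogin("alice", sig)

	// 2. The attacker holds Alice's public key from the breach; the best they can
	//    do is sign with a key of their own, which is not the registered one.
	attacker, err := NewAuthenticator()
	if err != nil {
		return
	}
	if c, err = rp.BeginLogin("alice"); err != nil {
		return
	}
	badSig, err := attacker.Sign(c)
	if err != nil {
		return
	}
	stolenKey = rp.FinishLogin("alice", badSig)

	// 3. Replaying Alice's earlier signature fails because the challenge is new.
	if _, err = rp.BeginLogin("alice"); err != nil {
		return
	}
	replay = rp.FinishLogin("alice", sig)
	return
}

func main() {
	legit, stolen, replay, err := Demo()
	if err != nil {
		panic(err)
	}
	// prints legit=true stolenPublicKey=false replay=false
	fmt.Printf("legit=%v stolenPublicKey=%v replay=%v\n", legit, stolen, replay)
}
```

The single-use challenge is what turns "attacker has the public key" into a dead end: without the private key there is no way to produce a signature over a value the server only just chose, and an old signature does not carry over.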
> sub rosa
Been reading Gray Man books?
It's a normal word. https://en.wiktionary.org/wiki/sub_rosa
Interesting, never heard of this before.
A bit disappointed this wasn’t a new game where you play as an AI examining tokens to authenticate and authorize requests.
One thing to mention about this is the integration breaks when GitHub updates their SSL certificate and the thumbprint changes. It's a simple fix to update the thumbprint in AWS IAM, but something that bites you yearly. So if you can't get credentials about a month before November 7, 2023, check the thumbprint.
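The yearly thumbprint surprise the comment describes is straightforward to check for before it bites. The Go program below is an added example (editor's code, not from the article, the commenter, AWS, or GitHub): it computes a certificate's SHA-1 thumbprint in the 40-hex-character form IAM stores, compares it against the thumbprints configured on the OIDC provider, and can pull the live chain from a host with `FetchChainThumbprints`. So that it runs offline, it generates a throwaway self-signed certificate as a constructed stand-in for the provider's; which certificate in the chain to pin (AWS documents the top intermediate CA, the last one the server presents) is up to the operator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Thumbprint returns the SHA-1 fingerprint of a DER-encoded certificate in the
// form IAM shows it: 40 lowercase hex characters, no colons.
func Thumbprint(der []byte) string {
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])
}

// ThumbprintFromPEM parses one PEM certificate (e.g. pasted from
// `openssl s_client -showcerts`) and returns its thumbprint.
func ThumbprintFromPEM(pemText string) (string, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block found")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return "", err
	}
	return Thumbprint(block.Bytes), nil
}

// CheckThumbprint reports whether the live thumbprint is among those configured
// on the IAM OIDC provider; case and colons are ignored so copy-pasted values match.
func CheckThumbprint(live string, configured []string) bool {
	norm := func(s string) string { return strings.ToLower(strings.ReplaceAll(s, ":", "")) }
	for _, c := range configured {
		if norm(c) == norm(live) {
			return true
		}
	}
	return false
}

// FetchChainThumbprints connects to host:443 and returns the thumbprint of each
// certificate the server presents, leaf first. Needs network; not used offline.
func FetchChainThumbprints(host string) ([]string, error) {
	conn, err := tls.Dial("tcp", host+":443", &tls.Config{ServerName: host})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	var out []string
	for _, c := range conn.ConnectionState().PeerCertificates {
		out = append(out, Thumbprint(c.Raw))
	}
	return out, nil
}

// NewSelfSignedCert builds a constructed throwaway certificate so the check
// can be exercised without touching the real provider.
func NewSelfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := NewSelfSignedCert("constructed stand-in for the OIDC provider CA")
	if err != nil {
		panic(err)
	}
	pemText := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	live, err := ThumbprintFromPEM(pemText)
	if err != nil {
		panic(err)
	}
	// Placeholder for the thumbprint currently configured on the IAM provider.
	configured := []string{"0000000000000000000000000000000000000000"}
	fmt.Printf("live=%s configured-match=%v\n", live, CheckThumbprint(live, configured))
}
```

Run against the real provider, you would replace the self-signed stand-in with `FetchChainThumbprints("token.actions.githubusercontent.com")` and feed the configured list from the IAM provider; a `false` result a month before the renewal date is the cue to update the thumbprint.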