This is a good point. Keeping it simple is always a good engineering choice.
I think one of the reasons JWTs come up so often is that if you are going to use OAuth2/OpenID Connect (ideally the Authorization Code grant), then tokens become an important component.
And many IdPs implement the OAuth2 access token as a JWT. So it may be that your IdP ends up making this choice for you. Then you have to learn how to deal with JWTs.
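As an added illustration of "dealing with" an IdP-issued JWT (this is editor-written example code, not code from anyone in the thread), the checks a resource server must do before trusting the token: pin the algorithm, verify the signature, and check `exp`, `iss` and `aud`. It uses HS256 with a constructed shared secret so it runs offline; real IdPs usually sign with RS256 and publish keys via JWKS, but the claim checks are the same. The issuer URL, audience and secret are assumed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders standing in for the IdP's key and your API's identity.
SECRET = b"constructed-demo-secret"
EXPECTED_ISS = "https://idp.example.test/"
EXPECTED_AUD = "my-api"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT; plays the IdP's role only to build test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims if the token verifies; raise ValueError with the reason otherwise."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed token")
    # Pin the algorithm: the header's alg must never choose how verification is done.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("expired")
    if payload.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return payload

def verification_error(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: the failure reason, or None when the token is good."""
    try:
        verify_token(token, secret, now)
        return None
    except ValueError as exc:
        return str(exc)
```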
Thanks for the mention. We already do see quite a few Auth0 converts. I expect to gain a lot of new customers as a result of this merger in the coming months. No complaints here.
FusionAuth looks quite interesting. I'd like to see a comparison with Azure Active Directory as well, as in my last company we ended up sticking with it instead of migrating to Auth0/Okta/ServiceNow. Especially because developer self-service works very well there. I couldn't find any details about this on your website.
To me, the about us page is one of the more difficult things to fake and can at least tell you whether the company is brand new or maybe owned by a big company or just a recent startup.
I have found out quite a few scams by looking at the about us page and researching the names on the page. Most everyone working in tech has some kind of digital trail that would take a lot of effort to fake.
If I get taken for a ride, I want to at least know who is doing the driving.
> + Redhat seems quite invested in it, so it has corporate backing. This could also be a bad thing, depending on your view of Redhat and which direction they take the product.
Yes, true. :-) We'll see if IBM feels the same way.
I think @tremon is just getting at that auth must be considered critical, and thus you should maintain some level of skill and competency to ensure you don't get blindsided.
Perhaps the distinction is just because something isn't a "core competency" does not mean it is not critical. And just because it isn't a "core competency" doesn't mean you can afford to be ignorant on the topic.
That seems silly though. It is for this very reason you "don't roll your own crypto". _Because_ it's critical, and _because_ others can handle it better when that's what they are focused on.
Actually I built a single sign-on system for a Rails app and a WordPress site many years ago, based on Devise and probably (can't remember) some PHP code on WP. Probably also a Rails+phpBB SSO. They were meant to be short-lived services and luckily they were. The reason is that in a mixed language / framework environment it's better to have some centralized authentication and authorization service and a standard API to access it. Having to write and maintain N adapters is going to take a toll on the development team. However, I never self-hosted a service like that, so I don't want to give any suggestions about what to use.