
HTTP basic auth, TLS with client certs.


Those things don't do what OIDC does?


They do them with much less complexity than OIDC.


They absolutely do not and also introduce a significant amount of overhead with respect to key/certificate management.


And security (basic auth is as good as sending clear text passwords).


> sending clear text passwords

Which is totally fine to do over HTTPS.


Passwords need to be sent both with the request, and to the requestor. I think GP is referring to sending credentials to the service making the request.

It is far better to give service XYZ a time-bound and scope limited token to perform a request than a user's username and password.
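An added illustration of the point above (not from the thread): what service XYZ learns from a Basic header versus what a scoped, time-bound token lets it do. The token here is a minimal HMAC-signed stand-in, not OIDC; the shared secret and the sample credentials are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret shared by the token issuer and the verifying service.
SECRET = b"demo-issuer-key"

# Constructed Basic header for user "alice" with password "hunter2".
SAMPLE_BASIC = "Basic YWxpY2U6aHVudGVyMg=="


def credential_from_basic(header: str) -> dict:
    """What service XYZ learns from a Basic header: the user's raw password."""
    b64 = header.split(" ", 1)[1]
    user, password = base64.b64decode(b64).decode().split(":", 1)
    # No expiry and no scope: this secret works for everything, indefinitely.
    return {"user": user, "password": password, "scope": "*", "exp": None}


def mint_token(user: str, scope: str, ttl: int, now: int) -> str:
    """Issue a token bound to one scope and a short lifetime (HMAC-signed)."""
    claims = {"sub": user, "scope": scope, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, required_scope: str, now: int) -> Optional[dict]:
    """Service XYZ accepts the token only if it is signed, unexpired and in scope."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return None  # time-bound: expired tokens are useless to a leaker
    if claims["scope"] != required_scope:
        return None  # scope-limited: a read token cannot be used to write
    return claims
```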


Isn't Google moving toward phasing out TLS client certs in chrome/chromium?


Do you have any source for that? I can't find anything online about this, but that would effectively kill browser mTLS.


Chromium removed support for generating TLS Client Certs within chrome in 2016 [0] and ever since then it has gotten harder and harder to use mTLS in Chrome/Chromium. Ten years ago it wasn't a great UX, but now it isn't even obvious how to use it. The impression I've gotten is that Chrome isn't interested in mTLS.

[0]: https://groups.google.com/a/chromium.org/g/blink-dev/c/z_qEp...



