Cloudflare launched self-managed OAuth for all(blog.cloudflare.com)

123 pointsby terryds5 hours ago13 comments

zaptheimpaler3 hours ago
Oauth and enterprise auth has to be the worst thing ever made, it might be the most confusing and frustrating part of dealing with the cloud. Even the AI tools took a year to just get basic Oauth working on headless systems without assuming you could open a browser. If they're going to go down the auth rabbit hole with RBAC/IAM/Workload identities?/service accounts and all the trash the big cloud providers have, I just hope to god they leave in the simple shit for personal use. I just want a damn API key, I keep it a secret and revoke if necessary and don't need 10000 layers of auth bullshit tangled up in every layer of every platform.
- cad21 minutes ago
  Don't get me wrong but data shows that you will likely fail to keep that api key a as secret and you will also fail to revoke when it becomes necessary. You will definately not going to rotate it frequently as you should.
  Good thing about the OAuth2/OIDC is these things will not put the trust on the bearer of the api key, but on actual identity that needs to have the access.
- willtemperley3 hours ago
  What I don't understand is why OAuth is rarely talked about in a privacy context, however your OAuth provider knows all the sites you log into and when.
  It's a privacy nightmare.
  - vintermann2 hours ago
    Your OAuth provider can also vouch for anyone who pretends to be you, if they so desire. They can give access to anyone, including themselves.
  - spaghettifythis3 hours ago
    Though given most people use gmail or outlook, the two main oauth providers (Google and Microsoft) will know anyway
    willtemperley2 hours ago
    True they'd know which sites you've signed up to, but not the login times, unless the service emails you every time you log in.
  - userbinator2 hours ago
    Centralised identity is basically the government... and having some other entity behave the same way is not good.
- jofzaran hour ago
  We had a security report for a oauth vuln and it was the worst thing I have ever read, the whole thing is like spaghetti that "just works" until it doesn't because you feed it something similar.
  Never want to touch oauth, it's a fucked spec.
- jurgenaut233 hours ago
  I am tempted to agree with you because I could never quite wrap up my head around it, but I never had to implement OAuth beyond a brief skim through the doc for my own understanding. I always thought this complexity was there for some good reason (security?).
  - messe2 hours ago
    > was there for some good reason (security?).
    To cover the myriad of (sometimes downright stupid) requirements that large enterprises have.
  - iririririran hour ago
    far from it! it was just designed by comitee who both future proofed it and made sure it worked on low powered devices from 1971.
    i make a point to implement oauth from scratch, because using the overly complex libraries expose you to bugs such as attacker sending a token which the metadata just says "no encryption or signature. trust me bro", which is actually part of the spec if you combine some options.
    while in the real world, if google or apple sends you a token that is not always the same signature cypher (one of a dozen by the spec) you are better of threating as malicious, because it pretty much is. a manual implementation of a token consumer is about 20 lines... including downloading the provider keys and checking it (which most startups never do! allowing anyone to just sign a token as anyone)
sandeepkd4 hours ago
Not sure whats the play here, there is no world where this can turn out good. Cloudflare is more or less infrastructure provider, this idea of some user delegating permissions to their account to some third party client for infrastructure is ripe for abuses. If companies like AWS are not doing it then its for a good reason.
- ZiiSan hour ago
  AWS do exactly this. An example use-case is IAM can grant permission to update a Lambda to a Github action running in a given repository.
  - sandeepkdan hour ago
    Personally I dont like the way they do it, its hard to understand, if anything its convoluted.
    In case of AWS, you add Github as an IDP (OIDC provider) and associate a role to it.
    Github is now authenticating into AWS, scoped to the github repository where its configured and the AWS role it can assume
    Its not really a typical OAuth2 or OIDC flow. And yes its better than storing the keys.
    Github is not the OAuth client here.
- ok_dad4 hours ago
  Do you understand what OAuth is? It’s like an API key but less likely to be abused. This is a good thing. It helps security in many ways and makes security flows more safe than carrying around a token.
  - sandeepkdan hour ago
    I really feel sad about the state of security and its bit hard to unwrap in one paragraph which makes it more challenging. Let me try to be bit more verbose
    Cloudflare API Keys - You create them and then use those keys directly against cloudflare API's to manage services/infrastructure in your account. How you create the keys is may be a different kind of challenge.
    OAuth flow in discussion here - You are using a third party service (which registers themselves as a the client application with cloudflare), this service is going to prompt you for OAuth flow and redirect to Cloudflare, not (only) to authenticate you but it will get a access token on your behalf (your cloudflare account) from Cloudflare. Whatever this THIRD PARTY service uses this token for your behalf is going to incur infrastructure cost for your account.
    ok_dadan hour ago
    Yea and if you need to use that service then an API key does the same thing. People were giving these services the API keys which isn’t great. You can argue that third party services aren’t a good idea, but then why are you using cloudflare? I don’t understand why you think this is a security issue, if you don’t trust a third party service don’t use it. You have to approve the permissions, they don’t just steal them.
    Sorry if I was rude earlier but saying OAuth is some security flaw made me think that you didn’t understand what it was about; it’s just a way to grant permissions to a third party you trust. If you do then I’m curious why you think it’s flawed.
  - usr11063 hours ago
    Maybe he doesn't. And I know that I don't (at least not in depth). And that's the frightening thing here. Using a protocol that many don't understand for access to valuable resources
    ok_dad43 minutes ago
    OAuth is pretty simple, just read the spec.
    Your go to a third party web site. They send you to your OAuth provider, like cloudflare. Cloudflare asks you to login if you’re not logged in, then asks if you want to give that party certain permissions. You say yes or no and then click approve and then you get redirected back to the third party site. They get a secure token and can use that to access the services with permissions you approved. If you don’t trust the third party then don’t approve it.
    It is like an API key but you never have to touch it. The third party can encrypt it and store it securely and it never has to be copied and pasted. You can use this on backend services that need to access things too. I recently wrote an OAuth client for MCP servers for something I’m building (not gonna advertise here because that’s rude) and it’s very nice once you read the spec.
- codebje4 hours ago
  How different is this to, eg, the Google developer program, in which I can create a new OAuth client for Google users?
  - sandeepkd2 hours ago
    OAuth2, to be more precise, is a protocol which can be used both for authentication (verifying the user) and authorization (accessing resources on behalf of that user).
    Most people in CIAM (customer identity, individuals owing their account instead of representing a company) only interact with OAuth client for authentication. They do not give access of their google account to some THIRD PARTY COMPANY.
    smw26 minutes ago
    Sure they do. All the time! For example, if you want to use a script in Google Docs these days, you have to go through an oauth flow to give that script's app permission to do certain actions in your Docs.
utopiahan hour ago
Classic Cloudflare, for all, works well, not too expensive... but, and consequently of all those positive attributes, positioning itself at the center of everything.
- swyxan hour ago
  i mean. fair trade?
necovek3 hours ago
I thought I understood what Oauth was (a standardized protocol to provide per-client access keys), but this article confuses me.
What's a "self-managed" Oauth here? What is access is being granted to, who are the clients, who are the partners...?
Anyone care to elaborate?
- Groxx3 hours ago
  >Earlier this month, we announced self-managed OAuth, making it easier for customers to create and manage their own OAuth clients for delegated access to the Cloudflare API.
  They're letting you host an OAuth system to approve/deny access to your own resources, so you can build whatever logic you like, rather than waiting on them to allow you to do X under Y conditions. Essentially "log into CloudFlare" -> CF sees you're using this self-managed OAuth -> redirect to your OAuth -> CF trusts your response, and approves access to your account if you approve access.
Exoristosan hour ago
You'd think implementing OAuth2 were splitting the atom the way so many dev teams won't even consider rolling their own or using the multiple well-tested free libraries.
rcarmoan hour ago
Nice, but as usual if you want a 3-step “getting started” example you have to wade through the docs, and even then…
asdf889904 hours ago
Cloudflare turning into a Cloud platform is undoing what it was really doing well: making small clouds and diy hosting manageable in the hostile web environment.
Once their revenue from Cloud services overtakes their core offering, bye bye Cloudflare free and so on.
- rozenmd3 hours ago
  Cloudflare free is the business model: https://blog.cloudflare.com/cloudflares-commitment-to-free/
  - asdfsa322 hours ago
    If you carefully read the article, it just explain how it is an economic decision, and one which sooner or later will be no longer the case once they can capitalise on with anything above free, which is the lowest of the lowest bars.
    But even to entertain this is crazy, not because of decades of history of capitalist and market enterprise in general, but very specific cases of Technology Companies starting with these kind of feel good ideas and declaring "Don't be evil" or things like " access, safety, and shared prosperity" as their core ideals, turn into absolute panopticon and collaborate with unjust killing of women and children in less than a decade.
    The market isn't for free.
- reed12344 hours ago
  I doubt it. It’s cheap to run and a good funnel
- weird-eye-issue3 hours ago
  > Once their revenue from Cloud services overtakes their core offering, bye bye Cloudflare free and so on.
  Wait so what do you think their core offering is?
  - kordlessagain2 hours ago
    Man-in-the-middle everything.
  - asdfsa322 hours ago
    DDoS Protection?
    39975315782 hours ago
    [dead]
- NicoJuicyan hour ago
  You don't know Cloudflare?
  Their first products were production grade examples of the SDN that required a lot of bandwidth (DDOS/CDN).
  The cloud is a logical continuation.
  Their business was always the "internet", see their ticker => NET.
  Dev free is part of the marketing cost and would stay under the current leadership.
gnabgib5 hours ago
Title: Unlocking the Cloudflare app ecosystem with OAuth for all
fithisuxan hour ago
Cloudflare to cut about 20% of its workforce
https://news.ycombinator.com/item?id=48054423
iririririran hour ago
the end game: they will start requiring proof of id to access resources they host.
probably getting ahead of something the UK and some us states will require soon, as they already require from the sites behind cloudflare.
xyzzy_plugh4 hours ago
This is such a weird blog post.
It's full of technical details, but I'm really not sure who they're for. There's nothing particularly novel or impressive. If anything the fact that it took them this long should be embarrassing. They pad it out with a table of stats that are just kind of meh? Congrats I guess for releasing something without burning the house down?
As an on-and-off customer of theirs I tried to quickly skim for some of the details that would impact me, the theoretical end-user, but the vast majority of TFA is just about how they pulled off this apparent feat of engineering.
I'm not trying to be pessimistic, and I don't fault the author (but I question the culture). I honestly don't get who this is for.
For the record this is something they should have had... at least six or seven years ago?
- parsadotsh4 hours ago
  I for one appreciate them sharing this and found it a very interesting read. Many of us don't have experiences at companies at this scale and so it's nice whenever I get to read about what happens behind the scene.
  - xyzzy_plugh3 hours ago
    Usually I expect an eng blog post to be a recruitment vehicle, wherein the authors articulate a really hard problem they solved, or some novel approach they took, or the cool new open source project they released (for their future SaaS play).
    But this is so mundane it bothers me in a way I find surprising. It's more about how they made some questionable choices in the past and how they finally paid off that technical debt. Is it interesting? Perhaps I am just getting old and jaded.
    What I find odd is how light TFA is on actual details as to what it is they shipped.
    This is the kind of thing I'd ship internally to the org as part of a weekly update or something, but not what I'd expect on a public-facing corporate blog.
system23 hours ago
I hope Cloudflare does not turn into Google, with so many different things that they will eventually kill all of these services randomly because of the maintenance cost.
- holistio3 hours ago
  I still kind of think of Cloudflare as "big ass CDN".
  I can't keep track of all the new things they do. Something-something-R2? Maybe?
firasd10 minutes ago
[dead]