I am annoyed at doing auth over and over, when it's other people's software. The promise of the container revolution was that cross-cutting concerns would be handled by the infrastructure / orchestrator, and applications wouldn't have to care about details like authentication, monitoring, logging, etc. None of that really materialized, though. The actual running/scheduling of workloads is currently in a great state, but the cross-cutting concerns are pretty awful. Or actually, they're good, but very much "bring your own". I use managed Kubernetes, but it doesn't give me managed monitoring, managed logging, managed authentication, etc. (Cloud providers sell that, but you have to do all the integration work. Some random Go binary you download won't accept Identity Aware Proxy JWTs and send your metrics to Stackdriver. You have to make that all work yourself.)
I've run into the situation at least twice where some app has bought into that mindset and made auth an external factor (don't send HTTP requests unless the user is authorized), and found that there was pretty much nothing good to provide that feature. So... I wrote my own thing both times, and am loving it. (You could use it too! But I wouldn't necessarily recommend it: https://github.com/jrockway/jsso2) I never have to think about auth again.
Having also done the infrastructure and library work to get Prometheus/Grafana/Jaeger/Loki doing what I want (https://github.com/jrockway/opinionated-server), I am almost happy with the remaining cross-cutting concerns. I am ever closer to my "1 hour app", where I can just type in some code and have a fully-working production-quality app available to users. I'm not there, but I'm getting closer by the year.
(Sometimes I wonder if we were wrong to totally get rid of the "just rsync some PHP files to a server" model. There were good things and bad things going on there; we should bring the good things back.)
Thank you for open sourcing these libraries. Your mindset of an app in an hour really strikes me as pleasant. I’ve used PHP Yii framework and everything used to work that way. From layout till auth till database modelling and generating everything based on that. Loved it! I spent most of my time working in MySQLWorkbench perfecting the database model and the rest was more or less generated.
That is useful for the case where the application you want to run supports OAuth (OIDC actually), and you want to be your own identity provider. The app has to go out of its way to support OIDC, but it's so common that it might be good enough for normal people. And you can turn Dex or another OIDC provider into an authenticating reverse proxy with: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extension...
(I started writing jsso2 before this existed, and didn't want to tie myself to Envoy necessarily... but if I were starting from 0 today, I'd probably just use Dex and that Envoy extension. Seems simple, and has a lot of corporate support behind it for maintenance / security.)