If by "we" you mean Fly, can you tell me if Fly happens to be implementing OIDC (or reusing a third-party implementation) in Elixir, Ruby, or another language? I'm curious about what Fly in particular is using because I know that Fly has invested pretty substantially in Elixir and Phoenix in particular, and I've got a Phoenix app where I want to implement OIDC. We previously implemented SAML by literally using Shibboleth SP. Thanks.

There's a surprisingly long line of folks who would gladly get their face ripped off for SAML. In my experience, it's worth it.

Lol, yeah, having SAML means putting XML parsing into critical security points. No thanks.

Is it that different from parsing JSON? A honest question, what's the difference? Billion laughs attacks and similar?

It's not just XML formatting; it's bizarro stuff like XML canonicalization and comments, and it's in a signature format. It really might be the worst mainstream cryptosystem in the entire industry.

A computer scientist would say they have identical parsing complexity, so not much.

A computer programmer wouldn't even know where to begin, as the chesterton's fence had long been rejustified

But it’s not true in practice. Pure simple XML vs JSON sure. XML you deal with in SAML has tons of extra things like namespaces, canonicalization issues, etc. it is way more complex and has led to many security issues over the years.

I had originally quoted

  "in theory, it's easy in practice. in practice, its easy in theory"

But I thought scientist vs. programmer would be literally analogous and rivet more finches.

Yeah, see the other replies in here. It is just a mess of ancient cruft and unclear implementation guidelines.

Even better: XML signatures, which are very easy to get wrong in both signing and verification.

Yeah, it is a gross morass of pain and cruft and unclear implementation for devs.