Okta's NextJS-0auth troubles
Perception of Okta/Auth0 and Security Posture
- Multiple commenters describe Okta (and increasingly Auth0 post‑acquisition) as “enterprise checklistware”: heavy on features and sales, weak on engineering quality, UX, and incident response.
- Several recount past vulnerabilities or breaches and see a pattern of “at least one major breach a year.” Others note Auth0 was also hacked before acquisition, so the situation is not new.
- Some found Okta/Auth0 integration painful (weird LDAP endpoints, brittle SDKs, confusing docs, broken “stay signed in”) and say they’d avoid the products entirely for new work.
Build vs Buy: Outsourcing Identity
- One camp argues OAuth2/OIDC and SSO are tractable problems; for many use cases, rolling your own or using self‑hosted OSS (Keycloak, Authentik, etc.) is manageable and avoids vendor risk and cost.
- Another camp stresses that auth providers are hard to operate securely at scale (internet‑facing, high‑load, high‑impact on downtime), which motivates offloading to specialist vendors despite their flaws.
- Several point out that executives often buy “nobody got fired for buying IBM”–style solutions (Okta, Microsoft Entra) for perceived safety, compliance checkboxes, and career risk management, not actual security quality.
OAuth2/OIDC Complexity and Interop
- One detailed thread argues OAuth2/OIDC are inherently complex and ambiguous, causing divergent vendor behavior around claims (e.g., groups), token formats, and federation, making robust interop painful.
- Others push back, saying the specs are straightforward in practice and that many problems stem from sloppy implementations rather than protocol design.
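Much of the disagreement above is about what the specs leave open versus what implementers get wrong. As an added example, not from the thread or from any vendor SDK, the block below shows the relying‑party side in Python: the checks OIDC Core requires on every ID token's claims (issuer, audience and azp, expiry, issuance time, nonce), followed by a group‑claim normaliser that accepts a few provider‑specific shapes and fails closed on anything else. Signature verification of the JWT is assumed to have already happened and is out of scope; apart from the Keycloak `realm_access.roles` layout, the claim names and shapes are constructed for illustration and should be checked against your own IdP's documentation.

```python
"""Added example (not from the thread, not vendor code): OIDC ID-token claim
validation plus group-claim normalisation across divergent IdP shapes.
Assumes the JWT signature has ALREADY been verified against the issuer's keys."""
import time


class InvalidToken(Exception):
    """Raised on any claim the relying party cannot accept."""


def validate_id_token_claims(claims, issuer, client_id, nonce=None, now=None, leeway=60):
    """The checks OIDC Core 3.1.3.7 puts on the relying party, on a decoded
    claims dict. Returns the same dict on success, raises InvalidToken otherwise."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise InvalidToken("issuer mismatch")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise InvalidToken("audience mismatch")
    # With several audiences the token must name us as the authorized party.
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise InvalidToken("azp missing or mismatched with multiple audiences")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise InvalidToken("token expired")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise InvalidToken("token issued in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise InvalidToken("nonce mismatch")
    return claims


def _as_name_list(value, claim_name):
    """Accept a list of strings or a space/comma separated string; reject the rest."""
    if isinstance(value, list):
        if not all(isinstance(v, str) for v in value):
            raise InvalidToken(f"{claim_name}: non-string entry")
        return [v for v in value if v]
    if isinstance(value, str):
        return [v for v in value.replace(",", " ").split() if v]
    raise InvalidToken(f"{claim_name}: unexpected type {type(value).__name__}")


def extract_groups(claims, candidate_claims=("groups", "roles")):
    """Return a sorted, de-duplicated list of group names from an ID token.

    Shapes handled (constructed for this example, except the Keycloak one):
      "groups": ["admins", "devs"]             list of strings
      "groups": "admins devs" or "admins,devs" delimited string
      "realm_access": {"roles": [...]}         Keycloak realm roles
      claim absent                             -> [] (caller treats as no access)
    Any other shape raises rather than silently yielding an empty list."""
    found = set()
    for name in candidate_claims:
        if name in claims:
            found.update(_as_name_list(claims[name], name))
    realm = claims.get("realm_access")
    if isinstance(realm, dict) and "roles" in realm:
        found.update(_as_name_list(realm["roles"], "realm_access.roles"))
    return sorted(found)


def is_allowed(groups, required):
    """Authorization decision against an explicit allow-list of group names."""
    return any(g in required for g in groups)


if __name__ == "__main__":
    # Constructed claims, as an IdP might put them in an ID token.
    sample = {"iss": "https://issuer.example", "aud": "my-app", "exp": 2_000,
              "iat": 1_000, "nonce": "n1", "groups": ["admins", "devs", "admins"]}
    validate_id_token_claims(sample, "https://issuer.example", "my-app", nonce="n1", now=1_500)
    print(extract_groups(sample), is_allowed(extract_groups(sample), {"admins"}))
```

The two design choices worth copying are that a missing group claim yields an empty list (the caller then denies), while a malformed one raises, so a provider that changes its claim shape causes a visible failure instead of a silent loss of authorization data.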
Alternatives and Tradeoffs
- Commenters recommend FusionAuth, Authentik, Zitadel, WorkOS, Keycloak, or even AWS Cognito, with mixed opinions on each.
- Some praise Auth0’s “actions” and hook system as uniquely powerful, lamenting that few competitors match its extensibility.
AI Use in Code and Communication
- The thread is heavily critical of “AI slop”: auto‑generated PRs and AI‑written maintainer replies, especially for security‑sensitive code.
- Some do note LLMs can help with writing and reducing social anxiety when used as drafting tools, but there is strong aversion to using them to replace human review or interaction.
GitHub Workflow, Stalebots, and Attribution
- Stalebots are criticized as a way to silently discard real issues and security reports under the guise of “inactivity.”
- People debate GitHub’s lack of a “disable PRs” option, especially for corporate mirrors.
- The specific incident draws anger over mis‑attributed patches and AI‑mediated responses; several insist that proper copyright and attribution still matter even for tiny fixes and MIT‑licensed code.
Naming the Employee
- There’s a split on whether calling out the individual maintainer by name is fair.
- One side sees it as legitimate accountability for public actions in a public repo; the other views it as disproportionate harm to a possibly junior employee following bad corporate policies.