That’s funny. I spotted a similar issue in their Go SDK[1] a few years back. I was pretty appalled to see such a basic mistake from a security company, but then again it is Okta.
[1]: https://github.com/okta/okta-sdk-golang/issues/306
cookiengineer 5 hours ago [-]
Kind of funny that stalebots are the new "won't fix" methodology to ignore security issues with plausible deniability.
c-hendricks 4 hours ago [-]
Yeah I got a kick out of that. "We might have fixed your issue, if we didn't, open a new one because we took so long acknowledging this one".
OptionOfT 34 minutes ago [-]
Or 3 years later: can you verify this is still needed.
Why on earth did I spend time in creating a reproducible example?
jonathaneunice 9 hours ago [-]
> I was pretty appalled to see such a basic mistake from a security company, but then again it is Okta.
Oh. Em. Gee.
Is this a common take on Okta? The article and comments suggest...maybe? That is frightening considering how many customers depend on Okta and Auth0.
parliament32 9 hours ago [-]
We evaluated them a while ago but concluded it was amateur-hour all the way down. They seem to be one of those classic tech companies where 90% of resources go to sales/marketing, and engineering remains "minimum viable" hoping they get an exit before anyone notices.
kenhwang 8 hours ago [-]
I'm convinced Okta's entire business model is undercutting everyone with a worse product with worse engineering that checks more boxes on the feature page, knowing IT procurement people aren't technical and think more checkboxes means it's better.
ecshafer 6 minutes ago [-]
"Enterprise Software" is what Tobi Lutke called that in a keynote once. A focus on hitting as many feature checkboxes as possible at the cost of quality.
Y_Y 7 hours ago [-]
Okta sucks balls. That's from my perspective as a poor sod who's responsible for some sliver of security at this S&P listed megacorp that makes its purchasing decisions based on golf partners.
SAI_Peregrinus 8 hours ago [-]
Yep. They're an Enterprise™ company. That means they prioritize features purchasing departments want, not functionality.
swiftcoder 7 hours ago [-]
Yeah, I have the misfortune of inheriting a SaaS that built on auth0, and the whole stack is rather clownish. But they tick all the regulatory boxes, so we're probably stuck with them (until they suffer a newsworthy breach, at any rate...)
inkyoto 11 minutes ago [-]
Okta and auth0 are, fundamentally, two distinct products – conceived, designed, and engineered by entirely separate entities.
auth0, as a product, distinguished itself with a modern, streamlined architecture and a commendable focus on developer experience. As an organisation, auth0 further cemented its reputation through the publication of a consistently high-calibre technical blog. Its content goes deeply into advanced subjects such as fine-grained API access control via OIDC scopes, RBAC, ABAC and LBAC models – a level of discourse rare amongst vendors in this space.
It was, therefore, something of a jolt – though in retrospect, not entirely unexpected – when Okta acquired auth0 in 2021. Whether this move was intended to subsume a superior product under the mediocrity of its own offering or to force a consolidation of the two remains speculative. As for the fate of the auth0 product itself, I must admit I am not in possession of definitive information – though history offers little comfort when innovation is placed under the heel of corporate, IPO driven strategy.
lq9AJ8yrfs 5 hours ago [-]
Among the reasons to leave my last job was a CISO and his minion who insisted spending $50k+ on Okta for their b2b customer and employee authentication was a bulletproof move.
When I brought it up, they said they didn't have anyone smart enough to host an identity solution.
They didn't have anyone smart enough to use Okta either. I had caught multiple dealbreakers-for-me such dubious / conflicting config settings resulting in exposures, actual outages caused by forced upgrades, not to mention their lackluster responses to bona fide incidents over the years.
I use Authentik for SSO in my homelab, fwiw.
ecshafer 3 minutes ago [-]
Keycloak is a great authentication suite, not that hard to configure and rock solid.
Ill never understand this thinking.
hi_hi 6 hours ago [-]
We've recently moved to Auth0. I'm no security expert. Whats the recommended alternative that provides the same features and price, but without the risks suggested here?
mooreds 4 hours ago [-]
Heya, I work for FusionAuth. We have a comparable product for many use cases.
Happy to chat (email in profile), or you can visit our comparison page[0] or detailed technical migration guide[1].
If you’re looking for b2b identity, I’m the founder of WorkOS and we power this for a bunch of apps. Feel free to email me, mg@workos.com
catlifeonmars 2 hours ago [-]
We use WorkOS to support some of our offerings but not for our own corporate identity/authentication. I’m not close to the project so I don’t have experience using WorkOS but definitely curious about replacing Okta.
Exoristos 6 hours ago [-]
It's not difficult to implement OAuth2. There are good libraries, and even the spec is not complicated. Or use AWS Cognito.
pm90 5 hours ago [-]
okta is the worst. Their support is the worst (we always got someone overseas who only seemed to understand anything, probably they were trained on some corpus) and would take forever to loop in anyone that could actually help.
filearts 8 hours ago [-]
I think it is distasteful and disrespectful to call out an employee by name in this way, regardless of the merit of the rest of the OP's post.
iloveplants 7 hours ago [-]
well, it was distasteful of to them to close op's pr and apply the same patch with improper attribution, and then use ai to respond when they were asked about it
atonse 7 hours ago [-]
I agree with the parent post that it's distasteful.
There's no value in naming the employee. Whatever that employee did, if the company needed to figure out who it was, they can from the commit hashes, etc. But there's no value in the public knowing the employee's name.
Remember that if someone Googles this person for a newer job, it might show up. This is the sort of stuff that can disproportionately harm that person's ability to get a job in the future, even if they made a small mistake (they even apologized for it and was open about what caused it).
So no, it's completely unnecessary and irrelevant to the post.
Freak_NL 6 hours ago [-]
> Remember that if someone Googles this person for a newer job, it might show up.
Not to sound too harsh, but this is a person who rudely let AI perform a task badly which should have been handled by just… merging/rebasing the PR after confirming it does what it should do, then couldn't be bothered to reply and instead let the robot handle it, and then refused to fix the mess they made (making the apology void).
That's three strikes.
abraae 6 hours ago [-]
What if it's some junior given a job beyond their abilities, and struggling manfully using whatever tools they have to hand. Is it worth publicly trashing their name? What does their name really add to this article?
jabwd 45 minutes ago [-]
A good lesson. If you as an employer look at this history, and handle it in the interview appropriately (what did you learn / do better now for example) you can figure out if they did.
I'm sure lots won't, but if that is you as an employer you're worth nothing.
5 hours ago [-]
technion 6 hours ago [-]
I agree what occurred is quite egregious. But "use ai to talk to customers" and "play games with signed commits" sound much more like corporate policy than one employees mistake.
mmsc 2 hours ago [-]
Why would the company need to figure it out from commit hashes? It's all public, in public GitHub repositories, with the person's personal GitHub account: https://github.com/auth0/nextjs-auth0/pull/2381
Exoristos 6 hours ago [-]
> This is the sort of stuff that can disproportionately harm that person's ability to get a job in the future.
Isn't that beneficial in this case?
parliament32 6 hours ago [-]
> Remember that if someone Googles this person for a newer job, it might show up.
That's the whole point; I sincerely hope it does. Why would anyone want to hire someone that delegates their core job to a slop generator?
7 hours ago [-]
mmsc 2 hours ago [-]
(op here)
On the one hand, you're right, it is distasteful, I completely agree. On the other hand, GitHub and Google and the public domain internet isn't everybody's CV that they can pick and choose which of their actions are publicised, tailored towards only their successes.
merrvk 6 hours ago [-]
They maintain a public repo.
nstart 3 hours ago [-]
Yea. I can see what the parent is getting at. However the linked PR's contain the employee name. Their username is the same name mentioned in the article. So it would have been the same even if the author had just mentioned the username instead (which would be completely acceptable in all cases). I think junior employee or not, it's clear that they have the autonomy to check a PR for errors and fix it. So it's very much on them.
DrammBA 6 hours ago [-]
I don't think it is distasteful or disrespectful, he's just explaining what happened and why, and he's obviously unhappy with the whole ordeal.
Yasuraka 9 hours ago [-]
Okta is, if you may excuse my French, straight garbage.
altairprime 8 hours ago [-]
And too bad for everyone who was using their former competitor Auth0.
torton 25 minutes ago [-]
I had a fairly fun time using Auth0 a few years back. The ability to run arbitrary code hooks at various points allowed us to do pretty interesting stuff in a managed way without resorting to writing or self-hosting something that was entirely flexible.
sbmthakur 8 hours ago [-]
Why if I may ask?
Hnrobert42 3 hours ago [-]
It's a fair question. I found them way better to implement SSO in my small startup than OneLogin.
Using Auth0 in apps, I find their documentation bafflingly difficult to read. It's not like being thrown in the deep end unexpected to swim. It's like being injected at the bottom of the deep end.God help the poor non-native English speakers on my team who have to slog through it.
hypeatei 9 hours ago [-]
I think GitHub should allow disabling PRs. I don't believe most big corporations are interested in dealing with fly-by contributions because it might make them look bad or be riddled with quality issues.
Also some projects like the Linux kernel are just mirrors and would be better off with that functionality disabled.
jchw 9 hours ago [-]
While that is true, I feel like it is irrelevant here since it seems like Okta definitely wants (and perhaps needs) the fixes. God only knows why GitHub still forces it on though. Early on it might've been some mechanism to encourage people to accept contributions to push the social coding aspect, but at this point I have no idea who this benefits, it mostly confuses people when a project doesn't accept PRs.
hypeatei 9 hours ago [-]
> Okta definitely wants (and perhaps needs) the fixes
They definitely don't want them if their process requires signed commits and their solution is 1) open another PR with the authors info then sign it for them, and 2) add AI into the mix because git is too hard I guess?
No matter how you slice it, it doesn't seem like there are Okta employees who want to be taking changes from third parties.
jchw 3 hours ago [-]
I think that they absolutely still want the free labor. All of those signals just suggest that they're not willing to reciprocate any effort that you put in when you contribute.
petre 9 hours ago [-]
Social on today's Internet = bots and occasionally trolls
mananaysiempre 9 hours ago [-]
GitHub actually can natively mark a repo as a mirror (or could? I can’t find an example now, but they have always been rare). The book-with-bookmark icon before “user / repo” in the page header is replaced by a mirror-and-reflection-ish–looking thing, and the badge after it changes from “Public” to “Public mirror”. Unfortunately, forcing you into “social coding” (wait, is that no longer on the homepage?) takes priority, so that mark can only be given out by GitHub staff through manual intervention, and it doesn’t often happen.
terminalbraid 6 hours ago [-]
Maybe the community should use less of github if github doesn't provide features the community finds useful.
9 hours ago [-]
theoldgreybeard 8 hours ago [-]
You couldn't pay me a billion dollars to use Okta.
pphysch 8 hours ago [-]
Sadly many people will spend a million dollars to use Okta for their 10,000 logins/day (read: <1 tps) instead of running their own Keycloak or Authentik or whatever.
OIDC is not scary, and advanced central authorization features (beyond group memberships) are a big ole YAGNI / complexity trap.
p_ing 7 hours ago [-]
Running your own local AuthN/AuthZ is more than just 'install it on a box in the closet'. I don't blame anyone for letting one of the giants do this on their behalf -- they have the expertise, though I agree I wouldn't touch Okta.
kondro 3 hours ago [-]
Running your own AuthN/AuthZ with an off-the-shelf OSS is very straight-forward (as a SaaS product at least) and isn't any more burdensome from a security perspective than what you're already doing for your core service.
This isn't email.
p_ing 3 hours ago [-]
Running Active Directory is as easy as it gets. Protecting the Golden Ticket is not.
pphysch 7 hours ago [-]
For your average enterprise it really is that simple. Register some IDPs. Connect a backend. Add some clients over time.
Yes, you need someone to wear the IAM admin hat. But once you get it configured and running it requires 0.1 FTE or less (likely identical to whatever your Okta admin would be). Not worth 6+ figures a year and exposure to Okta breach risk.
p_ing 4 hours ago [-]
No, it isn't "simple". Protecting your IdP is critical and not easy.
Yes, creating a SAML integration is easy, but that's only one piece of the puzzle.
pphysch 3 hours ago [-]
Paying Azure a little bit to run an AD instance for you, IF you need to run your own IDP (a big if), is not a bad play and does not prevent you from saving lots of money by not using a dubious product like Okta.
3 hours ago [-]
trollbridge 8 hours ago [-]
The workload to run Authentik locally is about identical to the workload to set up and configure Okta. (Or you could just fine someone who will host Authentik for you, if deploying a container is too hard for you.)
mrcwinn 8 hours ago [-]
You just literally saved me one billion dollars. The offer was incoming!
DrammBA 6 hours ago [-]
I find it funny that this seemingly fictitious person Simen A. W. Olsen my@simen.io will forever be engraved as a co-author of a one-line change in the nextjs-auth0 repo.
Simen Olsen is not fictitious, but the "my@" email/username seems to be. Zero hits on DDG, and only this article comes up in Google Search.
4 hours ago [-]
rcleveng 9 hours ago [-]
Honestly when I saw Okta in the headline, I had assumed the article was going to say they were breached again.
This one is amusing, and as another comment mentioned below, large companies are awful at accepting patches on github. Most use one-way sync tools to push from their internal repositories to github.
deepsun 4 hours ago [-]
Okta requiring to create a video for a pretty obvious vulnerability shows that Okta does not take security seriously, contrary to what they say at their earnings calls. Sounds like deceiving their investors.
fudged71 5 hours ago [-]
I'm currently building on the Auth0 SaaStarter because it seemed to be the only option in the market for something with all the core features enterprises are looking for. Is there an alternative that doesn't require building from scratch?
2 hours ago [-]
RagnarD 8 hours ago [-]
I've been quite happy with FusionAuth so far. Free to run on your own server, easy to understand and set up, easy to program against, reliable.
wingmanjd 7 hours ago [-]
We're another happy FusionAuth customer. We started with self-hosted but just moved to their hosted option this year.
burnt-resistor 44 minutes ago [-]
Don't outsource SSO to any IdMaaS. It's too critical. And especially not to Okta.
jchw 9 hours ago [-]
IANAL but unfortunately, I think the fix itself shown here might be too simple to actually clear the bar for copyright eligibility. (And in fairness to copyright law, it is basically the only sane way to fix this.) That means that there's probably not much you can really do, but I will say this looks fucking pathetic, Okta.
rikafurude21 8 hours ago [-]
I'm more confused by the fact that the OP freely submits a PR into an open source repo but then wants to use "copyright" because the code he submitted ended up being used under the wrong name, which was then corrected.
jchw 3 hours ago [-]
Licensing your code under open source licenses does not nullify your rights under copyright law, and the license in this case does not waive any rights to attribution.
It would indeed be copyright violation to improperly attribute code changes. In this case I would absolutely say a force push is warranted, especially since most projects are leaning (potentially improperly) on Git metadata in order to fulfill legal obligations. (This project is MIT-licensed, but this is particularly true of Apache-licensed projects, which have some obligations that are surprising to people today.) A force push is not the end of the world. You can still generally disallow it, but an egregious copyright mistake in recent history is a pretty good justification. That or, literally, revert and re-add the commit with correct attribution. If you really feel this is asking too much, can you please explain why you think it's such a big problem? If it's such a pain, a good rule of thumb would be to not fuck this up regularly enough that it is a major concern when you have to break the glass.
detaro 8 hours ago [-]
Why is it confusing to you to expect attribution?
rikafurude21 8 hours ago [-]
thats not the confusing part, its rather confusing to threaten to sue for copyright because of mistaken attirbution
cyberpunk 6 hours ago [-]
He even asked them to force-push a new history because they got the name wrong!
Mistakes happen, I guess this hurts his 'commits in a public repo' cv score.
avree 7 hours ago [-]
FWIW, the employee reply (who the author is putting on blast) seems like it was written by a human, not an AI.
"You're absolutely right!" is the Claude cliche (not a ChatGPT one) - "You are absolutely correct." is not that.
DrammBA 6 hours ago [-]
Directly from the employee (tusharpandey13) in the github PR:
> Yeah, i had to manually stop it and delete the ai-generated comment.
dovys 3 days ago [-]
You're either free OSS that gets flooded with AI slop PRs to overwhelm maintainers or you're a corporate OSS that uses AI slop to frustrate contributors. Are there any positive stories I've not seen?
I LOVE LLMs as a learning tool. I HATE LLMs as a communication tool. I know, there are people with serious handicaps who benefit from LLMs in this area. If only I could talk to those people and not wade through all this other garbage.
Especially when the AI is being represented as a person, this to me is dishonest. Not to mention annoying, almost more-so than the number of different apps that think they are important enough to send me push notifications to fill out a survey (don’t even get me started).
whichquestion 8 hours ago [-]
LLMs have definitely helped me reduce my social anxiety when writing, especially in a technical work setting. I don’t use it like the respondent in the article though, I would feel really embarassed to not edit an llm’s output to be in my own voice. But I feel it helps provide me with some structure in whatever I’m trying to write when I don’t have the mental energy or wherewithal to provide it myself.
Traubenfuchs 8 hours ago [-]
Is there any non shite managed oAuth solution with a free tier available?
Auth0 really is super easy and comfortable to integrate and I don‘t want to run my own keycloak or whatever.
trollbridge 8 hours ago [-]
Authentik?
Traubenfuchs 7 hours ago [-]
> Replace Okta
Aren't they cheeky!
Thanks, I will try.
DetroitThrow 9 hours ago [-]
Security companies that prioritize bugs being sold rather than be reported will eventually blow up. Good luck Okta shareholders.
yahoozoo 5 hours ago [-]
[dead]
Brian-Watkins 7 hours ago [-]
[flagged]
Will-Reppeto 9 hours ago [-]
[flagged]
roze_sha 9 hours ago [-]
Is this ai generated
transcriptase 9 hours ago [-]
More than likely. Look at the users most recent comment with the random “ at the end too.
Aldipower 9 hours ago [-]
WTF is Okta?
mrweasel 7 hours ago [-]
Basically an enterprise single sign on solution. We use it to allow staff to sign into pretty much any external service using Gsuite credentials.
mananaysiempre 8 hours ago [-]
An auth integrator, a pretty notable one, mostly (originally?) OAuth I think. Multiple people calling it a trash fire here came as a surprise to me, but I defer to their experience.
trollbridge 8 hours ago [-]
Okta was state of the art a decade ago.
Rendered at 03:43:59 GMT+0000 (UTC) with Wasmer Edge.
Why on earth did I spend time in creating a reproducible example?
Oh. Em. Gee.
Is this a common take on Okta? The article and comments suggest...maybe? That is frightening considering how many customers depend on Okta and Auth0.
auth0, as a product, distinguished itself with a modern, streamlined architecture and a commendable focus on developer experience. As an organisation, auth0 further cemented its reputation through the publication of a consistently high-calibre technical blog. Its content goes deeply into advanced subjects such as fine-grained API access control via OIDC scopes, RBAC, ABAC and LBAC models – a level of discourse rare amongst vendors in this space.
It was, therefore, something of a jolt – though in retrospect, not entirely unexpected – when Okta acquired auth0 in 2021. Whether this move was intended to subsume a superior product under the mediocrity of its own offering or to force a consolidation of the two remains speculative. As for the fate of the auth0 product itself, I must admit I am not in possession of definitive information – though history offers little comfort when innovation is placed under the heel of corporate, IPO driven strategy.
When I brought it up, they said they didn't have anyone smart enough to host an identity solution.
They didn't have anyone smart enough to use Okta either. I had caught multiple dealbreakers-for-me such dubious / conflicting config settings resulting in exposures, actual outages caused by forced upgrades, not to mention their lackluster responses to bona fide incidents over the years.
I use Authentik for SSO in my homelab, fwiw.
Ill never understand this thinking.
Happy to chat (email in profile), or you can visit our comparison page[0] or detailed technical migration guide[1].
0: https://fusionauth.io/compare/fusionauth-vs-auth0
1: https://fusionauth.io/docs/lifecycle/migrate-users/provider-...
There's no value in naming the employee. Whatever that employee did, if the company needed to figure out who it was, they can from the commit hashes, etc. But there's no value in the public knowing the employee's name.
Remember that if someone Googles this person for a newer job, it might show up. This is the sort of stuff that can disproportionately harm that person's ability to get a job in the future, even if they made a small mistake (they even apologized for it and was open about what caused it).
So no, it's completely unnecessary and irrelevant to the post.
Not to sound too harsh, but this is a person who rudely let AI perform a task badly which should have been handled by just… merging/rebasing the PR after confirming it does what it should do, then couldn't be bothered to reply and instead let the robot handle it, and then refused to fix the mess they made (making the apology void).
That's three strikes.
I'm sure lots won't, but if that is you as an employer you're worth nothing.
Isn't that beneficial in this case?
That's the whole point; I sincerely hope it does. Why would anyone want to hire someone that delegates their core job to a slop generator?
On the one hand, you're right, it is distasteful, I completely agree. On the other hand, GitHub and Google and the public domain internet isn't everybody's CV that they can pick and choose which of their actions are publicised, tailored towards only their successes.
Using Auth0 in apps, I find their documentation bafflingly difficult to read. It's not like being thrown in the deep end unexpected to swim. It's like being injected at the bottom of the deep end.God help the poor non-native English speakers on my team who have to slog through it.
Also some projects like the Linux kernel are just mirrors and would be better off with that functionality disabled.
They definitely don't want them if their process requires signed commits and their solution is 1) open another PR with the authors info then sign it for them, and 2) add AI into the mix because git is too hard I guess?
No matter how you slice it, it doesn't seem like there are Okta employees who want to be taking changes from third parties.
OIDC is not scary, and advanced central authorization features (beyond group memberships) are a big ole YAGNI / complexity trap.
This isn't email.
Yes, you need someone to wear the IAM admin hat. But once you get it configured and running it requires 0.1 FTE or less (likely identical to whatever your Okta admin would be). Not worth 6+ figures a year and exposure to Okta breach risk.
Yes, creating a SAML integration is easy, but that's only one piece of the puzzle.
He's not fictitious I think.
This one is amusing, and as another comment mentioned below, large companies are awful at accepting patches on github. Most use one-way sync tools to push from their internal repositories to github.
It would indeed be copyright violation to improperly attribute code changes. In this case I would absolutely say a force push is warranted, especially since most projects are leaning (potentially improperly) on Git metadata in order to fulfill legal obligations. (This project is MIT-licensed, but this is particularly true of Apache-licensed projects, which have some obligations that are surprising to people today.) A force push is not the end of the world. You can still generally disallow it, but an egregious copyright mistake in recent history is a pretty good justification. That or, literally, revert and re-add the commit with correct attribution. If you really feel this is asking too much, can you please explain why you think it's such a big problem? If it's such a pain, a good rule of thumb would be to not fuck this up regularly enough that it is a major concern when you have to break the glass.
Mistakes happen, I guess this hurts his 'commits in a public repo' cv score.
"You're absolutely right!" is the Claude cliche (not a ChatGPT one) - "You are absolutely correct." is not that.
> Yeah, i had to manually stop it and delete the ai-generated comment.
Especially when the AI is being represented as a person, this to me is dishonest. Not to mention annoying, almost more-so than the number of different apps that think they are important enough to send me push notifications to fill out a survey (don’t even get me started).
Auth0 really is super easy and comfortable to integrate and I don‘t want to run my own keycloak or whatever.
Aren't they cheeky!
Thanks, I will try.