Post AdWPLvCAf1hVfexjAO by joncruz@mstdn.social
(DIR) Post #AdVpIQslJKTsRDvAPY by simon@fedi.simonwillison.net
2024-01-04T19:43:23Z
0 likes, 0 repeats
Glad to see I'm not the only person howling with despair at how difficult it is to build anything that involves OpenID Connect in the comments on this Hacker News thread https://news.ycombinator.com/item?id=38868610
(DIR) Post #AdVpTVrR8mcl43aJE0 by simon@fedi.simonwillison.net
2024-01-04T19:45:15Z
0 likes, 0 repeats
Some day I really do intend to make my way through https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform - but every time I look at that page my willpower disintegrates within seconds
(DIR) Post #AdVpfn3T2VQ7rk4A88 by andypiper@macaw.social
2024-01-04T19:47:37Z
0 likes, 0 repeats
@simon ... I suppose that's a bullet dodged in my case then, that was on the agenda for Twitter API v2 once upon a time, and I would have strongly disliked having to be the support person... 😬
(DIR) Post #AdVq4aR168W3xruAj2 by ocramz@sigmoid.social
2024-01-04T19:50:39Z
0 likes, 0 repeats
@simon same, I guess it's because "federated identity" further erodes developer agency (in addition to having documentation from h+ll)
(DIR) Post #AdVqHFEPF7rVy52gYS by brar@floss.social
2024-01-04T19:53:44Z
0 likes, 0 repeats
@simon 💯 The web is full of "look how simple it is to build a web API with our framework" examples that somehow seem to forget that almost no real world API works without authentication/authorization these days. Once you add this tiny detail, nothing is simple or beautiful any more.
(DIR) Post #AdVqZMCS4aZ8nDlTv6 by evan@cosocial.ca
2024-01-04T19:57:46Z
0 likes, 0 repeats
@simon The old ways are the best ways https://www.youtube.com/watch?v=mRXH7hUbqbY
(DIR) Post #AdVrOh0STTFs5ldLdY by simon@fedi.simonwillison.net
2024-01-04T20:06:39Z
0 likes, 0 repeats
@evan Wow, recorded 17 years ago! https://simonwillison.net/2006/Dec/22/screencast/
(DIR) Post #AdVvfP9oUQSfTQEYm8 by ajs@toot.community
2024-01-04T20:54:56Z
0 likes, 0 repeats
@simon I’ve set OIDC up with AWS and GCP and it’s intimidating at first sight. But also totally worth it when you realise you don’t need to manage and worry about the tokens/secrets any more. The actions just implicitly run as the service account, just as if you’re using workload identity in a VM or CloudRun action or whatever. Totally worth it.
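As an added illustration of the setup ajs describes (this is not code from the thread or from the google-github-actions project; PROJECT_NUMBER, POOL_ID, PROVIDER_ID, the service account and the bucket name are placeholders for values you create in your own project): a minimal GitHub Actions workflow that authenticates to Google Cloud through Workload Identity Federation instead of a stored service-account key. The `id-token: write` permission lets the job request a short-lived OIDC token from GitHub, and the `google-github-actions/auth` step exchanges it for short-lived Google credentials, so no long-lived secret is stored in the repository.

```yaml
name: deploy
on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token for this run

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for short-lived Google Cloud credentials.
      # Placeholders: replace PROJECT_NUMBER, POOL_ID, PROVIDER_ID and the
      # service account with the ones from your own pool/provider setup.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
          service_account: deployer@PROJECT_ID.iam.gserviceaccount.com

      - uses: google-github-actions/setup-gcloud@v2

      # Sanity check: the active account should be the service account above.
      - run: gcloud auth list

      # From here on, gcloud runs as the service account; no key file in the repo.
      - run: gcloud storage rsync ./site gs://BUCKET_NAME --recursive
```

The part that matters for security is not in the workflow at all but in the provider created on the Google Cloud side: its attribute condition (for example, restricting `assertion.repository_owner` to your organisation) is what decides which repositories may assume this service account. A provider without such a condition would accept tokens from any GitHub repository, so verify the condition, and give the service account only the roles the deployment actually needs.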
(DIR) Post #AdVw5m2a25ADySQMzo by simon@fedi.simonwillison.net
2024-01-04T20:57:03Z
0 likes, 0 repeats
@ajs I'm sure it's worth it, but I still can't quite force myself to wade through the expected pile of frustration to get from here to there!
(DIR) Post #AdWJe9iinQwICtV0hU by evan@cosocial.ca
2024-01-05T01:23:57Z
0 likes, 0 repeats
@simon an oldie but a goodie. I didn't know you then, but it made my day when you used Wikitravel as the example site.
(DIR) Post #AdWKdpcZcmAvpC261Q by timbray@cosocial.ca
2024-01-05T01:35:06Z
0 likes, 0 repeats
@simon There were two years of my life when I was DevRel in the Google Identity Group and my whole life was explaining OIDC and writing sample apps. The spec has bugs - it allows dumb security holes - but everyone has learned to avoid them. From the coding point of view I found it pretty straightforward and logical. Some library implementations try to hide the underlying message formats and end up making it harder to understand.
(DIR) Post #AdWMuI0m2NfsPwKNiS by simon@fedi.simonwillison.net
2024-01-05T02:00:24Z
0 likes, 0 repeats
@timbray my problem isn't so much with OIDC as it is with the UI and documentation you have to follow as an engineer to set it up - all I want to do is run a GitHub Action that deploys a website to Google Cloud, but figuring out how to set that up is way, way harder than it should be
(DIR) Post #AdWN7NkC2Et5xeobbc by simon@fedi.simonwillison.net
2024-01-05T02:02:34Z
0 likes, 0 repeats
@timbray I get to step 1, "Create a new identity pool" in https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform and my eyes glaze over!
(DIR) Post #AdWNahFuZQtAsCd5o8 by timbray@cosocial.ca
2024-01-05T02:08:08Z
0 likes, 0 repeats
@simon Kind of sad, because the underlying flows and token formats and so on are straightforward and pleasingly free of abstractions. There's an analogy with things like various programming languages providing horrid abstracted/complexified APIs to simple concrete things like HTTP GET/POST.
(DIR) Post #AdWNqw4NGD0BS1yb8C by simon@fedi.simonwillison.net
2024-01-05T02:10:59Z
0 likes, 0 repeats
... I think I just found the missing information! It turns out the crucial gcloud commands I needed to run were hidden away in a details/summary element in a README. Submitted a PR suggesting they make that information more directly visible https://github.com/google-github-actions/auth/pull/377
(DIR) Post #AdWPLvCAf1hVfexjAO by joncruz@mstdn.social
2024-01-05T02:27:21Z
0 likes, 0 repeats
@simon with a sign on the door saying 'Beware of the Leopard' ?
(DIR) Post #AdWR7pZ8zgpw487Hzk by smore@mstdn.social
2024-01-05T02:47:35Z
0 likes, 0 repeats
@simon A definite hazard of using collapse/expand mechanisms to "clean up" a documentation page is that it reduces the skimmability of content in some cases, or makes it hard to discover with ctrl+f on page search patterns!
(DIR) Post #AdWYy4jSYAuLqBni1g by virtuous_sloth@cosocial.ca
2024-01-05T04:15:11Z
0 likes, 0 repeats
@simon @timbray It's a pool! Of identities!