Glad to see I'm not the only person howling with despair at how difficult it is to build anything that involves OpenID Connect in the comments on this Hacker News thread https://news.ycombinator.com/item?id=38868610
@simon There were two years of my life when I was DevRel in the Google Identity Group and my whole life was explaining OIDC and writing sample apps. The spec has bugs - it allows dumb security holes - but everyone has learned to avoid them. From the coding point of view I found it pretty straightforward and logical. Some library implementations try to hide the underlying message formats and end up making it harder to understand.
@timbray my problem isn't so much with OIDC as it is with the UI and documentation you have to follow as an engineer to set it up - all I want to do is run a GitHub Action that deploys a website to Google Cloud, but figuring out how to set that up is way, way harder than it should be
@simon Kind of sad, because the underlying flows and token formats and so on are straightforward and pleasingly free of abstractions. There's an analogy with things like various programming languages providing horrid abstracted/complexified APIs to simple concrete things like HTTP GET/POST.
@simon ... I suppose that's a bullet dodged in my case then, that was on the agenda for Twitter API v2 once upon a time, and I would have strongly disliked having to be the support person... 😬
... I think I just found the missing information! It turns out the crucial gcloud commands I needed to run were hidden away behind a collapsed details/summary element in a README
@simon I’ve set OIDC up with AWS and GCP and it’s intimidating at first sight. But also totally worth it when you realise you don’t need to manage and worry about the tokens/secrets any more. The actions just implicitly run as the service account, just as if you’re using workload identity in a VM or Cloud Run action or whatever. Totally worth it.