Thank you for not having just dumped it like that, but adding quick-start guides, examples and even did some additionnal security checks, it's just awesome for little organizations <3
thank you - We know from our own experience using other open source projects that having documentation, and guides to get started really helps.
We know there is more to do there too (some of the feedback in this HN post has helped highlight areas we need to improve the docs) and we will be adding to the docs so over the next while.
- ease of migration was a big one, we had 100+ instances of bitly's oauth2_proxy, and were able to seamlessly migrate them to this, without any changes to the services being protected.
- when we built this, there were far fewer solutions than there are today. For example, Ory's Oathkeeper ( https://github.com/ory/oathkeeper) was released after we were already using sso internally at BuzzFeed.
Yes, as mentioned in the blog post, we worked with Security Innovation to do a week long security assessment with full access to source code, design documents and endpoints.
We also have a long term consulting arrangement with a widely respected security architect, and they helped review our design and implementation.
Additionally, BuzzFeed has a bug bounty program on hackerone (https://hackerone.com/buzzfeed), and have invited partipating researchers to report on any issues found. We’ve paid out bounties for a number of minor issues, which were addressed prior to open-sourcing.
> In preparation for open sourcing we also engaged with Security Innovation, a widely respected agency who count Microsoft, Symantec, and Amazon as clients, to do a more in-depth, week long assessment, with full access to source code and design documents. This found no major issues, which gives us the confidence to open source sso today.
That is understood, and is always why we engaged with some of the top researchers who contribute to our bug bounty program, from the start with this project.
For example offering increased bounties during certain windows, or providing early access to the source code.
We highly value our bug bounty program, and find it to be a very effective mechanism for continuous security validation.
I'll write a tech blog post in the near future about how we facilitate our program.
> we have made sso a priority target for penetration testing by researchers on our bug bounty program — we’ve paid bounties for a number of reported issues!
While that makes it clear that they cared about penetration testing, it isn't what the person was asking to that you replied to -- they asked if they had contracted with an independent company to do testing. This did not seem to be answered by the article, and seems like a reasonable question to ask.
It’s one of our two standard languages - the other being Python - and whilst the vast majority of our services are Python, Golang is being used for growing and significant number too.
Touching on my first point, we have observed people enjoy writing Go apps, and it is a great fit particularly where performance and scalability are needed.
Therefore when engineers have moved to another team internally, they often will evangelize Golang to their new team members.
So we expect it to continue to grow and thrive here!
We were already using traefik as a proxy for our docker/swarm clusters and this is a single container drop in to add authentication to every traefik request.
It's still missing a few key features but it can get you started, we're testing the use of a single auth domain (so you don't have to add every internal service domain as a refirect_uri in Google - looks similar to how sso works) internally and we expect to release this shortly once finished.
Additionally, if you want an even lighter weight option, we also use, with great success, cloudflare's lua script on a few services we don't run with docker/traefik: https://github.com/cloudflare/nginx-google-oauth
Great question.
We found that SAML doesn’t typically have great support on mobile devices [edit: had originally written browser here, hence the comments below], and since BuzzFeed has many remote employees around the world, we needed to support those workflows, so OAuth2 made more sense.
That doesn't make sense. SAML is only a bunch of POST and redirections as far as the browser is concerned. There is no specific support required from the browser.
I’ll correct my post above. I meant to say `mobile devices`, not `mobile browsers` . My bad.
The other reason, which I didn’t mention above, but is talked about in the blog post, is we decided to use bitly’s oauth2_proxy as a basis for our solution.
This had been widely used in BuzzFeed (we had over 100 auth proxies in place prior to rolling out sso), and so the OAuth flow was something everyone was familiar with.
Looks super interesting. I'm looking to do something like this for my personal stuff, but I'd rather avoid the dependency on Google. Does anyone have suggestions for how to set something like that?
Right now we have a dependency on Google as an OAuth2 provider, as that's what we use internally at BuzzFeed. However we've designed sso to allow us to easily add other providers.
It might not be necessary, because there are already a few good identity providers around, but isn't it always good when companies release quality open source software?
This is our identity aware proxy, which we've been using internally for a year.
The blog post explains our motivations behind creating it, and open-sourcing it. It's available today, under MIT license.
We'll be keeping an eye on the thread, and happy to follow up to any questions!