OIDC is the only way to get proper 2FA into all services without adding tons of friction. Friction reduces acceptance and usage of 2FA.
Every service that puts SSO in an enterprise tier is a security risk and shouldn't be touched with a 10 foot pole.
Go ahead and put Kerberos and SAML and maybe even LDAP SSO in Enterprise tier, but if you put OIDC in enterprise tier, you're responsible when your customers inevitably get hacked.
If an organization made a deliberate choice not to pay 5000 USD/mo for extra security, then security is less important to them than this amount of money — so they get what they pay for, and it’s their responsibility.
By that same argument, you could also make security patches exclusive to the enterprise version for a certain amount of time after they've been released.
Only big corporations need security, after all; if a small company gets hacked, well, they should've paid more?
What kind of late-stage capitalism is that? You're knowingly selling an insecure version and somehow it's the customer's fault they didn't buy the "actual security" addon?
I am ready to agree with you if you’re not being hypocritical here. Surely you’re doing only the best work for your employer, and spending your own unpaid leisure and sleep time on honing your non-marketable but company-demanded skills, undergoing psychotherapy to get along better with your manager, and thinking of all the opportunities to save your employer more money.
It would be a shame though if you demanded unpaid work from others, but didn’t live by the same rule yourself.
I've forked quite a lot of open core projects to add enterprise tier SSO support to the open version, with my forks published under AGPLv3. I'm true to my word.