- That’s funny. I spotted a similar issue in their Go SDK[1] a few years back. I was pretty appalled to see such a basic mistake from a security company, but then again it is Okta.
[1]: https://github.com/okta/okta-sdk-golang/issues/306
- Okta is, if you may excuse my French, straight garbage.
by glemmaPaul
- Anyone that uses Okta should be accepting the fact that they have outsourced a huge chunk of responsibility of their job onto an enterprise company.
These github links are not open source projects, these are public readable software projects. You do not control any of it, you have to deal with internal company politics like "# PRs opened", "# Bugs solved" for the developers' next performance review.
- I think GitHub should allow disabling PRs. I don't believe most big corporations are interested in dealing with fly-by contributions because it might make them look bad or be riddled with quality issues.
Also, some projects like the Linux kernel are just mirrors and would be better off with that functionality disabled.
- What do you expect? This is the same company suggesting that people turn off DNS Rebind protection to work around their incompetence (https://support.okta.com/help/s/article/dns-rebind-protectio...)
- Okta requiring the creation of a video for a pretty obvious vulnerability shows that Okta does not take security seriously, contrary to what they say at their earnings calls. Sounds like deceiving their investors.
by theoldgreybeard
- You couldn't pay me a billion dollars to use Okta.
- I find it funny that this seemingly fictitious person Simen A. W. Olsen my@simen.io will forever be engraved as a co-author of a one-line change in the nextjs-auth0 repo.
- I've been quite happy with FusionAuth so far. Free to run on your own server, easy to understand and set up, easy to program against, reliable.
- Honestly when I saw Okta in the headline, I had assumed the article was going to say they were breached again.
This one is amusing, and as another comment mentioned below, large companies are awful at accepting patches on github. Most use one-way sync tools to push from their internal repositories to github.
- I think it is distasteful and disrespectful to call out an employee by name in this way, regardless of the merit of the rest of the OP's post.
- AI-enabled engineers.
Dammit, things like this trigger a very strong rejection of actively adopting AI into my workflows. Not the AI tooling itself, but the absolutely irresponsible ways of using it. This is insane.
by burnt-resistor
- Don't outsource SSO to any IdMaaS. It's too critical. And especially not to Okta.
- I'm currently building on the Auth0 SaaStarter because it seemed to be the only option in the market for something with all the core features enterprises are looking for. Is there an alternative that doesn't require building from scratch?
by phendrenad2
- I'm shocked. Where are all the "SSO companies handle edge cases you can't even imagine" people? It's been 24 hours.
- You're either free OSS that gets flooded with AI slop PRs to overwhelm maintainers or you're a corporate OSS that uses AI slop to frustrate contributors. Are there any positive stories I've not seen?
by Traubenfuchs
- Is there any non-shite managed OAuth solution with a free tier available?
Auth0 really is super easy and comfortable to integrate and I don't want to run my own Keycloak or whatever.
by roncesvalles
- I've been (trying) to use Auth0 over the last few weeks, just as a PoC / "base" app scaffold.
My conclusion has been: for social and email login, you don't need things like Auth0. Just write it yourself.
You need: session management, account management (you'd already have this), and some simple social login pathways (PKCE etc). If you're an experienced engineer and take the time to do it properly, it's totally fine to "roll your own auth". Things like Auth0 and Firebase Auth are built for nobody and make life more difficult.
Any SaaS service that saves you like <40 hours of implementation work is not worth buying into. Just put in the hours and you're set for life. It'll probably take you that many hours to wrangle with integrating it anyway (and when things get serious, you'll need to figure it out down to the bone anyway; auth is not something you can just plop in like a blackbox and forget about it). And if in the process of rolling it yourself you realize "oh shit the service is actually lifting a lot for me", then the time you spent on learning that lesson was also worth it and made you a better engineer.
Basically, don't cargo-cult things just because everyone says you should. You should feel the "aha" for why you need to introduce a 3rd party thing.
- IANAL but unfortunately, I think the fix itself shown here might be too simple to actually clear the bar for copyright eligibility. (And in fairness to copyright law, it is basically the only sane way to fix this.) That means that there's probably not much you can really do, but I will say this looks fucking pathetic, Okta.
- That maintainer seems clueless
- What’s frustrating here is how predictable these issues are. Next.js isn’t some niche framework, yet Okta’s SDK still struggles with basic OAuth flows like redirect handling, cookie persistence, and SSR quirks. That’s not just a bug — it’s a sign of weak integration testing.
The bigger problem is trust. If an identity provider can’t reliably support mainstream frameworks, it undermines confidence in their entire platform. Developers end up spending more time debugging the SDK than building features.
This is why many of us lean toward smaller, well‑maintained libraries (Auth.js, Supabase Auth, etc.). They don’t try to abstract away everything, but they do the fundamentals well — and that’s what matters most in security.
- I LOVE LLMs as a learning tool. I HATE LLMs as a communication tool. I know, there are people with serious handicaps who benefit from LLMs in this area. If only I could talk to those people and not wade through all this other garbage.
Especially when the AI is being represented as a person, this to me is dishonest. Not to mention annoying, almost more so than the number of different apps that think they are important enough to send me push notifications to fill out a survey (don’t even get me started).
by DetroitThrow
- Security companies that prioritize bugs being sold rather than be reported will eventually blow up. Good luck Okta shareholders.
by YouAreWRONGtoo
- [dead]
- Seems the perfect opportunity to create an AI-generated "hackers" short with some prepared screenshots. /s
- [dead]
by Brian-Watkins
- [flagged]
by Will-Reppeto
- [flagged]
by Aldipower
- WTF is Okta?
- FWIW, the employee reply (who the author is putting on blast) seems like it was written by a human, not an AI.
"You're absolutely right!" is the Claude cliche (not a ChatGPT one) - "You are absolutely correct." is not that.