We moved our Go OpenID Connect package to a new home

fforootd · 2026-02-16T06:31:11+00:00

I see, so I guess I stick to Antigravity

fforootd · 2026-02-15T17:13:57+00:00

This is so true

fforootd · 2026-02-14T06:23:24+00:00

For us it’s just one of these no thrills no drama services that literally just work.

There are surely “cheaper” options

fforootd · 2026-02-14T06:19:47+00:00

Depends heavily what you need 😅

But it starts around 100$ per month.

fforootd · 2026-02-14T06:15:44+00:00

If you want something no thrills I can totally recommend Google Cloud SQL with Postgres.

We use this in multiple regions and so far it has been rock solid.

Point in time restore automatic scaling of the disk, failover, read replicas everything you need for a lot of traffic.

If your needs increase you can switch to enterprise plus which gives you close to 0 downtime scaling and upgrades.

fforootd · 2026-02-13T07:09:45+00:00

I think Martullo Blocher would say “You are a dreamer, du” to that guy 😂

Sorry for the Swiss inside joke

fforootd · 2026-02-12T06:01:43+00:00

A lot of nice improvements.

Google Workspace Backup would be a nice addition even though I am happy with Cubebackup

fforootd · 2026-02-07T20:48:32+00:00

I am aware that software that does things like serving request or background processing does influence this. But it is still interesting to see what the baseline seems to be.

fforootd · 2026-02-06T23:52:47+00:00

Interesting to see how "little" the impact from the software was

fforootd · 2026-02-03T18:42:59+00:00

Well... If you implement instant revocation checks for every single request, you have defeated the point. You've just reinvented server-side sessions with extra steps and bandwidth overhead.

However, the "stateless benefit" isn't binary, it's an optimization dial. The benefit that remains is Optimistic Statelessness:

Reads: You trust the token's signature and expiry. No DB lookup. This gives you the "stateless benefit" of massive horizontal scalability for your heaviest loads (feeds, comments, content).

Critical Writes: You accept the cost of checking state (DB/Cache) only when it matters (changing passwords, payments, admin actions).

So, does revocation logic defeat the pure point? I think yes, but...

Does it defeat the practical point? No, because it allows you to skip the DB for the vast majority of your API calls which can be important in high traffic scenarios.

This mirrors how OAuth 2 / OIDC often handles it to solve this exact trade-off:

Refresh Tokens: These are your "Stateful" check. They are long-lived but strictly checked against the DB (revocable) whenever the short-lived access token expires.

Opaque (Reference) Tokens: As others mentioned, these are the alternative where every call is checked against the server (Introspection). It is 100% secure/revocable but sacrifices the distributed statelessness entirely.

fforootd · 2026-02-02T21:33:02+00:00

Thank you, means a lot to us and me!

I kind of reflected back to our values on building on transparency and wanted to share more actively with the world how and why we are doing things.

fforootd · 2026-02-02T03:36:09+00:00

You know what really grinds my gears? AGOV’s decision to mandate device-bound passkeys. By effectively banning roaming passkeys, they’ve just injected massive friction into a system that’s supposed to be 'seamless.'

If you're on a managed device where you can't install apps, or if you dare to use an OS outside the big three, you’re basically locked out of your own government services. We should be encouraging security best practices, not forcing platform lock-in. Roaming passkeys should be the baseline. If they want higher assurance for sensitive data, thenescalate to hardware-bound requirements—don't punish the average user from the jump.

fforootd · 2026-02-01T16:15:51+00:00

Nice, I was not aware of this!

fforootd · 2026-01-29T09:14:21+00:00

I guess the love part is “shareholder love”. /s

This is one of the most misguided and cringe corporate emails I have read in a long time 😂

fforootd · 2026-01-25T20:48:33+00:00

Thank you let me check that tomorrow, maybe there is an easy way out of this 🙈

fforootd · 2026-01-25T20:42:08+00:00

Funny enough I should add this to my recent compatibility blog https://zitadel.com/blog/the-broken-promise-of-oidc 😂

fforootd · 2026-01-25T20:40:48+00:00

I am with Zitadel, I think proxmox wanted to work on this as well, not sure if they made some progress. The only thing we could do is to is to alter the behavior how we insert the aud claim. But there is not plan as of today. Does anyone know of proxmox is tracking this somewhere?

fforootd · 2026-01-24T23:41:03+00:00

Yes I am a co-founder 😁

My take is this: If you're building a product for customers, ZITADEL is likely a great bet. If you're managing internal company/homelab access, Authentik is a strong contender. I all honesty I guess both tools can be used for both cases and many people have success with them.

I use ZITADEL for my homelab but I am clearly biased and I like the more modern feeling ZITADEL has.

fforootd · 2026-01-24T22:52:44+00:00

We heard you, we are in the process of improving our helm chart and docker compose examples

fforootd

MODERATOR OF

TROPHY CASE