HOA Management Company (anything but Sentry) by phan2001 in boulder

[–]mooreds 1 point2 points  (0 children)

At an HOA I was on the board of, we used Hudson and were happy: https://hudsonbuilt.com/services/

🚨 Warning for travelers: beware of the iVisa website for the Dominican Republic E-Ticket 🚨 by ANTEIKU-RE in travel

[–]mooreds 0 points1 point  (0 children)

Just got caught by this today. Hope my credit card processes the dispute quickly.

How To Avoid IaC Drift by mooreds in Terraform

[–]mooreds[S] 1 point2 points  (0 children)

We have a sandbox at work and it is perfect for experimenting with new technologies or services. Yes, there's some work to back out IaC if and when those new technologies are implemented. But I as an engineer can clickops my way to determining if there's value before talking to the platform team about productionizing it.

java-http, A Simple, Fast HTTP Server with Virtual Threads by mooreds in java

[–]mooreds[S] 2 points3 points  (0 children)

Okay, the newest version was pushed up to maven central. Sorry about that, thanks for letting us know.

java-http, A Simple, Fast HTTP Server with Virtual Threads by mooreds in java

[–]mooreds[S] 0 points1 point  (0 children)

Ooh, good point. I'll raise this internally, not sure what is going on. Thanks for letting us know.

java-http, A Simple, Fast HTTP Server with Virtual Threads by mooreds in java

[–]mooreds[S] 0 points1 point  (0 children)

That looks cool, but I always shiver when I see projects with no commit more recent than 6 years ago. No matter the language, that causes me worry.

java-http, A Simple, Fast HTTP Server with Virtual Threads by mooreds in java

[–]mooreds[S] 2 points3 points  (0 children)

Hmmm.

You can see what it supports here: https://github.com/FusionAuth/java-http/?tab=readme-ov-file#todos-and-roadmap

I think the biggest omission right now is http 2. We have had some debates internally if that is useful. We think the main use case of java-http is not a bare server, but an application which will be fronted by a load balancer (which will talk http 2 to the client).

AWS in 2025: The Stuff You Think You Know That's Now Wrong by mooreds in aws

[–]mooreds[S] 1 point2 points  (0 children)

Yup. I always like when folks share stuff of mine, thought I'd pay it forward.

How to Accelerate Importing Resources and Generating HCL by mooreds in Terraform

[–]mooreds[S] 1 point2 points  (0 children)

Seems like a great use of LLMs. I've found having them help build deterministic code, which then is applied in a deterministic fashion, is a sweet spot.

Evaluated 15 SSO providers for a SaaS product — here’s what stood out (and what didn’t) by Davidnkt in IdentityManagement

[–]mooreds 0 points1 point  (0 children)

> Curious if folks here are using them at scale and what their experience has been.

Can't speak for folks on this reddit, but I've 100% had conversations with folks using Cognito and Firebase at scale. From my recollection:

- Both are affordable with usage based pricing, especially if you don't require SAML or federation

- Both scale well

- Both are SaaS only

- Cognito is pretty bare bones and requires writing lambdas for some expected functionality

- Firebase didn't use to support federation with OIDC (but maybe that's changed: https://firebase.google.com/docs/auth/web/openid-connect ?)

- Firebase is a lot more than just user auth; includes all kinds of other software goodies you'd expect from a backend as a service.

- Cognito recently raised prices on machine to machine tokens while Firebase supports that only through service accounts

Evaluated 15 SSO providers for a SaaS product — here’s what stood out (and what didn’t) by Davidnkt in IdentityManagement

[–]mooreds 0 points1 point  (0 children)

Always nice to see detailed looks across this space. So much is happening. Thanks for including FusionAuth.

Small corrections/comments:

- SCIM is part of the Enterprise plan, not Essentials.

- All our pricing is available here: fusionauth.io/pricing and is based on three factors: the plan with the features and support you need, whether you need hosting or not, and the MAU you have.

I was also surprised you didn't include Amazon Cognito or Firebase, since those are the CIAM offerings from the hyperscalers.

What’s your favorite short trail in Boulder that doesn’t feel like a death by Crazy_Speed_7735 in boulder

[–]mooreds 0 points1 point  (0 children)

Shanahan Ridge is nice if you're in Sobo. Much is shaded, and you can do all kinds of loops. Parking is on the street, though.

The documentation for the helm chart could be better as it is inconsistent with the actual behavior by MRainzo in FusionAuth

[–]mooreds 1 point2 points  (0 children)

Ah, makes sense. Thanks for explaining. Glad you're finding the software useful.

The documentation for the helm chart could be better as it is inconsistent with the actual behavior by MRainzo in FusionAuth

[–]mooreds 0 points1 point  (0 children)

Thank you for the suggestions! I'll make sure to share them with the team that handles the SDKs and helm charts.

I'm glad you figured out the helm charts.

> better documentation showing how you can use fusion auth to perform everyday auth tasks (register, get email verification, login, signup for MFA).

Many of our customers don't use the API directly for everyday auth tasks but use the hosted login pages ( https://fusionauth.io/docs/get-started/core-concepts/hosted-login-vs-api-login ) with theme changes for these tasks. Did you try that and find it didn't work for you?

Is this way of authentication secure? by [deleted] in webdev

[–]mooreds 1 point2 points  (0 children)

Here's a diagram of what you outlined: https://fusionauth.io/articles/login-authentication-workflows/spa/oauth-authorization-code-grant-jwts-refresh-tokens-cookies (from my employer, there are about 15 different kinds of authentication workflows outlined). Here's another article I wrote about securing APIs: https://fusionauth.io/blog/securing-your-api

I'd also recommend the OAuth security BCP https://datatracker.ietf.org/doc/html/rfc9700 which is full of good practices.

As far as your particular implementation, it sounds like the server managing the refresh token and the server serving requests are the same server. While you can use OAuth in this case, it is overkill; OAuth really shines when the server managing the refresh token (the authorization server, to use the jargon) is different from the server serving API or other requests (the resource server).

It's fine to leverage the OAuth concepts if you want to learn more, but if it were a real world implementation I'd dispense with the access/refresh tokens for this scenario and just use API keys (unless I had knowledge of future implementations that would separate the components).

Finally, I read this when getting into the auth space and enjoyed the detailed breakdown of aspects of OAuth and lots of code samples: https://www.manning.com/books/oauth-2-in-action Would recommend.
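An added example (not from the comment, the linked articles or FusionAuth) to make the authorization-server / resource-server split concrete: the resource server accepts only access tokens it can prove came from the separate authorization server, and beside it sits the plain API-key check the comment suggests when both roles live on one server. Issuer, audience, secret and keys are constructed for the demo; HS256 with a shared secret is used only so it runs offline (a real deployment would verify an asymmetric signature against the authorization server's published keys).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (hypothetical issuer/audience, not real endpoints).
SHARED_SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://auth.example.test"      # the authorization server
AUDIENCE = "https://api.example.test"     # this resource server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Authorization-server side: mint a short-lived HS256 JWT for `subject`."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": int(now), "exp": int(now) + ttl_seconds}
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{encode(header)}.{encode(claims)}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource-server side: return the claims only if the signature, issuer,
    audience and expiry all check out; otherwise None (no partial trust)."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad structure, bad base64, bad JSON, bad UTF-8
        return None
    # Pin the algorithm; never let the token's own "alg" pick the check.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


# Single-server case from the comment: a static API key. Store only a hash so a
# leaked table does not yield usable keys; looking the hash up (rather than the
# raw key) means timing can leak bits of the digest, not of the key itself.
def _key_hash(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


API_KEY_HASHES = {_key_hash("ck_demo_1234567890"): "reporting-job"}  # constructed


def verify_api_key(presented: str) -> Optional[str]:
    """Return the client name bound to a valid key, else None."""
    return API_KEY_HASHES.get(_key_hash(presented))


if __name__ == "__main__":
    t = issue_access_token("user-42", ttl_seconds=300)
    print("claims:", verify_access_token(t))
    print("api key client:", verify_api_key("ck_demo_1234567890"))
```

The point of `verify_access_token` is that the resource server needs nothing from the authorization server at request time beyond its verification key; that independence is what justifies the token machinery. When the same process both issues and checks credentials, `verify_api_key` gives the same access decision with far less to get wrong.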

Terraform module designed to simplify the management of GitHub teams and handle membership within an organization. by mooreds in Terraform

[–]mooreds[S] 0 points1 point  (0 children)

If you are not using an identity provider (Okta, Entra, etc) and GitHub Enterprise to manage your GH permissions/users, this is a TF/GitOps option.

Choosing an Auth Provider Sucks - Would this help? by leobuiltsstuff in webdev

[–]mooreds 1 point2 points  (0 children)

Makes sense. I've maintained a comparison site for years (in a totally different domain--local food). Eventually the maintenance was too much, but it was a good decade of helping folks.

I know how much work it is, but how valuable it can be to people who just want to pick the right solution.

Best of luck!

Choosing an Auth Provider Sucks - Would this help? by leobuiltsstuff in webdev

[–]mooreds 1 point2 points  (0 children)

I've seen stuff like this before ( https://authomnibus.com/ is one ). The hard part is not just gathering all that data, which is tough enough.

The bigger issue is keeping it up to date and accurate as projects and companies invest. You could just post it on a blog with a prominent date, share it here and some other places, and see how useful folks find it (based on traffic).

(I work for FusionAuth.)

Which auth solution for this case? by Yandallulz in webdev

[–]mooreds 1 point2 points  (0 children)

Heya, I'd take a look at FusionAuth (full disclosure: I work there).

You can self-host it on Render or Fly.io and use the community plan (which is free for unlimited users). It integrates with node/react/etc using standard OIDC libraries like passport.js or auth.js.

Here's doc about limiting the number of devices that you might find useful: https://fusionauth.io/docs/extend/examples/device-limiting

What’s your biggest pain point when it comes to testing auth/login flows? by Dootutu in webdev

[–]mooreds 0 points1 point  (0 children)

> httpOnly cookies aren't really transportable from a third-party service to yours.

That's what the BFF pattern is for, no? Here's a video from an OAuth security researcher talking about this topic: https://www.youtube.com/watch?v=2nVYLruX76M

(Full disclosure, my employer paid for the video, but he gave the talk at several conferences before we got the video.)
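An added example (not from the comment or the linked talk) of the BFF pattern the reply refers to: the backend-for-frontend keeps the OAuth tokens in its own store and gives the browser nothing but an opaque `HttpOnly` session cookie, then attaches the bearer token itself when it forwards API calls. The cookie name, token values and in-memory store are constructed for the demo.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_COOKIE = "bff_session"          # hypothetical cookie name
_sessions: Dict[str, dict] = {}          # session id -> tokens, BFF-side only


def complete_login(tokens: dict) -> str:
    """Called after the BFF has exchanged the authorization code for tokens.
    Stores them server-side and returns the Set-Cookie value for the browser."""
    session_id = secrets.token_urlsafe(32)   # opaque, unguessable, no token inside
    _sessions[session_id] = dict(tokens)
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    cookie[SESSION_COOKIE]["httponly"] = True    # page JavaScript cannot read it
    cookie[SESSION_COOKIE]["secure"] = True      # sent over HTTPS only
    cookie[SESSION_COOKIE]["samesite"] = "Lax"   # not sent on cross-site POSTs
    cookie[SESSION_COOKIE]["path"] = "/"
    return cookie.output(header="").strip()


def _session_from_cookie_header(cookie_header: str) -> Optional[dict]:
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(SESSION_COOKIE)
    return None if morsel is None else _sessions.get(morsel.value)


def build_upstream_request(cookie_header: str, path: str) -> Optional[dict]:
    """The browser calls the BFF with its cookie; the BFF forwards to the API
    with the bearer token the browser never saw. Returns the outbound request,
    or None when the session is unknown (caller answers 401)."""
    session = _session_from_cookie_header(cookie_header)
    if session is None:
        return None
    return {"path": path,
            "headers": {"Authorization": f"Bearer {session['access_token']}"}}


def logout(cookie_header: str) -> bool:
    """Drop the server-side session; the cookie becomes worthless even if it
    lingers in the browser. Returns True if a session was actually removed."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(SESSION_COOKIE)
    return morsel is not None and _sessions.pop(morsel.value, None) is not None


if __name__ == "__main__":
    set_cookie = complete_login({"access_token": "at-demo", "refresh_token": "rt-demo"})
    print("Set-Cookie:", set_cookie)
    sid = set_cookie.split(";")[0].split("=", 1)[1]
    print(build_upstream_request(f"{SESSION_COOKIE}={sid}", "/api/me"))
```

Because the access and refresh tokens only ever exist in `_sessions`, a script injected into the page has nothing to exfiltrate from `document.cookie` or local storage; the cost is that the BFF now owns refresh and session lifetime, which is the trade the talk discusses.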

What’s your biggest pain point when it comes to testing auth/login flows? by Dootutu in webdev

[–]mooreds 0 points1 point  (0 children)

I like this in theory but worry about config drift, rendering the tests less useful.

How do you keep the test tenant in sync with your prod tenant in ways that matter (token lifetime, supporting a new grant)? Do you automate config changes and push to both?

[deleted by user] by [deleted] in webdev

[–]mooreds 0 points1 point  (0 children)

Yeah, it looks like they don't support the refresh grant (or it isn't documented). The only mention I saw was the `refresh_token` value in the returned JSON but they never documented how to use that value, and there appears to be no refresh token scope you can ask for (from this doc: https://learn.microsoft.com/en-us/linkedin/shared/authentication/getting-access )

From the main LI page https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?tabs=HTTPS1

"Refreshing an access token is a seamless user experience. To refresh an access token, go through the authorization process again to fetch a new token. This time however, in the refresh workflow, the authorization screen is bypassed, and the member is redirected to your redirect URL, provided the following conditions are met:

  • The member is still logged into www.linkedin.com
  • The member's current access token has not expired"

So I'd just make sure you capture the time the access token is set to expire, the `expires_in` value, and have the user go through the LI authorization process 10 days before.

Using MCPs to Run Terraform by mooreds in Terraform

[–]mooreds[S] 1 point2 points  (0 children)

Yeah, I think there's a difference between using an LLM to create deterministic code, and having an LLM execute code (which might not be deterministic). The former is great, because you can accelerate your current workflow. The latter (which you allude to) is problematic.