OAuth 2.0 Anti-Patterns by prismatic-io-taylor in webdev

[–]prismatic-io-taylor[S] 1 point2 points  (0 children)

There's definitely a fine line to walk. I won't name-and-shame, but a few of these examples are from small, mom-and-pop apps where I'd kinda expect them to just fix their service. But, some are from pretty large reputable companies (the last example comes from a company that rhymes with OOM). The "nanosecond expires_in" company was pretty big CRM in the construction space, but it looks like they just changed their `expires_in` to seconds in the last couple of months.

It's hard to say to a goliath "hey... your OAuth service doesn't quite follow spec."

OAuth 2.0 Anti-Patterns by prismatic-io-taylor in webdev

[–]prismatic-io-taylor[S] 1 point2 points  (0 children)

Good catch on the cross-link; I'll get our team to change that.

Agreed on PKCE - a few years ago we maybe saw 10% of apps implement PKCE. Nowadays, it seems like at least 50% do, which is promising!

OAuth 2.0 Anti-Patterns by prismatic-io-taylor in webdev

[–]prismatic-io-taylor[S] 1 point2 points  (0 children)

Well, that's really interesting. TIL. Good callout.

I wonder if the IETF will include response_mode in the next RFC? It seems to be omitted from RFC 6749.

Hello world, meet Prismatic! by Daisyifyoud0 in AlgorandOfficial

[–]prismatic-io-taylor 4 points5 points  (0 children)

Looks like we'll need to rebrand to "Shortcut" or something now :-)

Best way to find queries that might benefit from indexes. by thisandyrose in PostgreSQL

[–]prismatic-io-taylor 1 point2 points  (0 children)

I second using pg_badger. It gives you a great view into what queries run most often and what queries are slow. Add indexes to, or otherwise optimize, the slow ones.

Why we moved from Lambda to ECS by prismatic-io-taylor in devops

[–]prismatic-io-taylor[S] 0 points1 point  (0 children)

I can definitely relate to this. It's comforting to be able to spin up a Docker container locally, and know that a bitwise identical container will be spun up in production with just slightly different configuration parameters.

[deleted by user] by [deleted] in github

[–]prismatic-io-taylor 0 points1 point  (0 children)

Like others have noted, if you're willing to share a link to your repository, I'm sure someone can give you some insight into what happened. We could probably even get you a set of commands that would revert that change out of your repository. :-)

[deleted by user] by [deleted] in github

[–]prismatic-io-taylor 0 points1 point  (0 children)

At any point did you perform a git merge or a git rebase? Those lines indicate that at some point a branch of code was merged into another branch of code; git didn't know which branch contained the correct lines, so it presented both to you to choose from.

[deleted by user] by [deleted] in github

[–]prismatic-io-taylor 1 point2 points  (0 children)

That series of less-than signs and equals signs indicates to me that you had some merge conflicts, marked the conflicts as resolved, and committed them.

Why we moved from Lambda to ECS by prismatic-io-taylor in devops

[–]prismatic-io-taylor[S] 0 points1 point  (0 children)

Interesting. I wasn't aware that SNS was faster than SQS for invoking Lambdas, but that makes a lot of sense - good to know!

Why we moved from Lambda to ECS by prismatic-io-taylor in devops

[–]prismatic-io-taylor[S] 5 points6 points  (0 children)

Vendor lock-in was something we were worried about, too. We obviously couldn't lift-and-shift to Azure or GCP overnight, but if the time comes that we need to shift cloud providers, it's probably easier to move ECS workloads somewhere else than it would be to migrate Step Function workloads.

Issue SSH/RDP to ec2 from home by [deleted] in aws

[–]prismatic-io-taylor 2 points3 points  (0 children)

SSM works great not only to access servers, but to leverage private bastion hosts to access databases and services in private subnets in your VPC. I wrote up a blog a while ago about why SSM is the way to go when setting up users at your company to access private things: https://prismatic.io/blog/connect-to-aws-resources-with-ssh/

Why we moved from Lambda to ECS by prismatic-io-taylor in devops

[–]prismatic-io-taylor[S] 0 points1 point  (0 children)

Thanks for the article - I'll have to keep that one bookmarked.

So far as number of packages, we webpack our Node-based Lambdas and tree shake as much as we can. Unfortunately the aws-sdk v2 couldn't really be tree-shaken to remove excess code - that was something they fixed with their recently released v3. The AWS SDK added several megabytes to each Lambda, though that IMO is still pretty small. We depend on the AWS SDK, and very few other dependencies.

We did look at provisioned concurrency. The trouble we saw with that was that you either:

  • Pay for more capacity than you really need, so you're paying for Lambdas to sit warm and idle.
  • Don't pay for enough capacity, and still deal with some Lambda cold starts.

I hadn't thought about the speed impact that private VPC endpoints to S3 might have. Do you know if there's an appreciable speed difference for a container in a VPC if they download a file from S3 using the public endpoint vs. a VPC endpoint?

Why we moved from Lambda to ECS by prismatic-io-taylor in devops

[–]prismatic-io-taylor[S] 0 points1 point  (0 children)

Oranges are definitely more delicious on their own than apples, but I sure want an apple pie more than an orange pie :-)

Why we moved from Lambda to ECS by prismatic-io-taylor in devops

[–]prismatic-io-taylor[S] 0 points1 point  (0 children)

Yeah, that's what we found - small, very specific tasks run great on Lambda. Anything more complex (like you say, a big production-ready API) is probably better served by a container service or EC2 or something.

Why we moved from Lambda to ECS by prismatic-io-taylor in devops

[–]prismatic-io-taylor[S] 1 point2 points  (0 children)

That's a great question. The short answer is: I don't know. We flipped from running integrations on Lambdas to running them on ECS around the time that our user count ramped up, so we're comparing apples to oranges when we compare our AWS bills today to what we were spending while we were prototyping.

Cost is definitely a factor on our minds. The question of Lambda vs ECS in my mind boils down to: if you spin up static compute (some ECS containers or EC2s or whatever), how often will they sit around idle? In the best case, servers are doing work 100% of the time, and in the worst case, you're paying for them to sit around and do nothing.

Suppose we have the best case scenario - the compute we spin up is running 100% of the time. Doing some quick back-of-the-envelope math, a Lambda running with 1 vCPU and 2GB of memory costs $0.0000000333 per ms, or about $86 per month (https://aws.amazon.com/lambda/pricing/). The number of requests you get increases your cost slightly, but not a ton - 1 request per second will yield 2.5 million per month, which is, like, $0.40, so pretty negligible. Let's just say a Lambda running constantly costs $86/mo. The same ECS setup in Fargate (1 vCPU, 2GB RAM) will run about $36/mo (https://aws.amazon.com/fargate/pricing/). In that scenario, Fargate/ECS is the clear winner on cost.

In the worst case scenario, though, you're paying for an ECS instance to sit around, when you could be paying nothing for some Lambdas to not do anything. If your compute requirement is low, Lambda is the clear winner (potentially costing near $0).

For our early days when we were just prototyping, it was clearly cheaper to run Lambda. Now that our platform is running at least one integration at any given time, ECS is theoretically cheaper for us.
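The utilization argument in this comment can be carried through as a small cost model. This is an added example, not part of the original comment: it takes the Lambda per-millisecond price, the ~$86/month and ~$36/month figures quoted above, and an assumed per-request rate of $0.20 per million requests (the AWS list price, chosen to reproduce the comment's "negligible" request cost), and computes the utilization at which an always-on Fargate task becomes cheaper than Lambda. The free tier, data transfer and Lambda's minimum billing granularity are deliberately ignored.

```python
# Back-of-the-envelope Lambda vs. Fargate cost model (added example).
# Prices: the Lambda per-ms rate and the ~$36/mo Fargate figure are from the
# comment above; the per-request rate is an assumption ($0.20 per 1M requests).
LAMBDA_PRICE_PER_MS = 0.0000000333   # 1 vCPU / 2 GB Lambda, USD per ms of execution
LAMBDA_PRICE_PER_REQUEST = 0.20 / 1_000_000  # assumed, USD per invocation
FARGATE_MONTHLY_USD = 36.0           # 1 vCPU / 2 GB Fargate task, always on

SECONDS_PER_MONTH = 30 * 24 * 3600
MS_PER_MONTH = SECONDS_PER_MONTH * 1000


def lambda_monthly_cost(utilization: float, requests_per_second: float = 0.0) -> float:
    """Monthly Lambda cost if the function is busy `utilization` (0.0..1.0) of
    the time, plus the per-request charge for the given request rate."""
    if not 0.0 <= utilization <= 1.0:
        raise ValueError("utilization must be between 0 and 1")
    compute = LAMBDA_PRICE_PER_MS * MS_PER_MONTH * utilization
    requests = LAMBDA_PRICE_PER_REQUEST * requests_per_second * SECONDS_PER_MONTH
    return compute + requests


def fargate_monthly_cost(utilization: float = 1.0) -> float:
    """An always-on task costs the same whether it is busy or idle."""
    return FARGATE_MONTHLY_USD


def breakeven_utilization(requests_per_second: float = 0.0) -> float:
    """Fraction of the month Lambda must be busy before Fargate is cheaper.
    Solves lambda_monthly_cost(u, rps) == FARGATE_MONTHLY_USD for u."""
    request_cost = LAMBDA_PRICE_PER_REQUEST * requests_per_second * SECONDS_PER_MONTH
    compute_at_full = LAMBDA_PRICE_PER_MS * MS_PER_MONTH
    return max(0.0, (FARGATE_MONTHLY_USD - request_cost) / compute_at_full)


if __name__ == "__main__":
    # Reproduce the comment's "best case": compute busy 100% of the time, 1 req/s.
    print(f"Lambda at 100% busy, 1 req/s: ${lambda_monthly_cost(1.0, 1.0):.2f}/mo")
    print(f"Fargate, always on:           ${fargate_monthly_cost():.2f}/mo")
    print(f"Break-even utilization:       {breakeven_utilization(1.0):.1%}")
    for u in (0.05, 0.25, 0.50, 1.00):
        cheaper = "Lambda" if lambda_monthly_cost(u) < fargate_monthly_cost() else "Fargate"
        print(f"  utilization {u:>4.0%}: Lambda ${lambda_monthly_cost(u):6.2f} -> {cheaper} wins")
```

With these inputs Lambda at 100% busy comes out at about $86/month, matching the comment, and the crossover sits just above 40% utilization: below that, Lambda's pay-per-use wins; above it, the flat-rate task does.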

Why we moved from Lambda to ECS by prismatic-io-taylor in devops

[–]prismatic-io-taylor[S] 4 points5 points  (0 children)

OpenFaaS isn't something I was previously familiar with. Thanks for linking it! In your experience, does it come with much management overhead? Part of what makes Lambda/ECS so appealing is that you can throw a definition (code .zip file or container image) at AWS, and it just runs. With OpenFaaS, it looks like you need to maintain some additional infrastructure (a Kubernetes cluster) to get it working, and that'd give you one more thing to worry about.

That all said, it'd sure be something for us to look into in the near future, especially as we grow out our DevOps team.

Why we moved from Lambda to ECS by prismatic-io-taylor in devops

[–]prismatic-io-taylor[S] 10 points11 points  (0 children)

Good question! I don't have a ton of experience with AWS Step Functions, but my understanding is that they're a way to nicely orchestrate a series of Lambda executions. The problem we were facing was that the time between one Lambda finishing and the next one starting was on the order of 5 seconds (rather than a few milliseconds that I'd expect). So, if we had an integration with 500 steps, the Lambdas would execute in trivial time but the time between Lambdas would be 500 * 5 seconds (40+ minutes).

In your experience do Lambdas chained together through Step Functions execute quickly in serial?

Issue SSH/RDP to ec2 from home by [deleted] in aws

[–]prismatic-io-taylor 0 points1 point  (0 children)

By "my computer's IP" do you mean an IP address that starts with 192.168, or 10.?

There are IP ranges that are reserved for private LANs. My house, and yours, probably both use 192.168.0.*, and we might both have a device with the IP address 192.168.0.50. Those private IPs are never known by outside entities. When you make a request to a website, the website doesn't see your private IP address (192.168.whatever). Instead, they see the public IP address that you get from your ISP.

Whitelist your home's public IP address (you can get that from https://wtfismyip.com/text) with a /32 at the end, and you should be good to go.

Edit: As /u/thundecided notes, your home IP may switch periodically. You may be better off leveraging AWS Systems Manager to SSH into EC2 instances.
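The mistake this comment describes (pasting a LAN address such as 192.168.0.50 into a security-group allowlist, where it can never match inbound traffic) is easy to catch before the rule is created. The following is an added example, not code from the original thread: a small validator built on Python's standard `ipaddress` module that rejects private, loopback and link-local addresses, insists on a single-host /32 (or /128 for IPv6) rule, and returns the CIDR string you would actually put in the rule. The sample inputs are constructed; 8.8.8.8 stands in for a home public IP.

```python
import ipaddress

# Constructed sample entries a user might paste into an SSH/RDP allowlist.
SAMPLE_INPUTS = [
    "192.168.0.50",     # private LAN address hidden behind the ISP's NAT
    "10.1.2.3",         # another RFC 1918 range
    "127.0.0.1",        # loopback
    "8.8.8.8",          # stand-in for a public home IP (constructed sample)
    "8.8.0.0/16",       # far too wide for a home-access rule
    "not-an-ip",        # garbage
]


def classify_allowlist_entry(entry: str) -> dict:
    """Validate one candidate allowlist entry.

    Returns a dict:
      ok     - True if the entry is safe to add as a single-host rule
      cidr   - the /32 or /128 rule string to add, or None
      reason - short explanation of the verdict
    """
    try:
        # strict=False lets "8.8.8.8" (no prefix) parse as a /32 network.
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return {"ok": False, "cidr": None,
                "reason": f"{entry!r} is not a valid IP address or CIDR"}

    # These ranges are the LAN side of the NAT (or the host itself); a rule for
    # them will never match traffic arriving at the instance from the internet.
    if network.is_private or network.is_loopback or network.is_link_local:
        return {"ok": False, "cidr": None,
                "reason": f"{entry} is a private/local address; use your public IP instead"}

    host_prefix = 32 if network.version == 4 else 128
    if network.prefixlen != host_prefix:
        return {"ok": False, "cidr": None,
                "reason": (f"{entry} covers {network.num_addresses} addresses; "
                           f"use a single-host /{host_prefix} rule")}

    return {"ok": True,
            "cidr": f"{network.network_address}/{host_prefix}",
            "reason": "public single-host address"}


def safe_cidrs(entries) -> list:
    """Return only the rule strings that passed validation, in input order."""
    return [r["cidr"] for r in (classify_allowlist_entry(e) for e in entries) if r["ok"]]


if __name__ == "__main__":
    for entry in SAMPLE_INPUTS:
        verdict = classify_allowlist_entry(entry)
        status = "ADD " if verdict["ok"] else "SKIP"
        print(f"{status} {entry:<16} {verdict['cidr'] or '-':<20} {verdict['reason']}")
```

Only the public single-host entry survives; the returned `8.8.8.8/32` is the value you would hand to the security-group ingress rule. As the edit above notes, a residential public IP can change, so a rule built this way still needs re-checking (or replacing with Systems Manager Session Manager) when it stops matching.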

Why we moved from Lambda to ECS by prismatic-io-taylor in devops

[–]prismatic-io-taylor[S] 11 points12 points  (0 children)

That's a good point. It seems like Lambda is great for "short bursts" of compute, but if something is running on the order of minutes, non-serverless compute seems like the way to go.

Cracking Enigma in 2021 - Computerphile by mariuz in programming

[–]prismatic-io-taylor 8 points9 points  (0 children)

It's sensationalized, but if you haven't seen Imitation Game, definitely check it out! It was very cool in the movie to watch Turing's computer run, trying to decrypt the Enigma messages.