I agree that one should push back, but I suspect we have different notions of when to do that (which is fine, my approach here is not fixed in stone). Making a page needlessly dynamic would be a concern for me if it violates business rules or for whatever reason harms the overall system. But if it doesn't do that, and it genuinely does make the business and users happy, then I'm happy to do it and then get a bit of leverage to take some time to tackle tech debt that needs addressing on the backend.
We are using it for our apps, but I can see why people do not use it for new projects:
1. The state of C++ is not great. Few developers, C++ footguns, complicated build systems, and generally slow progress, see my https://arewemodulesyet.org/
2. How Qt presents and licenses itself. Either you go LGPL or you have to pay big money for a commercial license, which will then infect all other apps as well. For example, when you have two Qt apps that talk to each other you must license _both_ commercially.
3. The split of Widgets and QML makes the ecosystem fragmented, because Widgets will never die. Even the Qt devs themselves are split about this. You can see this when example code for a new feature uses Widgets. QtCreator is also a nice example, where they reverted some new QML code quite a while ago and have not substantially added any new QML code since then.
4. Tooling: We use QML for everything and the tooling is not great. The language server is still super flaky and breaks, and developer tooling like the Chrome Dev Tools is virtually nonexistent.
5. Packaging is still also not great but has gotten better in the last few versions where Qt creates a deployment cmake script for you, but you still need logic for your own (vcpkg) packages.
Those are not native (on desktop) in any sense of the word. They don't use native controls. For that, you want WX or SWT, but those come with their own sets of problems.
On Windows, it's not even obvious what native is any more, even Microsoft just uses Web views. Mac is a bit better, but there are still 4 UI libraries to choose from (AppKit, UIKit through Catalyst, native SwiftUI and Catalyst SwiftUI).
I'm personally a fan of AppKit and Win32, but those are "dated" apparently.
I am working on the UI library and bindings for Go. Still not finished, but currently, the same app can be compiled for Win32, Cocoa, GTK2, GTK3, GTK4, Qt5, Qt6, and Motif. There is a web browser control, a GL canvas, and a regular canvas. I still work on the native table control, though.
IUP has custom-drawn controls for tables and cells (additional controls), and it uses another CD (canvas draw) library for that, not internal IUP Draw functions. I also started rewriting that to use the core IUP drawing functions instead. I also added a few more drawing functions, for rounded rectangles, bezier curves, and gradients. But ALL drivers, including Motif, have native table controls, so I really want to add one.
Edit: Also, the GLcanvas control now has an EGL driver, with native Wayland support for GTK3, GTK4, and Qt6 (needs private headers). I modernized a bit of everything, added support for APPID, DARKMODE, etc. Linux uses xdg-open rather than hardcoding browsers. Win32 driver is not using the Internet Explorer web control but the WebView2 with custom loader, on GTK, you do not have to worry about the WebKitGTK, it will find the correct library with dlopen, etc, etc. But, there is still a lot to do.
gp was using a more restrictive definition of "native controls". I.e. "o/s builtin UI controls" vs "framework canvas painted elements".
For Windows, "native" would be the classic Win32 UI "common control" elements from "Comctl32.dll"[0] that is directly used by older GUI frameworks such as Windows Forms. Those map to classic Win32 API CreateWindow(L"BUTTON", ...). In contrast, the newer frameworks of WPF and Xamarin Forms and Qt Quick "paints controls on a canvas" which are not "native" and makes every app UI look different instead of standardized "look & feel" of common controls.
But others include custom-canvas painting UI objects as "native" -- as long as it's not Electron.
It's worth noting that some cross-platform toolkits are non-native in the strict sense, but mimic each platform's native controls.
This is harder to get right than one might think; small differences in text rendering look very much alien to me, and user input handling that isn't exactly the same as the platform's native conventions will make me stumble every time I perform common operations.
In my experience, Qt does an excellent job with this. It's not technically native (except on KDE and other Qt-based desktops), but it looks and feels right, or so close that I find it comfortable and well integrated with the rest of each platform I've tried. I haven't found any other cross-platform toolkit to match Qt in this area, so that's what I use for now.
Some day, I hope we'll see an alternative that accomplishes this at least as well as Qt, while being more flexible to license, easier to bind to other languages, and better at memory safety. (It's written in C++.) There seems to be renewed interest in GUI toolkit development lately, perhaps fueled by the excitement for newer languages like Zig and Rust, so perhaps I'll get my wish.
As far as I can tell, Qt Quick doesn't have anything like the same set of polished widgets that integrate nicely into the target platform. It's been this way for years, they just don't seem interested in implementing them.
I wouldn't exactly call Flutter native. It uses its own rendering engine and doesn't necessarily behave like operating system native controls. It is not really different from using Electron.
Using Electron at least uses some UI primitives from Chromium. Flutter has thrown away all the usability and robustness of existing components and just reimplemented everything. It absolutely is different from Electron.
"Native" seems to mean different things to different people. I'm mostly with you on this, but the tides are turning. In any case, the other 3 do use real native widgets.
Of course, there's no need for them to be. But this conversation started out with "why do people use web based UI solutions?" and "because there is no proper UI library that does cross platform as well as the web".
Making good GUI software requires a lot of iteration and trial and error before you're satisfied with the UI and UX. With a web-based tech, you make a change, auto reload triggers, you see the change almost instantly, making tweaking very easy. If you're working with a large Qt codebase, every little change to a header file requires a long-ass compile time. It's really frustrating when you spend an hour just tweaking a few controls when you know it could have taken 5 minutes. Also, the reactive model as seen in web frameworks like React or Vue is much superior to the typical flow of state management in retained mode GUI applications in desktop frameworks. Until we have a decent solution that solves these problems, people will continue using tech like Electron or OS web views.
On the other hand, the developer convenience offered by Electron et al. comes by sacrificing runtime efficiency. It's astonishingly wasteful of resources, and that waste gets multiplied by every computer that runs the program, and every time it is run. The long-term costs saved by the developer are thereby amplified and pushed onto the users, in the form of shorter hardware upgrade cycles (and potentially increased electricity usage).
Just as a book will be read many more times than it is written, the burdens associated with a program's architecture will be borne many more times (collectively) by its users than by its developer. This is why I avoid web-based tech when building applications.
Relatedly, I'm glad to see that sustainable computing has begun showing up in global discourse.
It takes half a day to implement proper hot reload in QtQuick, which also has all the reactive features. Even less now that AI can just write it for you, and it’ll be more performant than Vite dev builds.
Coming to desktop app development from the web, I’ve got most of the same conveniences I’m used to like GammaRay as the inspector. The only real difference is I’m willing to wade through cmake and linking errors.
Even QWidgets is still super fast to develop with if you’re using PySide (although hot reload is a bit more difficult to implement and distribution becomes the nightmare).
QML is not native, PySide uses Python. If you pick either of those, you lose native controls and low level language for performance, so again, may as well use web-based tech. Especially since HTML/CSS supports significantly more styling/animating options than QML.
But I already know how to write a web app, I don’t know how to write a desktop app. It’s faster to just write and wrap a web app, and as far as most people can tell, it works just fine.
To me, this argument always sounds like someone is being forced or threatened into creating a desktop app. It was never supposed to be easy; the goal is to create an app that users would want and will actually use.
I have been programming since 1986, have enough knowledge across several platforms, even though in 2025 distributed systems + Web UI pays the bills, I can still easily code native in a couple of UI frameworks.
Doing native UIs is only a matter of actually wanting to learn how to do it.
It's fast, quick, and easy, but it's peak programmer UI. It's pretty unattractive, does not integrate well with its host OS (in terms of behavior), and does not integrate at all with accessibility tools.
It's a long-winded article, even for a lawyer, but the payload seems to be a crack at the head of the RIAA, which is suing Midjourney.
"In other words, Glazier doesn't want these lawsuits to get rid of Midjourney and protect creative workers from the threat of AI – he just wants the AI companies to pay the media companies to make the products that his clients will use to destroy creators' livelihoods."
I don’t find it long winded. It just gives background and makes a bunch of valid points.
Mainly that creatives are being screwed because every time they get given extra rights they’re bullied into selling them for nothing.
So this right that they get the copyright back after 35y is different - because you can’t be forced to sell it for nothing.
We need more laws like this to help creative people make the money they deserve. Most creative people make a pitiful amount of money while studios / publishers / labels do better and better. It’s not sustainable.
It's a readable and enjoyable text about a complex issue. You can't really distill anything about copyright without actually talking about history, relevant examples, and how it affects other industries, or other creative works, or...
> The conclusion here is clear: the industry will want different things from you as it evolves, and it will tell you that each of those shifts is because of some complex moral change, but it’s pretty much always about business realities changing. If you take any current morality tale as true, then you’re setting yourself up to be severely out of position when the industry shifts again in a few years, because “good leadership” is just a fad.
Institutional rhetoric at high levels is always meant to manipulate labor markets, financial markets, popular opinion. This is basic worldly-wisdom. The question is how does one (who is not at a high level) survive the recurring institutional changes? There seem to be two approaches to an answer: Do one's professional best regardless of change, or try to anticipate changes and adjust with the wind. For the first, gods may bless you, but it is folly to think your bosses will respect you. For the second -- good luck, you're running with bulls. Either way, the pill to swallow is that most employees including managers are grist to the mill.
It's generally a symbiotic relationship though, as the workers grow their own resume while helping their boss grow theirs (and generally the boss is growing his own while helping his boss grow theirs and so on. Sometimes it goes all the way up where even the founder just wants that lifestyle subsidized by investor money and does not care to actually ever build a profitable product).
This kind of perverse incentive comes up when the rank and file has no meaningful way to profit off the company's success, and so it instead becomes more profitable (in future profits from the inflated resume, or kickbacks/favors from vendors, etc) to act against the company. Just like in security bug bounties, companies should reward their employees more than an external malicious actor would, otherwise they will choose the rational option.
Really sharp reasoning. This can be reversed to define an extraordinary manager: don't care about your head count and just be a fucking grown up whose emotional state does not depend on his team's performance. IMHO this results in having a high head count and a team performing pretty well. Kinda stoic wisdom. Go and figure...
> the pill to swallow is that most employees including managers are grist to the mill
Meaning that employees are disposable, and their only purpose is to produce value for the business.
Your reply:
> Businesses exist to make money. If you want a commune instead, join one!
Thus agreeing with the parent that the sole purpose of a business is to make money above all else.
My reply:
> That's not the only reason why businesses can exist.
Your reply:
> Tell us about a business that does not exist to make money.
This is rhetorical sleight-of-hand to change the counterpoint from "prove me wrong by showing me a business whose purpose is not to maximally exploit employees to maximize the amount of money it makes" to "prove me wrong by showing me a business that does not make money".
I could respond to the latter with an easy "some businesses lose money and exist because the owner finds the process fun", but you could counter with the No True Scotsman of "a business that doesn't make money is a hobby, not a business".
Instead, I will respond to the former, which is the original point, and say that there are plenty of mom-and-pop (or larger) businesses, as well as cooperatives, whose goals are not actually to exploit the worker to maximize the amount of money they make, but is primarily to give the owners a good work/life balance, or to help their community, or to be owned collectively by all workers.
The American-style "walk over anyone to make money" isn't actually the only way to do business, but the kind of person who thinks it is will generally make the tautological argument of "if you aren't maximizing your profits, you aren't a real business".
I know of no business that does not involve making money.
I know of many businesses for which making money is not the primary reason to exist. And the majority of businesses do not try to maximize profit at all costs, even when their primary reason for existence is to make money.
Random example: I know someone who teaches singing. She no longer employs other people, but has done so in the past. The IRS agrees that it is a business. She makes money from it and depends on the money from it. She has other skills that would earn her more money elsewhere. If her business made moderately more money but no longer taught anyone to sing better, she would stop running the business and do something else.
If you're going to say that the business's existence depends on the function of making money, as in if that purpose were removed then it would be called a hobby and not a business, then that's a No True Scotsman argument and it's pointless to discuss.
There's that strawman again. The rest of your argument depends on that, and so is invalid.
I know lots of people who started businesses with the intention of making money (including me). None of them were willing to go at it "at all costs". I don't know where you get this strawman.
It's from the post you replied to, from the part you quoted:
> the pill to swallow is that most employees including managers are grist to the mill
You can't pretend that this part of the conversation doesn't exist simply because you didn't write those words. You were replying to someone who very specifically said this, you were agreeing with them, and to then basically claim "oh I didn't write it, I merely heavily implied it by agreeing with the parent" is disingenuous.
Dammit, Walter, did you not read any of the very extensive comment? It was an entire treatise about why that exact line is misleading and in bad faith, and you reply with it anyway?
It's not at all in bad faith. Businesses are formed to make money. If the IRS discovers that your business is not intended to make money, they will re-define it as a "hobby" and will not let you deduct expenses.
Surely you can give an actual example of a business not formed to make money?
P.S. When you talk about bad faith, I recommend that you do not invent things I did not write, put those things in quotes pretending that I did write them, and then argue with that strawman.
Your answer seems in bad faith because it ignores parts of the answer like this:
> "Instead, I will respond to the former, which is the original point, and say that there are plenty of mom-and-pop (or larger) businesses, as well as cooperatives, whose goals are not actually to exploit the worker to maximize the amount of money they make, but is primarily to give the owners a good work/life balance, or to help their community, or to be owned collectively by all workers"
Those are not hobbies and will not be categorized as such.
The point is that the goal of making money is not necessarily meant at the cost of crushing employees or considering them disposable. The person you're replying to is saying that's a very US-centric way of looking at businesses (e.g. maximize shareholder value even if it costs happiness) but that's not necessarily the only way of making money. It's very cynical to think it's the only way, because it reinforces the status quo (what are you going to do if you don't like it? That's business, join a commune instead!).
> The point is that the goal of making money is not necessarily meant at the cost of crushing employees or considering them disposable.
I never wrote that it was.
But as an employee, you and the business sign a contract in advance. The contract spells out the obligations of the company to the employee, and the obligations of the employee to the company. If you expect more than that, negotiate it as part of your agreement.
Also, if the company does not make money, how are the employees going to get paid? The company has to cut expenses, and that means some of the employees have to be let go. Companies also regularly evaluate employees, and if they are not delivering value in excess of what they cost, they'll be let go.
Yes, you can be let go. You'll also get the severance package you agreed to in your employment contract. You can also quit at any time for any reason. It's a fair arrangement. It's not a marriage.
It's ridiculous to expect every single aspect of the employer-employee relationship spelled out in the contract. There are - or should be - certain societal expectations that the employer will not cause undue stress or unhappiness on the worker. This must not be negotiated in a cutthroat manner; that's such an American thing to expect (which was partly stavros' point, I believe).
There are other ways to conduct business that are less exploitative without requiring a specific clause in the contract saying the employee will be treated well.
Companies lay off employees for all sorts of evil reasons unrelated to "we will go under otherwise". There's reason to believe the "great layoffs season" of a few years back was at least partly an act of collusion by big tech companies (which it then cascades to smaller companies) which had more to do with regulating down wages than with them risking going under.
Someone mentioned a few weeks back Nadella's memo explaining some big layoffs at Microsoft where he rambled about how it seemed contradictory that the company was doing so well yet they were letting go so many employees "which we've known and learned from for years" yet "the Lord works in mysterious ways" (ok, I made up this last phrase, but what he said amounted to the same). He failed to point out a single specific reason, and in particular he never mentioned "or else Microsoft's profits will go down" or whatever. I guess if Microsoft ex employees don't like it they can go join a commune!
P.S. as an example of how American this is, in some countries companies cannot simply let someone go unless they can provide legal reasons for this (bad performance beyond all fair chances, justified cost cuttings, etc). You can argue whether this is good or bad, but the point is: there is more than one way of conducting business.
> It's ridiculous to expect every single aspect of the employer-employee relationship spelled out in the contract.
It's not necessary to spell out in the contract what the legal requirements are.
The words "exploitative" and "treated well" are very fuzzy words, and everyone has a different idea of what they mean.
> for all sorts of evil reasons
Then the employee can press charges or sue.
> regulating down wages
How that works out in the real world is companies cheat on these cartels. Remember when Jobs complained that Google was violating their "no poaching" agreement? Cartels are unstable and unable to enforce their cartels, so they don't really work.
Nadella does not need to justify his layoffs. If they don't fit into Microsoft's plans, they get laid off. Microsoft does not owe them a job. BTW, I know many people who have left Microsoft for a panoply of reasons. Many went to other companies, many started their own, some succeeded, some didn't, some went back to Microsoft. It's a chaotic, dynamic system. I also know some that made incredible fortunes off of their stock options. How horrible that Microsoft minted tens of thousands of multimillionaires out of their employees! Some even into 9 figures. What a hell-hole! Microsoft is probably the worst example you could mention as an evil employer.
Dummy me that didn't get hired on by MSFT in the 1980s. Or I shoulda invested everything I had into MSFT stock. When I went to the doc for a catscan, I asked the operator to set the dial to 1987 so I could tell my foolish earlier self to buy buy buy MSFT! Sadly, the catscan machine had the side effect of wiping my memory of the trip.
> You can argue whether this is good or bad
It's bad, because it makes businesses highly reluctant to hire people, which makes the economy less prosperous.
Only if his goal is to make money at all costs, which is the stance you're taking even if you protest you are not.
> It's bad, because it makes businesses highly reluctant to hire people, which makes the economy less prosperous.
(I preempted your reply, because it wasn't the point to debate whether employee protection regulations are right or wrong; the point was to show you there are different ways of conducting a business that are not merely about making maximum money).
Again, this (and pretty much everything else you wrote in your last comment) is a very American way of doing business, precisely stavros' point.
Thankfully there are other, more respectful ways, as others have pointed out repeatedly and you insist on ignoring.
> How horrible that Microsoft minted tens of thousands of multimillionaires out of their employees!
Complete non sequitur, since you're so fond of calling out logical fallacies.
> Dummy me that didn't get hired on by MSFT in the 1980s
Yes, I'm sure you'd be a millionaire and would be spared arguing with random guys on HN. Life's a bitch.
> Surely you can give an actual example of a business not formed to make money?
Why? That was never claimed. The claim was that businesses can have other reasons for existing in addition to making money. Furthermore, those other reasons can be a higher priority for a particular business.
This implies that this is the primary reason businesses exist. Or did you mean "that's just one reason, it might even be very low on the list of reasons, but it is one"?
Because, if you meant that, I don't know why we're arguing about meaningless pedantry and conversational sleight of hand.
FWIW, I enjoyed and agree with your thoughtful comment, and found the response disappointing. Having known privately-owned mom-and-pop businesses, I can confirm not everyone is out for profit at all costs, even in America. For some, it's enough to make ends meet doing something you're passionate about.
> I can confirm not everyone is out for profit at all costs, even in America
Definitely, I didn't mean to imply that every business in the US wants to profit at all costs, I just meant that the culture skews towards that. The US culture towards work tends to have a certain response to cases like one where someone has a popular product/service/business but would rather maximize work/life balance than income.
In other cultures, that's seen as much more of a reasonable choice than in the US, where the response tends to be more on the "I can't believe you're giving up tons of profit for more free time!" or similar.
No offense taken, I totally get it. As an American, I think we're pretty screwed up in our priorities, on many fronts. I hope we all (globally) can figure out how to slow down and work less! Life's too short to spend so much time grinding for money.
You are arguing with "at all costs" which I never wrote, and so do not feel any need to reply to that.
Mom and pop businesses definitely do it to make money. They aren't charities. They pay taxes on the money they make. And if they don't make money, what are they going to live on?
Non-profits are not out to make money, but (again) they are not considered businesses.
Nobody argued pop & mom ("and larger") businesses don't strive to make money, the argument was that that's not their only goal.
We're arguing against your "at all costs" because you did imply it. Maximizing money earned at the cost of employees well being and happiness is ONE way of making money, but not the only way. You can earn money but not seek to maximize the money at the cost of burning out employees, for example.
Then you're arguing with yourself, because I never wrote "at all costs" nor did I imply it. It's your (rather ridiculous) strawman.
Consider I want to enter a marathon with the intention of winning it. Do you think that implies I want to club the other athletes so I can win "at all costs"?
But that's the kind of argument you're making by dismissing opinions that e.g. clubbing other athletes since winning is the most important thing is bad, and that if we don't like it we should "join a commune".
Others have already explained that while a business must make money, that's not always the most important thing, there are competing goals (not excluding money, but sometimes as important).
And if you didn't understand the original comment by stavros, then he clarified what he meant. So now you have the chance to stand corrected: he meant making money at the expense of all else, including worker happiness. This point has been made more than once already, you cannot have missed it.
> if you didn't understand the original comment by stavros, then he clarified what he meant
I understood his original statement, and did not impute additional meanings into it. None of you have accepted that I did not write "at any cost".
> clubbing other athletes since winning is the most important thing is bad, and that if we don't like it we should "join a commune".
And there you invented YET ANOTHER strawman to bash me with.
Frankly, I'd like you to produce a clever argument that challenges me. Using logical fallacies, like strawmen, is kinda boring. It's easy enough to google the list of logical fallacies, and then you'll be able to avoid them and it'll be much harder to dismantle your argument.
Yes, we all know the basic requirements of business.
The replies to your comment are push back against your attitude of "biz make money, don't like it join a commune", in the context of grinding up employees.
We're saying there's a middle ground, where some businesses will sacrifice some profit in exchange for taking care of their employees, instead of treating them as disposable.
Businesses exist to produce value for a society. In return, many societies provide ways for those businesses to profit. But this is outside the scope of the article or my comment on it. Profitable or unprofitable, business leaders today seem to impose chaos on their subordinates, and it can be difficult to know when and how to react.
> "There basics," well understood and judiciously applied, is where the bulk of TypeScript's value lies.
Yes, precisely. OP is also completely oblivious to the fact that TypeScript is designed to help developers gradually onboard legacy JavaScript projects and components, which definitely don't require arcane and convoluted type definitions to add value.
Constructing a new OAuth2/OIDC Identity Provider from the ground up is an undertaking fraught with complexity – and not of the elegant variety. The reasons are numerous, entrenched, and maddeningly persistent.
1. OAuth2 and OIDC are inherently intricate and alarmingly brittle – the specifications, whilst theoretically robust, leave sufficient ambiguity to spawn implementation chaos.
2. The proliferation of standards results in the absence of any true standard – token formats and claim structures vary so wildly that the notion of consistency becomes a farce – a case study in design by committee with no enforcement mechanism.
3. ID tokens and claims lack uniformity across providers – interoperability, far from being an achievable objective, has become an exercise in futility. Every integration must contend with the peculiarities – or outright misbehaviours – of each vendor’s interpretation of the protocol. What ought to be a cohesive interface degenerates into a swamp of bespoke accommodations.
4. There is no consensus on data placement – some providers, either out of ignorance or expedience, attempt to embed excessive user and group metadata within query string parameters – a mechanism limited to roughly 2k characters. The technically rational alternative – the UserInfo endpoint – is inconsistently implemented or left out entirely, rendering the most obvious solution functionally unreliable.
Each of these deficiencies necessitates a separate layer of abstraction – a bespoke «adapter» for every Identity Provider, capable of interpreting token formats, claim nomenclature, pagination models, directory synchronisation behaviour, and the inevitable, undocumented bugs. Such adapters must then be ceaselessly maintained, as vendors alter behaviour, break compatibility, or introduce yet another poorly thought-out feature under the guise of progress.
All of this – the mess, the madness, and the maintenance burden – is exhaustively documented[0]. A resource, I might add, that reads less like a standard and more like a survival manual.
None of this rings true, and I've implemented both OAuth2 and OpenID Connect multiple times, also reading the specs, which are quite direct. I'm sure you're right that vendors take liberties -- that is almost always the case, and delinquency of e.g. Okta is what started this thread.
I have also designed and implemented enterprise grade OAuth2 / OIDC IdPs.
Beyond the aforementioned concerns, one encounters yet another quagmire – the semantics of OIDC claims, the obligations ostensibly imposed by the standard, and the rather imaginative ways in which various implementations choose to interpret or neglect those obligations.
Please allow me to illustrate with a common and persistently exasperating example: user group handling, particularly as implemented by Okta and Cognito. The OIDC spec, in its infinite wisdom, declines to define a dedicated claim for group membership. Instead, it offers a mere suggestion – that implementers utilise unique namespaces. A recommendation, not a mandate – and predictably, it has been treated as such.
In perfect accordance with the standard’s ambiguity, Okta provides no native «groups» claim. The burden, as always, is placed squarely upon the customer to define a custom claim with an arbitrary name and appropriate mapping. User group memberships (roles) are typically sourced from an identity management system – not infrequently, and regrettably, from an ageing Active Directory instance or, more recently, a new and shiny Entra instance.
Cognito, by contrast, does define a claim – «cognito:groups» – to represent group membership as understood by Cognito. It is rigid, internally coherent, and entirely incompatible with anything beyond its own boundaries.
Now, consider a federated identity scenario – Okta as the upstream identity provider, federated into Cognito. In this scenario, Cognito permits rudimentary claim mapping – simple KV rewrites. However, such mappings do not extend to the «cognito:groups» structure, nor do they support anything approaching a nuanced translation. The result is a predictable and preventable failure of interoperability.
Thus, despite both platforms ostensibly conforming to the same OIDC standard, they fail to interoperate in one of the most critical domains for medium to large-scale enterprises: user group (role) resolution. The standard has become a canvas – and each vendor paints what they will. The outcome, invariably, is less a federation and more a fragmentation – dressed in the language of protocol compliance.
> I've implemented both OAuth2 and OpenID Connect multiple times
Whilst I do not doubt that you have made multiple earnest attempts to implement the specification, I must express serious reservations as to whether the providers in question have ever delivered comprehensive, interoperable support for the standard in its entirety. It is far more plausible that they focused on a constrained subset of client requirements, tailoring their implementation to satisfy those expectations alone at the IdP level and nothing else. Or, they may have delivered only the bare minimum functionality required to align themselves, nominally, with OAuth2 and OIDC.
Please allow me to make it abundantly clear: this is neither an insult aimed at you nor an indictment of your professional capabilities. Rather, it is a sober acknowledgement of the reality – that the standard itself is both convoluted and maddeningly imprecise, making it extraordinarily difficult for even seasoned engineers to produce a high-quality, truly interoperable implementation.
> I'm sure you're right that vendors take liberties -- that is almost always the case, and delinquency of e.g. Okta is what started this thread.
This, quite precisely, underscores the fundamental purpose of a standard – to establish a clear, concise, and unambiguous definition of that which is being standardised. When a standard permits five divergent interpretations, one does not possess a standard at all – one has five competing standards masquerading under a single name.
Regrettably, this is the exact predicament we face with OAuth2 and OIDC. What should be a singular foundation for interoperability has devolved into a fragmented set of behaviours, each shaped more by vendor discretion than by protocol fidelity. In effect, we are navigating a battlefield of pluralities under the illusion of unity – and paying dearly for the inconsistency.
Needless to say, OAuth2 and OIDC are still the best that we have had, especially compared to their predecessors, and by a large margin.
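The per-provider group-claim adapter discussed in the comments above, as an added example (not code from the thread or from either vendor). It reads group membership only from the claim configured for the token's issuer and fails closed otherwise. The issuer URLs, the Okta-side custom claim name and the sample claim sets are constructed assumptions; `cognito:groups` is the claim named in the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupClaimAdapter:
    issuer: str  # exact "iss" value this adapter is trusted for
    claim: str   # the one claim that carries group membership for that issuer

# Constructed configuration. The Okta-side claim name is whatever the tenant
# admin defined (hypothetical here); "cognito:groups" is Cognito's own claim.
ADAPTERS = {a.issuer: a for a in (
    GroupClaimAdapter("https://idp.example.com/oauth2/default",
                      "https://example.com/claims/groups"),
    GroupClaimAdapter("https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE",
                      "cognito:groups"),
)}

class UnknownIssuer(Exception):
    """Raised when no adapter is configured for the token's issuer."""

def resolve_groups(claims):
    """Map already-verified ID token claims to a frozenset of group names."""
    issuer = claims.get("iss")
    adapter = ADAPTERS.get(issuer) if isinstance(issuer, str) else None
    if adapter is None:
        raise UnknownIssuer(repr(issuer))  # fail closed: never guess a claim name
    raw = claims.get(adapter.claim)
    if raw is None:
        return frozenset()  # no membership asserted means no groups
    if isinstance(raw, str):
        raw = [raw]  # assumption: some mappings emit a single string
    if not isinstance(raw, list) or not all(isinstance(g, str) for g in raw):
        raise ValueError(f"malformed group claim {adapter.claim!r}")
    return frozenset(g for g in raw if g)

# Constructed sample claim sets (signature, aud and exp checks happen earlier).
OKTA_CLAIMS = {"iss": "https://idp.example.com/oauth2/default", "sub": "00u1",
               "https://example.com/claims/groups": ["admins", "billing"]}
COGNITO_CLAIMS = {"iss": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE",
                  "sub": "c0ffee", "cognito:groups": ["admins"]}
# A claim from another provider's namespace is ignored for this issuer.
CROSSED_CLAIMS = {"iss": "https://idp.example.com/oauth2/default", "sub": "00u2",
                  "cognito:groups": ["admins"]}

if __name__ == "__main__":
    for sample in (OKTA_CLAIMS, COGNITO_CLAIMS, CROSSED_CLAIMS):
        print(sample["sub"], sorted(resolve_groups(sample)))
```

Keying the claim name on the issuer, rather than trying every known group claim in turn, keeps a claim minted under one provider's convention from granting roles in a token issued by another.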
I grew up poor, but with two competing narratives about poverty filling our ears at home. You see, my mother came from a well-off upper middle class ("prep") family, and my father came from generational poverty in Appalachia ("trailer trash"). They met in D.C. where he was a soldier and she worked at the Treasury.
Due to my mother's urging, he ended up being the first of his family line to graduate from college -- however, he didn't perform well in his profession, became more or less unemployable, and we ended up back in Appalachia. Here Mother refused to work in protest, while Dad bartered, bargain-hunted, salvaged, gardened, and begged to keep us in food and shelter.
His narrative was that poverty isn't so bad, he'd enjoyed a dirt-floor lifestyle as a kid, if you get sick or someone dies it's not worth dwelling on. Keep your chin up, argue with the bank, eat junk food, tell jokes before bed till everyone cries laughing. "What you going to do about it? There's nothing you can do about it." Her narrative was that anyone can be rich with enough effort. One has to work with complete dedication, sleep little, constantly increase one's education, one's social network, personal abilities -- it's an endless fight that should be taken on with zeal. "There's always room at the top."
I've pushed to realize my mother's doctrine, with very mixed success, and I've often been glad to have my dad's absolution to fall back on.
We were burned by Aurora. Costs, performance, latency, all were poor and affected our product. Having good systems admins on staff, we ended up moving PostgreSQL on-prem.
Okay, but on the other hand maybe you should do the right thing and say no.