Hacker News

> Are you not outsourcing to an intermediary with Apple/FB/Google?

This is a product decision: it gets you better security (on average), brand association that may be good for the right product/SSO combination, easier signup (at least in theory), and in many cases is necessary for integrations with those services.

Using Hellō gets you better security (on average), but not as much as going direct. It loses some of the brand association, and in fact I'd suggest many users would probably want to whitelabel Hellō. It adds an extra step to sign-up over direct integrations. And it likely complicates integrations with the services.

> I'm sharing my experience. Apple requires a D&B number to register your app. Many require you to jump through their process for proving control of a domain. Microsoft requires you register as a partner if you don't want the scary unverified label. FB disabled Hellō for not having the correct link to the app, then disabled for not having a required term in our T&S.

These are all fair points!

Apple is a pain, in fact I wrote up a long post about all the issues, although I'm not sure Apple via Hellō solves the ongoing issues, only the initial setup cost? – https://danpalmer.me/2019-07-02-on-signing-in-with-apple/

Facebook will ban apps for all sorts of reasons, but having experienced the nasty end of this I unfortunately suspect that Facebook might take issue with it, and Hellō may become a single point of failure that could cause a FB login outage across many services.

> FWIW I don't use libraries for the OIDC flows -- I find it makes it more complicated than it needs to be. I do use libraries for any JWT work of course.

I've seen good ones and bad ones. The one that I was thinking of when I wrote my original comment was Django All Auth. It gives you much the same effect as Hellō, and in my experience setup of the library has not been difficult, and has made it easier to implement multiple flows quickly. Devise for Rails was a bit of a pain 9 years ago though.

It probably all depends on access to high quality libraries in your ecosystem of choice how much you value things like Hellō, and having a lot of Django experience I just don't really feel the value proposition.



As a developer, you don't know which provider the user has chosen, and the provider does not know which apps the user is using, improving privacy and resiliency.

> And it likely complicates integrations with the services.

If you want access to resources at the provider, such as Google Calendar, then you will need to directly integrate to get the access token. Hellō provides identity, not access to resources.



