Everyone who tries to sell you "zero trust" security is lying - what about the trust in them?
It is amazing how a company like Okta, which has had multiple security incidents (including a recent one where hackers accessed all customer data), can still claim to be the "World's #1 Identity Platform" on its web site.
The concept of outsourcing security is problematic by nature, and having it centralised in a single service provider (like Okta) is a ticking time bomb.
If an OpenID Connect (OIDC) provider (e.g. Google, Microsoft, etc.) or its staff is compromised or malicious, it could impersonate users across every application or client that relies on it for authentication. For example:
Control Over ID Tokens:
The OIDC provider generates and signs ID tokens. If it is malicious or compromised, it can generate valid tokens that claim to represent any user, effectively impersonating them.
Access to User Credentials:
A hacked provider could capture usernames, passwords, or other credentials during the authentication process.
Authorisation Code Interception:
If the provider is compromised, it can manipulate or forge authorisation codes, bypassing the normal security measures.
API Access via Access Tokens:
If the provider also issues access tokens for APIs, a hacker could misuse them to gain unauthorised access to user resources.
Federated Identity Implications:
If the provider integrates with other identity providers (e.g. via SAML or LDAP), a compromise at one level could cascade into the other connected systems.
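To make the first point (control over ID tokens) concrete, here is an added example, not from the original post, of a relying party validating an ID token with every check OIDC Core asks for, and why none of those checks can tell a token the provider minted on its own from one issued after a real login. The issuer, client id, signing key and subject names are constructed; HS256 is used only so it runs with the Python standard library, the trust argument is identical for RS256 where the provider alone holds the private key.

```python
import base64, hashlib, hmac, json, time

# Constructed example values; HS256 keeps this standard-library only. With RS256 the
# provider alone holds the private key, and the trust argument is identical.
PROVIDER_KEY = b"constructed-example-hs256-key"
ISSUER = "https://idp.example.test"
CLIENT_ID = "rp-example-client"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(sub: str, nonce: str, now=None) -> str:
    """Provider side. Nothing here proves `sub` logged in: a compromised or
    malicious provider can mint a fully valid token for any subject it likes."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub,
                                 "nonce": nonce, "iat": now, "exp": now + 300}).encode())
    sig = hmac.new(PROVIDER_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_id_token(token: str, expected_nonce: str, provisioned_subjects: set, now=None) -> tuple:
    """Relying-party side: the checks OIDC Core 3.1.3.7 requires, plus a local
    allowlist so the blast radius is limited to accounts the RP already knows."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(PROVIDER_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    # Every check below is satisfied by a token the provider mints for a victim
    # without that user ever logging in; only the last one limits the damage.
    checks = [(header.get("alg") == "HS256", "unexpected alg"),
              (claims.get("iss") == ISSUER, "wrong issuer"),
              (claims.get("aud") == CLIENT_ID, "wrong audience"),
              (claims.get("exp", 0) > now, "expired"),
              (claims.get("nonce") == expected_nonce, "nonce mismatch (replay or cross-session)"),
              (claims.get("sub") in provisioned_subjects, "unknown subject: reject, never auto-provision")]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "accepted"
```

Calling `verify_id_token(issue_id_token("alice", nonce), nonce, {"alice"})` returns `(True, "accepted")` even though nobody logged in as alice, which is the whole problem; the allowlist only turns away subjects the RP never provisioned.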