IdPs like Microsoft, Google, Okta, Ping, etc do not want us to have a generic, pluggable interface to them.
If there were a simple, universal API spec:
You could swap providers easily.
You could avoid buying their bloated “client SDK” or “managed platform.”
You would cut into their lock-in and cross-sell opportunities.
So they intentionally keep the API surface incomplete and browser-tied. The SSO market is rent-seeking and moat-driven. Consistency undermines their margins.
The answer, as always, is rent-seeking economics.
Date: 2025-06-24 07:35 pm (UTC)