The continued anticipated funeral dirge for Apple

"It’s a common refrain these days — just search Google for 'Apple is too dependent on the iPhone'.
Arguing that Apple is in trouble because the iPhone is so popular is like arguing that the ’90s-era Chicago Bulls were in trouble because Michael Jordan was so good."
- John Gruber, Daring Fireball 

Five basic laws of devops in this age


1. The best way to troubleshoot a problem is to give a dumb solution on the Internet. You will be flooded with corrections.

2. DevOps are promoted according to their level of ability. Once they reach a position they're not capable of handling, they won't be promoted any more. But they will stay in the position they can't handle.

3. There is no security encryption scheme that doesn't have a way to be hacked.

4. Code reviews are very good at helping make buggy code more readable. So they got that going for them.

5. The probability of being called an idiot varies directly with the number of comments posted in a discussion.






How to set your session length with mod_auth_openidc

There are two things to set:

# (Optional)
# Interval in seconds after which the session will be invalidated when no interaction has occurred.
# When not defined, the default is 300 seconds.
OIDCSessionInactivityTimeout 3600

And then you can also set:

# (Optional)
# Maximum duration of the application session
# When not defined the default is 8 hours (3600 * 8 seconds).
# When set to 0, the session duration will be set equal to the expiry time of the ID token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
OIDCSessionMaxDuration 24000

When the "Satisfy Any" directive f***s your OpenID Connect conf file

Suppose you are using the Apache module mod_auth_openidc (auth_openidc_module) for your OpenID Connect authentication. Be careful how you set up your Location directive:

        OIDCRedirectURI https://www.YOURDOMAIN.com/oauth2callback
        OIDCCryptoPassphrase <password>
        OIDCScope "openid email"

        # Protect the top level of the site
        <Location />
          AuthType openid-connect
          Require valid-user
          Require claim hd:YOURDOMAIN.com

          # Intended IP whitelist
          Allow from SOME IP ADDRESS
          Satisfy any
        </Location>
      
This part of the conf file is supposed to mean that you are using authentication via OpenID Connect at the top level of the website. It also whitelists requests from a specific IP address, which allows them to bypass OpenID Connect. But it won't work this way. You'll find that Satisfy Any suddenly allows access from any IP address without authentication: with no Deny rule in the block, the host-based check lets every client through by default, and Satisfy Any only needs one of the two checks (host or authentication) to pass. The solution is to have a default deny directive:

        OIDCRedirectURI https://www.YOURDOMAIN.com/oauth2callback
        OIDCCryptoPassphrase <password>
        OIDCScope "openid email"

        <Location />
          # Deny every host by default; only the Allow line below is exempt
          Order deny,allow
          Deny from all

          AuthType openid-connect
          Require valid-user
          Require claim hd:YOURDOMAIN.com

          Allow from SOME IP ADDRESS
          Satisfy any
        </Location>
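
A small Python model of the Order/Allow/Deny and Satisfy evaluation described above, run against both blocks. It is an added example, not part of the original post or of Apache; it treats "authenticated" as one boolean standing for all Require lines, and 203.0.113.10 and 198.51.100.7 are constructed addresses.

```python
import ipaddress

# Constructed sample blocks; 203.0.113.10 stands in for the whitelisted address.
BEFORE = """
AuthType openid-connect
Require valid-user
Allow from 203.0.113.10
Satisfy any
"""
AFTER = "Order deny,allow\nDeny from all\n" + BEFORE

def parse(block):
    """Collect the host-access directives from one <Location> body."""
    cfg = {"order": "deny,allow", "allow": [], "deny": [], "satisfy": "all"}
    for words in (line.split() for line in block.splitlines()):
        if len(words) < 2:
            continue
        key = words[0].lower()
        if key == "order":
            cfg["order"] = words[1].lower()
        elif key in ("allow", "deny") and words[1].lower() == "from":
            cfg[key] += [w.lower() for w in words[2:]]
        elif key == "satisfy":
            cfg["satisfy"] = words[1].lower()
    return cfg

def matches(ip, specs):
    addr = ipaddress.ip_address(ip)
    return any(s == "all" or addr in ipaddress.ip_network(s, strict=False)
               for s in specs)

def host_ok(cfg, ip):
    allowed, denied = matches(ip, cfg["allow"]), matches(ip, cfg["deny"])
    if cfg["order"] == "allow,deny":
        return allowed and not denied   # unmatched clients are denied
    return allowed or not denied        # deny,allow: unmatched clients pass

def access(cfg, ip, authenticated):
    """authenticated = the client satisfied every Require line (assumption)."""
    if cfg["satisfy"] == "any":
        return host_ok(cfg, ip) or authenticated
    return host_ok(cfg, ip) and authenticated

if __name__ == "__main__":
    for name, block in (("before", BEFORE), ("after", AFTER)):
        cfg = parse(block)
        for ip in ("203.0.113.10", "198.51.100.7"):
            print(name, ip, "unauthenticated ->", access(cfg, ip, False))
```

The "before" block admits the unlisted address without authentication; the "after" block admits it only once authenticated, while the whitelisted address still bypasses the login.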