I’m not an AI sceptic. I’m a people sceptic.
I’m currently working on adding an OAuth/OIDC authorization server at work. Claude told me twice, on different occasions, to just implement the OAuth provider from scratch. No library, just raw-dog OAuth and OIDC completely from scratch. It said it would be worth it, because it’s only ~500 LOC.
Sure bro. It’s 500 LOC until it’s not anymore. Until you need to add the next OAuth grant.
I wasn’t interested in building it myself, and I didn’t ask for it. I had already installed node-oidc-provider and simply asked Claude to create the necessary configuration and fill it with some examples so I don’t have to read through the docs. That’s when it told me the library doesn’t support what I wanted (comparing hashed client secrets) and that we should instead build everything ourselves.
Of course the library supports it. It supports freaking everything. node-oidc-provider’s docs aren’t great, but that’s exactly why I asked Claude to research it for me in the first place.
Implementing this yourself is horrible advice. Never implement auth from scratch, especially not an OAuth/OIDC provider, unless you’re doing it for the lulz (to learn), or because you’re creating a standalone project that you intend to maintain responsibly for years.
The first time Claude suggested building it myself was in the initial plan. I explicitly said “wtf no, we won’t build this from scratch” and changed it. It was so convinced that rolling our own OAuth was the better solution that it suggested it again anyway.
I’m experienced enough to know this. I’ve added OAuth flows on multiple occasions in the past.
But what if I wasn’t? What if I were a junior dev? Or a pure vibe coder?
That scares the shit out of me.
I think I’m very good at structuring code. It’s my favorite part of programming. I have a good gut feeling for it. Claude is my bitch. It’s here to do what I don’t like to do. It’s not very good at structuring code. So I provide the structure: files, boundaries, functions, interfaces. It’s fun, I know it will be good, and I can do it fast. Claude does the boring implementation work.
Seeing how Claude structures code on its own scares me. It’s often short-lived and headed toward a large refactor. That’s where bugs and regressions happen. This concern isn’t new, because humans do this too. But the speed and volume at which we can now do a major refactoring has changed dramatically.
I’m scared of a future where the apps and tools I use are unstable, where you constantly encounter bugs and hear about more and more avoidable security issues.
This can be solved with AI. You can run security reviews, architecture reviews, or enforce strong code guidelines with agents. But to do that, you need expertise. You need to understand why certain things are non-negotiable, like never raw-dogging an authorization server. And right now, I don’t see enough people talking about that.
I’m not scared or sceptical of AI. I’m scared and sceptical of people. Sometimes even of myself.

