So I started to look over again for self hosting #oidc #authn. #pocketid, #voidauth, and #hanko are the simplest. All #passkey focused.
Yet still, Pocket ID is by far the easiest to run. Strictly Unix-like, focused on doing one thing. But doing one thing really well. 😎
Over the last few days, I've plunged into finally trying to understand how all of this Auth stuff works. (The landscape of acronyms is almost as bad as the CORS one.) These are the videos/sites I would've liked to find from the beginning:
- The Auth Wiki from Logto, but only as a reference whenever some word is unclear (though that has duplicate pages for some reason)
- Illustrated Guide to OAuth and OIDC (YouTube)
- Everything you ever wanted to know about OAuth and OIDC (though the mentioned OAuth playground is currently broken, or so it seems)
- OAuth 2 Simplified (Blog Post), which has been expanded into OAuth 2 Simplified (Book)
# Not super-intuitive stuff
- A normal web client shouldn't have a client secret (makes sense if you think about it), and needs to use PKCE
- OAuth is only about _Authorization_ (read: authorizing the service you're currently logging in to, to access some resources on another service); OpenID Connect (OIDC) adds _Authentication_ (read: telling the service you're currently logging into who you are) to this.
- In my head, every service supporting OAuth (or OIDC, at least) also supported something called "Public Sign Up". But that's not the case, most of them actually don't (which makes sense, because _Authorization_ and _Registration_ don't even belong to the same area)
I've added a note about (me learning) Auth :)
#Auth #Authn #Authz #OAuth #OIDC #PKCE
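The "public client needs PKCE instead of a client secret" point from the post above, shown as an added example (not the poster's code): a client derives an S256 code challenge from a random verifier, a toy authorization server binds that challenge to the authorization code it issues, and a token request that cannot present the matching verifier is refused. The `AuthorizationServer` class and `demo()` are assumed names for this illustration.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server (constructed for this example) that remembers
    the challenge bound to each authorization code it hands out."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        if method != "S256":  # 'plain' sends the verifier itself in the front channel
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._codes.pop(code, None)  # codes are single use: replay fails
        if challenge is None:
            return False
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


def demo() -> tuple[bool, bool]:
    """Return (legitimate exchange accepted, code without its verifier rejected)."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier), "S256")
    accepted = server.token(code, verifier)
    code2 = server.authorize(make_code_challenge(verifier), "S256")
    rejected = server.token(code2, make_code_verifier())  # wrong verifier -> False
    return accepted, rejected
```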
A 14-page technical design document covering very specific auth needs ought to keep the client busy for a while.
#SystemDesign #ArchitectureDesign #AuthZ #AuthN #Auth
@mozilla.ai MCPD #proxy with plugin system - Enterprise Context Management with #AuthZ / #AuthN, #Observability, #Audit, Rate Limiting. Validates request/response structure. Transforms Content Payload. Apache 2.0 lic
#MCP #ContextEngineering #AI #LLM #OpenSource
Link in 💬👇
New in Pomerium 0.31: A self-healing file-based Databroker with no Postgres required.
www.pomerium.com/blog/self-he... #IdentityAwareProxy #ZeroTrust #authn #authz
Authentication via HTTP/3 is another key theme. SSH3 could integrate with modern methods like OAuth 2.0, enabling centralized identity management. This offers a path to simpler, web-centric access control for SSH. #AuthN 4/6
dev.to/dotnet/authe... - there's nuance in #ASPnet #authN. Thanks for walking through it github.com/softchris.
Heads up: FusionAuth was just named a Rising Star by KuppingerCole.
Their words: “Innovative vendors… with strong market potential and real product-market fit.”
Own your auth. Own your critical path.
🔗 fusionauth.link/41bCkOy
#ciam #infosec #authn #fusionauth #developerfirst
Wallets as both identity and authentication token... is there another way this can be done that doesn't bundle the two components 🤔 buff.ly/oXUdy34 #podcast #crypto #zklogin #web3security #authN
My DMV Wallet 🪪 working like a dream at the Hollywood-Burbank airport #SSI #AuthN #DigitalID #TrustTriangle
Confused by AuthN vs AuthZ? Not even sure what these abbreviations are?
Not sure where OAuth fits in all of this?
Sadukie recaps our "Auth Talk" webinar in this post:
https://blog.nimblepros.com/blogs/all-things-auth/
#AuthN #AuthZ #OAuth
In 5 minutes, Sadukie will be sharing insights on authentication, authorization, and OAuth on our YouTube channel!
Be sure to check it out here: https://youtu.be/-T8kJ1KVsp4
#TechTraining #OAuth #AuthZ #AuthN
Microsoft has fixed a Windows 11 24H2 and Server 2025 bug where passwords were failing to change, leading to authentication failures. #Microsoft #Windows11 #Authn
Default passwords (in this case voicemail PIN) strike again!
Many #AuthN systems support sending OTPs by phone call as an alternative/fallback to SMS (and it is an accessibility requirement). But they can't account for this attack vector.
(Oh, and use Signal, not Telegram)
#Identity #Security