Auth

OAuth 2.0

• RFC 9126 - OAuth 2.0 Pushed Authorization Requests
• RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)
• RFC 7591 - OAuth 2.0 Dynamic Client Registration Protocol
• RFC 8417 - Security Event Token (SET)

Phantom Token

• The Phantom Token Approach

Split Token

• The Split Token Approach

OAuth 2.0

• Client ID Metadata Documents
• OAuth2 Proxy - Reverse proxy that provides authentication with Google, Github or other providers.
• OAuth2 for Go
• OAuth 2.0 Security Best Current Practice (2020) (HN)
• OAuth 2 Simplified
• OAuth2 Rust - Extensible, strongly-typed Rust OAuth2 client library.
• OAuth in one picture
• yup-oauth2 - Utility library which implements several OAuth 2.0 flows. It’s mainly used by google-apis-rs, to authenticate against Google services.
• Everything You Need to Know About OAuth (2.0) (2020) (HN)
• OAuth 2.0 and OpenID Connect (in plain English) (2018)
• gologin - Go login handlers for authentication providers (OAuth1, OAuth2).
• ORY Hydra - Hardened, OpenID Certified OAuth 2.0 Server and OpenID Connect Provider optimized for low-latency, high throughput, and low resource consumption.
• SAML vs. OAuth (2021) - Engineer’s Guide to Enterprise-grade Single Sign-on.
• node-oauth2-server - Complete, compliant and well tested module for implementing an OAuth2 server in Node.js.
• OAuth is Not User Authorization (2020)
• OAuth2: A Theatrical Introduction (2020)
• OAuth 3 - In-progress effort to redesign OAuth from the ground up. (HN)
• OAuth 2.0 Simplified - Guide to building OAuth 2.0 servers.
• Do You Know Your OAuth Flows? (2021)
• Hidden OAuth attack vectors (2021)
• oidc-provider - OpenID Certified OAuth 2.0 Authorization Server implementation for Node.
• OAuth 2.0 Authentication Vulnerabilities (HN)
• The Modern Guide to OAuth (2021)

Resources

• Basic HTTP Auth via Cloudflare Workers - Can be used to protect static HTML pages.
• Single Sign-On Solutions (2021)
• AuthCompanion - Effortless, open source, token-based user management server - well suited for microservices and static website projects.
• Behind GitHub’s new authentication token formats
  • contrary to currently popular JWT they use custom tokens
  • tokens are prefixed to make them easily distinguishable
  • added checksum to the tokens to make them easily recognizable
• Firebase Auth
• Ask HN: How do you currently solve authentication? (2020)
• JWT is Awesome: Here’s Why (2020) (HN)
• Learn Authentication The Hard Way (2020)
• Ask HN: What are problems with implementing authentication and authorization? (2020)
• Verifiable Credentials Data Model - Expressing verifiable information on the Web. (Code)
• Authelia - Single Sign-On Multi-Factor portal for web apps.
• DID - Identity Provider, that authenticates users by verifying access to either an email address or securely stored private key.
• WebAuthn Awesome - Curated list of awesome WebAuthn/FIDO2 resources.
• Just-for-me Authentication (2020)
• Feather - Lightweight identity platform for adding flexible user authentication and authorization flows to your apps.
• Password authentication for web and mobile apps
• Authentication on the Client Side the Right Way: Cookies vs. Local Storage (2019) (Reddit)
• JSON Web Token (JWT) RFC (Lobsters)
• Zero-knowledge Auth
• AppAuth - iOS and macOS SDK for communicating with OAuth 2.0 and OpenID Connect providers.
• Simple Auth Setup for Your React App (2020)
• Magic Link - Drop passwords. Use magic links.
• User authentication with passwords, What’s SRP? (2020)
• JustAuthenticateMe - Passwordless email-based authentication for your web app.
• loginsrv - Standalone minimalistic login server providing a JWT login for multiple login backends.
• Designing an Authentication System: a Dialogue in Four Scenes (1988) (HN)
• Okta Identity Cloud - Gives you one trusted platform to secure every identity in your organization, including your workforce and customers. (Okta Developer Platform)
• Building a Secure Signed JWT (2020)
• Keycloak - Open Source Identity and Access Management. (Go package)
• TokenCLI - Command line utility for interacting with OAuth2 infrastructure to generate tokens.
• Decentralized Identifiers (DIDs) - New type of identifier that enables verifiable, decentralized digital identity.
• jwt - Go implementation of JSON Web Tokens (JWT) that helps you avoid common security mistakes.
• HN: Pioneers of web cryptography on the future of authentication (2020)
• openidconnect-rs - OpenID Connect Library for Rust.
• JavaScript Authentication & Authorization Book/Course
• ASGI middleware that authenticates users against GitHub
• JSON Web Token Docs Introduction
• Auth Boss - Learn about different authentication methodologies on the web.
• JWT auth visualized
• Simple Auth with Magic.link and Next.js (2020)
• jwt.ms - Decode auth tokens.
• Platform authenticators for Web Authentication in Safari 14 (2020)
• Why we won’t be supporting Sign in with Apple (2020) (HN)
• AuthGuardian by OneGraph - Secure your GraphQL API.
• Pass - Identity app for fintech applications.
• Note on Auth
• How does Single Sign-On work?
• The Future of Online Identity is Decentralized (2020) (Lobsters) (HN)
• Best practices for password hashing and storage
• Xkit - Build OAuth integrations in minutes. (HN)
• Galileo’s Proposed Authentication Algorithm (2020)
• Let’s build the GitHub authorization model (2020)
• oso - Open source policy engine for authorization that’s embedded in your application. (Code) (GitHub)
• I Actively Discourage Online Tooling Like Jwt.io and Online JSON Validators (2020) (Lobsters) (HN)
• The different kinds of authentication protocols
• What’s in a JWT (Json Web Token)? (2020)
• Gazepass - Passwordless Authentication API.
• dex - Federated OpenID Connect provider.
• Aperture - HTTP 402 Lightning Service Authentication Token Reverse Proxy.
• Kerbrute - Quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.
• Authenticator - Generates 2-Step Verification codes in your browser.
• WebAuthn.io - Demo of the WebAuthn specification. (Code)
• [Face ID and Touch ID for the Web (2020)]https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/() (HN)
• Portier - Email-based, passwordless authentication service. (Code)
• useAuth - Simplest way to add authentication to your React app.
• Consent Management: What You Need to Understand (2020)
• JWT authorization in a microservices gateway (2020)
• ORY Kratos - Cloud native Identity and User Management System. No longer necessary to implement a User Login process.
• SSSD - Daemon to manage identity, authentication and authorization for centrally-managed systems. (Docs)
• otplib - Time-based (TOTP) and HMAC-based (HOTP) One-Time Password library. (Web)
• SuperTokens - Open core alternative to proprietary login providers like Auth0 or AWS Cognito. (Web)
• FastAuth - Simple authentication server that can also be used for local development with reasonable defaults to kickstart the local development.
• Web Authentication Methods Compared
• About authentication methods (2020) (HN)
• Steam’s login method is kinda interesting (2021) (Lobsters) (HN)
• passport-magic-login - Passwordless authentication with magic links for Passport.js.
• Learn JWT by reverse engineering
• Userbase - Auth and E2E encrypted storage in a few lines of code. (HN) (HN 2) (Code)
• Authentication and Authorisation 101 (2021)
• A Primer on JSON Web Tokens (2021)
• github/webauthn-json - Small WebAuthn API wrapper that translates to/from pure JSON using base64url.
• Clerk - All of user management as-a-service, not just authentication. (HN) (Tweet)
• Persona - Identity infrastructure for any business.
• JWT in Go
• Twingate – Building the foundation for identity-first network security (2021) (HN)
• GoTrue - Small open-source API written in Go, that can act as a self-standing API service for handling user registration and authentication for JAM projects.
• FusionAuth - Authentication and Authorization built for devs.
• Vercel Basic Auth - How to add Basic Authentication to a Vercel deployment using various languages / frameworks.
• Authorization Academy
• Awesome IAM
• Are Magic Resources Outdated?
• The many problems with implementing Single Sign-On
• Enhance SMS-delivered code security with domain-bound codes
• Web Authentication: An API for accessing Public Key Credentials
• How Passwordless Works
• The Developer’s Guide to SSO - on SSO, SAML, and more
• Catch twenty two-factor - some tips on managing MFA
• Passwords are dead, long live PassKeys? How to log in, in 2023
• Identity-Native Infrastructure Access Management
  • How to authorize users using certificates.
• Towards a test-suite for TOTP codes

RFCs

• RFC 6238 - TOTP: Time-Based One-Time Password Algorithm

IAM

Resources

• Why Google Zanzibar Shines at Building Authorization
• Ory Keto - Open source implementation of “Zanzibar: Google’s Consistent, Global Authorization System”.
• Zanzibar: Google’s Consistent, Global Authorization System (2019) (Web)
• Google Zanzibar for the rest of us

Implementations

• Warrant - support of roles & permissions out of the box (they provide leaner API on top of the underlying ReBAC system), fairly new
• OpenFGA - backed by Auth0, custom DSL
• Ory Keto - exists for the longest, offered as enterprise product by Ory, typescript based configuration language that is easy to read/write/reason about
• Permify
• Aserto

Products and solutions

• AuthKit - login solution in a box