Specifications

The IAM world is built on standards. This category covers the key protocols and specs you’ll run into in enterprise identity: OAuth and OIDC for modern auth, SAML for legacy SSO, SCIM for provisioning, WebAuthn for phishing-resistant auth, and emerging protocols like MCP for AI integrations.

OAuth 2.0: Roles, Flows, and Tokens
Learn the OAuth actors (client, resource owner, authorization server), the main grants, and how access tokens are actually used.

OAuth 2.1 + Best Practices (PKCE, Rotation, and Threat Model)
What OAuth 2.1 changes (and why), plus practical hardening: PKCE, refresh token rotation, and safe redirect URIs.

OpenID Connect (OIDC): Identity Layer on OAuth
How OIDC adds authentication and user identity to OAuth: ID tokens, discovery, scopes, and claims.

SAML 2.0: Assertions, Trust, and Enterprise SSO
A practical SAML mental model: IdP/SP roles, assertions, signatures, and why SAML is still everywhere.

SCIM 2.0: Provisioning, Deprovisioning, and Group Sync
How SCIM models users and groups, what operations matter in production, and why idempotency is critical.

WebAuthn, FIDO2, and Passkeys
Phishing-resistant authentication explained: public key credentials, ceremonies, attestation, and deployment realities.

JWT + JOSE (JWS/JWE/JWK): The Token Toolbox
What JWTs are (and aren’t), when to sign vs encrypt, key rotation with JWKs, and common validation mistakes.

FAPI (Financial-grade API): High-Security OAuth Profiles
OAuth profiles for high assurance: strict redirect rules, signed requests, mutual TLS, and why it matters outside banking.

DPoP and Sender-Constrained Tokens
Reduce token replay by binding tokens to a client key (DPoP) or TLS channel, and understand the tradeoffs.

Model Context Protocol (MCP): Identity for AI Tooling
A practical intro to MCP, how it connects tools to models, and the identity/authorization questions you must answer.

OAuth Token Exchange & On-Behalf-Of (OBO) Flows
How services call other services safely using delegated tokens (OBO) and token exchange.

Single Logout (SLO): Front-Channel vs Back-Channel
How single logout works, why it’s hard in practice, and how front-channel and back-channel approaches differ.

OAuth Token Security: Revocation, Rotation, and Incident Response
Best practices for securing access/refresh tokens and responding when tokens are stolen.