Consent screens are an attack surface: a user who approves a malicious app's OAuth consent prompt hands that app delegated access that MFA does not block and a password reset does not revoke. This topic covers how attackers abuse OAuth grants and how to harden scopes, publisher verification, and monitoring.
Why this matters
IAM has shifted from static controls (users and groups) to dynamic, signal-driven decisions made at request time. This topic belongs to that modern model because it focuses on:
- short-lived credentials and continuous verification
- delegated authorization (least privilege across services)
- non-human identities (workloads + automation)
- real-world attack paths and operational controls
Key concepts
- Actors: who is making the request (human, workload, agent).
- Credentials: what proves identity (passkeys, certs, tokens).
- Policy: what is allowed (roles, attributes, relationships).
- Signals: what can change the decision (risk, device posture, location).
- Enforcement: where access is actually enforced (gateway, app, API, data layer).
In practice
- Start with a simple “happy path” flow.
- Add the failure modes (expired token, revoked session, missing entitlement).
- Add observability: correlation IDs, audit events, and alerting.
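The three steps above, as one worked example added here (this is illustrative code, not code from the page): an authorization function that handles the happy path first, then each listed failure mode (expired token, revoked session, missing entitlement), and records an audit event carrying a correlation ID for every decision. The scope names, routes, the scope allow-list and the in-memory revocation set are assumptions chosen for the example.

```python
"""Authorization decision with explicit failure modes and audit events.

Added illustration, not code from the page. The routes, scope names,
approved-scope list and revocation store below are assumptions.
"""
from dataclasses import dataclass
import uuid

# Assumed app-side policy: the only scopes this app is approved to request.
# A tight allow-list bounds what a phished consent can hand an attacker.
APPROVED_SCOPES = frozenset({"mail.read", "files.read"})

# Assumed route-to-scope map: the entitlement each API route requires.
ROUTE_SCOPE = {"/mail": "mail.read", "/files": "files.read", "/admin": "directory.write"}

AUDIT_LOG = []  # audit sink; in production these events are shipped to a SIEM


@dataclass(frozen=True)
class Token:
    subject: str        # actor: human, workload or agent
    session_id: str     # lets the session be revoked before the token expires
    scopes: frozenset   # scopes granted at consent time
    expires_at: int     # epoch seconds


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    correlation_id: str


def _record(cid, token, route, allowed, reason):
    """Emit one audit event per decision. The correlation ID ties together the
    gateway, app and token-service log lines for the same request."""
    AUDIT_LOG.append({"correlation_id": cid, "subject": token.subject,
                      "route": route, "allowed": allowed, "reason": reason})
    return Decision(allowed, reason, cid)


def authorize(token, route, now, revoked_sessions, correlation_id=None):
    """Return a Decision for `token` requesting `route` at epoch time `now`."""
    cid = correlation_id or str(uuid.uuid4())
    if token.expires_at <= now:
        return _record(cid, token, route, False, "expired_token")
    # A valid, unexpired token is not enough: continuous verification means
    # checking that the session behind it has not been revoked since issuance.
    if token.session_id in revoked_sessions:
        return _record(cid, token, route, False, "revoked_session")
    required = ROUTE_SCOPE.get(route)
    if required is None:
        return _record(cid, token, route, False, "unknown_route")
    if required not in token.scopes:
        return _record(cid, token, route, False, "missing_entitlement")
    # Enforce the allow-list at the enforcement point too, so a token that
    # carries a scope the app was never approved for is still refused.
    if required not in APPROVED_SCOPES:
        return _record(cid, token, route, False, "scope_not_approved")
    return _record(cid, token, route, True, "ok")


def denials_for(subject, threshold):
    """Alerting hook (hypothetical rule): True once `subject` has accumulated
    at least `threshold` denied requests in the audit log."""
    count = sum(1 for e in AUDIT_LOG if e["subject"] == subject and not e["allowed"])
    return count >= threshold


def run_demo():
    """Exercise the happy path and each failure mode; returns {case: reason}.
    All tokens and the revocation set are constructed sample data."""
    AUDIT_LOG.clear()
    now = 1_700_000_000
    revoked = {"sess-revoked"}
    good = Token("alice", "sess-1", frozenset({"mail.read"}), now + 300)
    cases = {
        "happy": (good, "/mail"),
        "expired": (Token("alice", "sess-1", frozenset({"mail.read"}), now - 1), "/mail"),
        "revoked": (Token("alice", "sess-revoked", frozenset({"mail.read"}), now + 300), "/mail"),
        "no_entitlement": (good, "/files"),
        "overbroad": (Token("svc-bot", "sess-2", frozenset({"directory.write"}), now + 300), "/admin"),
    }
    results = {name: authorize(tok, route, now, revoked).reason
               for name, (tok, route) in cases.items()}
    results["alert_alice"] = denials_for("alice", 3)
    return results


if __name__ == "__main__":
    for case, reason in run_demo().items():
        print(f"{case}: {reason}")
```

The order of checks matters: expiry and revocation are evaluated before entitlement so that a stale or revoked token never reaches the policy lookup, and every branch, allow or deny, writes the same audit shape so that alerting rules such as `denials_for` can run over one stream.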
Common pitfalls
- Treating authentication as the whole problem (authorization and session control are usually the hard parts).
- Long-lived tokens/keys for automation.
- No ownership/approval path for high-risk access.
- No story for incident response (how do you remove access fast?).
Where to go next
- Specifications: /category/specifications
- Identity for AI: /category/identity-for-ai
- Identity Security: /category/identity-security
- PAM: /category/pam
