Identity Auth
57 items tagged with "identity-auth"
Best Practices3
Secrets Management Best Practices
Practices for storing, rotating, and accessing credentials and keys securely, keeping them out of source code and limiting their exposure.
Principle of Least Privilege
A security principle that grants every user, service, and process only the minimum access required to perform its function, and no more.
OAuth 2.0 and OpenID Connect
OAuth 2.0 delegates authorization via access tokens; OpenID Connect adds an identity layer for authentication. Together they secure API access and single sign-on.
Patterns5
Valet Key
Issue a client a token granting scoped, time-limited direct access to a resource, offloading data transfer from the application.
Gatekeeper
Protect services by brokering all client requests through a dedicated host that validates and sanitizes them before forwarding.
Federated Identity
Delegate authentication to an external identity provider so applications trust tokens rather than managing credentials themselves.
Principle of Least Privilege
Grants every user, process, and service only the minimum permissions needed for its task, limiting the blast radius of compromise or error.
Secrets Rotation
Regularly replacing credentials, keys, and tokens, ideally automatically, to limit the time window in which a leaked or compromised secret is useful.
Anti-Patterns4
Plaintext Password Storage
Storing user passwords as readable text or with reversible/fast encoding, so a single database breach exposes every credential.
Shared Admin Accounts
Multiple people using one privileged login (root, admin, a shared service account), destroying accountability and making credential rotation and offboarding impossible.
No MFA on Privileged Access
Protecting administrator, root, and high-value accounts with a single password, so one phishing or credential leak yields full takeover.
JWT none Algorithm Acceptance
Accepting JSON Web Tokens with alg:none or trusting the token's own algorithm header, letting attackers forge tokens with no valid signature.
Tutorials5
How to write least-privilege IAM roles on AWS
Create tightly scoped AWS IAM roles and policies that grant only the permissions a workload actually needs.
How to manage secrets with Azure Key Vault
Store secrets, keys, and certificates in Azure Key Vault and access them from apps using managed identity.
How to Implement OAuth2 and OIDC Login
Add Authorization Code flow with PKCE to a web app using an OIDC provider, then validate the ID token and create a session.
How to Secure an API with JWT Authentication
Issue signed JWT access tokens, validate them on every request, and refresh them safely without leaking long-lived credentials.
How to Implement Role-Based Access Control
Model roles and permissions, enforce them with middleware, and centralize authorization checks so access rules stay consistent.
Blueprints3
Perimeter Security to Zero Trust Blueprint
Move from VPN and network-perimeter trust to a zero-trust architecture with identity-aware access, microsegmentation, and continuous verification.
Password Auth to OIDC SSO Blueprint
Replace per-app password authentication with centralized OpenID Connect single sign-on, MFA, and a single identity provider.
Standing SSH Access to Just-in-Time Access Blueprint
Replace standing SSH keys and shared bastion logins with short-lived, identity-based just-in-time access, certificates, and full session audit.
Reference Architectures4
Zero-Trust Network Architecture on AWS
Identity-aware, least-privilege access design that authenticates and authorizes every request regardless of network location.
SSO and Identity Federation with OIDC and SAML
Centralized single sign-on using Entra ID as identity provider, federating apps over OpenID Connect and SAML.
Customer Identity and Access Management Platform
Scalable CIAM design on AWS for user sign-up, social login, and token-based authorization for consumer applications.
Privileged Access Management on AWS
Just-in-time, audited access to production with short-lived elevated credentials and session recording.
Playbooks3
Zero-Trust Architecture Rollout Playbook
A phased program to adopt zero-trust security: verify every request, enforce least privilege, and remove implicit network trust.
Secrets Management Program Playbook
A program to eliminate hardcoded secrets and adopt centralized, rotated, least-privilege secret storage with dynamic and short-lived credentials.
SSO and Identity Migration Playbook
A program to consolidate authentication onto a single identity provider with SSO, SCIM provisioning, and OIDC across applications.
Checklists5
Secrets Management Audit Checklist
Audit how an organization stores, distributes, rotates, and revokes secrets such as keys, tokens, and credentials.
Zero-Trust Readiness Checklist
Assess readiness to adopt a zero-trust architecture where no user, device, or network is implicitly trusted.
SSO Migration Checklist
Plan and execute a migration to centralized single sign-on with minimal disruption to users and applications.
Cloud Landing Zone Security Checklist
Verify a multi-account cloud landing zone enforces identity, network, guardrails, and logging before workloads are onboarded.
API Security (OAuth/OIDC) Review Checklist
Security review items for an API protected by OAuth 2.0 and OpenID Connect, covering tokens, flows, scopes, and validation.
Comparisons2
OAuth 2.0 vs SAML
OAuth 2.0 is a token-based authorization framework for APIs and apps; SAML is an XML-based standard for enterprise single sign-on and federation.
JWT vs Server Sessions
JWTs are self-contained, stateless tokens; server sessions store state server-side with an opaque ID. Both manage authenticated user state.
FAQs10
What is the difference between OAuth 2.0 and OpenID Connect?
OAuth 2.0 is an authorization framework: it lets an application obtain delegated access to resources on a user's behalf without sharing the user's cre...
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format that carries claims as a base64url-encoded header, payload, and signature separated by dots...
Sessions vs tokens: what is the difference for authentication?
Session-based authentication stores state on the server and gives the client an opaque session ID, usually in a cookie; the server looks up the sessio...
What is the difference between an access token and a refresh token?
An access token is a short-lived credential a client sends with each request to prove it is authorized to call an API, typically expiring in minutes. ...
What is an API key and how is it different from a token?
An API key is a static secret string that identifies and authenticates a calling application or project, usually passed in a header and tied to a set ...
What is zero trust security?
Zero trust is a security model that assumes no user, device, or network is inherently trustworthy, even inside the corporate perimeter. Every access r...
What is the principle of least privilege?
The principle of least privilege (PoLP) states that every user, process, or system should have only the minimum permissions required to perform its ta...
What is multi-factor authentication (MFA)?
Multi-factor authentication requires a user to present two or more independent proofs of identity from different categories: something you know (a pas...
What is the difference between OAuth 2.0 and OpenID Connect?
OAuth 2.0 is an authorization framework that lets an application obtain delegated, scoped access to a user's resources without sharing their password,...
What is the difference between RBAC and ABAC?
RBAC (role-based access control) grants permissions based on a user's assigned role, such as admin or editor, which is simple to manage and audit but ...
Glossaries12
Secret (Kubernetes)
A Kubernetes Secret is an object for storing and distributing small amounts of sensitive data, such as passwords, tokens, and keys, to pods with tighter handling than ordinary configuration.
Zero Trust
Zero trust is a security model that assumes no user, device, or network is inherently trustworthy and requires continuous verification of every access request, regardless of its origin.
Principle of Least Privilege
The principle of least privilege is a security practice that grants each user, process, or system only the minimum access rights needed to perform its task, and no more.
Asymmetric Encryption
Asymmetric encryption is a cryptographic method that uses a mathematically linked pair of keys, a public key and a private key, where data encrypted with one key can only be decrypted with the other.
Public Key Infrastructure (PKI)
Public key infrastructure is the system of certificate authorities, digital certificates, and policies used to issue, manage, and validate public keys, binding them to verified identities.
OAuth 2.0
OAuth 2.0 is an authorization framework that lets an application obtain limited access to a user's resources on another service without exposing the user's credentials, by using access tokens.
OpenID Connect (OIDC)
OpenID Connect is an authentication layer built on top of OAuth 2.0 that lets applications verify a user's identity and obtain basic profile information using an ID token.
JSON Web Token (JWT)
A JSON Web Token is a compact, URL-safe, digitally signed token that encodes claims as JSON, commonly used to transmit identity and authorization data between parties.
Multi-Factor Authentication (MFA)
Multi-factor authentication is a security method that requires two or more independent forms of verification, drawn from different categories, before granting access.
Single Sign-On (SSO)
Single sign-on is an authentication scheme that lets a user log in once and gain access to multiple independent applications without re-entering credentials for each.
Role-Based Access Control (RBAC)
Role-based access control is an access model that assigns permissions to roles rather than individuals, and grants users access by assigning them roles.
Attribute-Based Access Control (ABAC)
Attribute-based access control is an access model that grants or denies access by evaluating policies against attributes of the user, resource, action, and environment.