Part 4: Modern Authentication and Identity
In Part 3, you learned how to establish trust between systems using certificates and TLS. That gave you the foundation for secure communication. But trust at the system level isn’t enough. Applications also need to know who the user is and what they’re allowed to do. This is where authentication and identity protocols come into play.
Part 4 is all about people and services proving who they are. We’ll explore the standards and technologies that power modern authentication — from JSON-based formats like JWS, JWE, and JWT (chapter 11), to OAuth2 and OpenID Connect, which enable Single Sign-On (chapter 12) and advanced identity management (chapter 13). You’ll then see how passwordless login options like magic links and one-time passwords (chapter 14) work, before moving on to WebAuthn (chapter 15), which brings hardware tokens, biometrics, and phishing-resistant authentication into the mainstream.
Throughout this part, you’ll see how Acme Inc. applies these protocols in real scenarios: securing APIs with tokens, simplifying user logins with an identity provider, and protecting accounts with stronger authentication methods. You’ll also learn about the trade-offs — why some flows are safe in theory but risky in practice, and how to implement best practices to avoid common pitfalls.