The Internet was born believing that everyone who used it would do so in good faith and without malicious intent. That assumption has long since been proven false, so we now build systems that require authentication (a user proving who they are) and authorization (determining which actions that user is permitted to perform).

But "auth", the shorthand that covers both authentication and authorization, is a complex subject that overwhelms and intimidates developers. The space is rife with pitfalls and failure, because most developers are never taught how to build secure systems and have to stumble along blindly as a result. And the technology has proliferated: Kerberos, OAuth, OpenID, SSO, JWTs, PKCE, and more. It is an alphabet soup so jumbled that it is easy to assume the subject is one of deep secrets and dark arts. Fundamentally, however, the concepts of authentication and authorization are pretty simple; the complexity comes from countermeasures to the attacks malicious folks use to "slide into" places where they don't belong and do what they aren't supposed to do.

In this presentation, we'll start from the basic principles of identity, walk through each need as it arose and the solution that answered it, and arrive at a good understanding of how modern auth systems work.


Slides: HTML | PPTX


Published on 02 June 2023