Authentication MOC
Map of Content for authentication, identity, and federated login. The notes below are atomic — each covers one concept. Follow the wikilinks.
Foundations
- OAuth 2.0 — the authorization framework everything else builds on
- OpenID Connect — identity layer on top of OAuth 2.0
- ID Token — the JWT that proves who the user is
Flows
- Authorization Code Flow — the canonical OAuth flow used in social login
- PKCE — code-interception defense, mandatory in OAuth 2.1
Provider Implementations
- Sign in with Google — close-to-spec OIDC implementation
- Sign in with Apple — many deviations; gotchas worth knowing
Cross-cutting
- Social Login Security — CSRF, replay, token validation, common mistakes
Open Threads
- OAuth 2.1 consolidation — what changes
- Refresh token rotation strategies
- Native app flows (custom URL schemes, ASWebAuthenticationSession)
- SAML vs OIDC trade-offs
- Device authorization grant (RFC 8628)