IAM

Identity and Access Management (IAM) is the practice and tooling for defining who can do what on which resources within an organization or platform. It covers user and machine identities, group and role memberships, permission policies, and the audit trail of every authorization decision.

Core concepts

  • Identity (principal): a user, group, service account, or workload that can be…

Authorization Server

An authorization server is the OAuth 2.0 component that authenticates the resource owner, obtains their consent, and issues access tokens (and optionally refresh tokens and ID tokens) to clients. It is the central identity authority in any OAuth or OIDC system.

Core endpoints

  • /authorize: where the user-agent is sent for login and consent
  • /token: exchanges authorization codes (or refresh…

Bearer Token

A bearer token is a credential that grants the holder access to a resource simply by presenting the token, with no additional proof of identity. The defining property is that whoever holds the token may use it; there is no cryptographic binding between the token and the requester.

How it is used

The standard way to present a bearer token is the HTTP Authorization header: Authorization: Bearer .…

JWE

JSON Web Encryption (JWE) is the encryption counterpart to JWS. Where JWS proves integrity and authenticity but leaves the payload readable, JWE encrypts the payload so only the intended recipient can decrypt it. JWE is used when token contents must remain confidential in transit or at rest.

How it works

A compact JWE token has five Base64URL-encoded sections separated by dots:…

JWS

JSON Web Signature (JWS) is the cryptographic signing mechanism behind JWT. It defines how to produce and verify a signature over a JSON payload, using either symmetric (HMAC) or asymmetric (RSA, EC, EdDSA) keys.

How it works

A compact JWS has three Base64URL-encoded sections joined by dots: protected_header.payload.signature. The protected header declares the algorithm (alg) and optionally a…

Refresh Token

A refresh token is a long-lived credential issued alongside a short-lived access token, used to obtain new access tokens without prompting the user to authenticate again. Refresh tokens trade convenience for risk: longer life means a wider compromise window, so they are stored more carefully and handled more strictly than access tokens.

How it works

When the user authorizes a client, the…

Session

A session is the server-side state that represents an authenticated user across multiple requests. After a user signs in, the server creates a session record (storing the user ID, expiry, and any auxiliary state) and gives the client a session identifier, typically as an HTTP cookie. Each subsequent request includes the cookie, the server looks up the session, and the request is treated as…

SAML

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It is the dominant federation protocol in enterprise SSO, where employees authenticate once at a corporate IdP and access many third-party applications.

How it works

When a user attempts to access an SP, the SP…

PKCE

PKCE (Proof Key for Code Exchange), pronounced "pixy", is an extension to the OAuth 2.0 Authorization Code flow that protects against authorization code interception attacks. It was originally designed for native mobile apps but is now the recommended default for all clients, including server-side and single-page applications.

How it works

The client generates a high-entropy random string…
