# Auth
- https://github.com/ory/keto - the first and most popular open source implementation of “Zanzibar: Google’s Consistent, Global Authorization System”
- Stop overloading JWTs with permission claims
- https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
- SuperTokens - #OpenSource User Authentication
## Auth0

### Multi-tenancy

#### Organizations
- Understand How Auth0 Organizations Work
- Create Your First Organization
- Use Organization Names in Authentication API
### Refresh Tokens

- `allow_offline_access`
  - If enabled, Auth0 will allow applications (SPAs) to ask for Refresh Tokens for this API (Servers).
  - “You must enable offline access and request the offline access scope in the client SDK.” from https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation
- `useRefreshTokensFallback`
## JWT

### Registered Claims

Claim | Stands for | Type | Description |
---|---|---|---|
`iss` | Issuer | case-sensitive string | who created and signed this token |
`sub` | Subject | case-sensitive string | whom the token refers to |
`aud` | Audience | array of case-sensitive strings | who or what the token is intended for |
`exp` | Expiration Time | number containing a NumericDate | time after which the token must not be accepted |
`nbf` | Not Before | number containing a NumericDate | time before which the token must not be accepted |
`iat` | Issued At | number containing a NumericDate | time at which the token was issued |
`jti` | JWT ID | case-sensitive string | unique identifier for the token, used to detect replay |
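As an added example (not part of these notes), the checks a resource server applies to the registered claims above once the signature has already been verified; the policy values and the payloads are constructed. It also accepts a bare string for `aud`, which RFC 7519 permits for a single audience alongside the array form.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Added example: validate the registered claims of an already-decoded JWT payload.
# Signature verification is assumed to have been done first by the JWT library.

@dataclass
class ClaimPolicy:
    issuer: str                    # expected "iss", compared case-sensitively
    audience: str                  # this service's identifier, must appear in "aud"
    leeway: int = 30               # tolerated clock skew in seconds
    max_age: Optional[int] = None  # reject tokens whose "iat" is older than this

def _numeric_date(payload: dict, name: str):
    # NumericDate is seconds since the epoch; bool is excluded because bool subclasses int
    v = payload.get(name)
    return v if isinstance(v, (int, float)) and not isinstance(v, bool) else None

def validate_registered_claims(payload: dict, policy: ClaimPolicy, now: Optional[int] = None) -> list:
    """Return the list of violated checks; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    # iss: exact, case-sensitive match against the trusted issuer
    if payload.get("iss") != policy.issuer:
        problems.append("iss missing or not the expected issuer")
    # sub: the stable identifier for the principal (see the False Identifier anti-pattern)
    if not isinstance(payload.get("sub"), str) or not payload["sub"]:
        problems.append("sub missing or not a string")
    # aud: RFC 7519 allows an array of strings or, for a single audience, a bare string
    aud = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or policy.audience not in audiences:
        problems.append("aud missing or does not include this service")
    exp, nbf, iat = (_numeric_date(payload, n) for n in ("exp", "nbf", "iat"))
    if exp is None:
        problems.append("exp missing or not a NumericDate")
    elif now >= exp + policy.leeway:
        problems.append("token expired")
    if nbf is not None and now < nbf - policy.leeway:
        problems.append("token not yet valid (nbf)")
    if iat is not None and iat > now + policy.leeway:
        problems.append("iat is in the future")
    elif iat is not None and policy.max_age is not None and now - iat > policy.max_age:
        problems.append("token older than max_age")
    # jti: optional, but when present it must be a string so it can be tracked for replay
    if "jti" in payload and not isinstance(payload["jti"], str):
        problems.append("jti present but not a string")
    return problems
```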
## OAuth2
- IETF - OAuth 2.0 Security Best Current Practice
- IETF - OAuth 2.0 for Browser-Based Apps
- IETF - RFC 6749 - The OAuth 2.0 Authorization Framework
- The False Identifier Anti-pattern - use of claims other than the subject (`sub`) to uniquely identify a user - https://oauth.net/2/
- https://swagger.io/docs/specification/authentication/oauth2/
## OpenID Connect

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0.
- https://openid.net/developers/how-connect-works/
- https://swagger.io/docs/specification/authentication/openid-connect-discovery/