Learn IAM & security protocols by stepping through them
Each protocol is an interactive walkthrough: click through every message in the flow, inspect the real inputs and outputs, and decode the tokens and payloads exchanged at each step.
Authentication
OpenID Connect (OIDC)
Token-based
A thin identity layer on top of OAuth 2.0. Adds an ID token (a signed JWT) so the client learns *who* the user is, not just *what* it may access. The basis of modern 'Sign in with…' buttons.
SAML 2.0
Federation / SSO
Security Assertion Markup Language: an XML-based standard for browser single sign-on across security domains. A Service Provider delegates authentication to an Identity Provider, which returns a signed SAML assertion vouching for the user — the user's password never reaches the Service Provider.
Kerberos v5
Network
A symmetric-key single sign-on protocol for networks. A trusted Key Distribution Center (KDC) issues time-limited, encrypted tickets so clients can prove their identity to services without ever resending the password over the wire.
WebAuthn / FIDO2
Passwordless
The W3C Web Authentication API and its FIDO2 underpinnings. An authenticator creates an origin-bound public-key credential (a passkey) during a registration ceremony, then proves possession of the private key during an authentication ceremony — giving phishing-resistant login with no shared secret on the server to steal.
SCIM 2.0
Provisioning
System for Cross-domain Identity Management: a REST+JSON standard for provisioning users and groups across domains. An identity source (the SCIM client — an IdP or HR system) pushes the joiner-mover-leaver lifecycle into an application (the SCIM service provider) through a fixed resource model exposed at /Users and /Groups, so accounts are created, updated, and deactivated automatically instead of by hand.