{"id":965,"date":"2025-09-16T07:27:02","date_gmt":"2025-09-16T07:27:02","guid":{"rendered":"https:\/\/www.rajeshkumar.xyz\/blog\/?p=965"},"modified":"2025-09-16T07:30:48","modified_gmt":"2025-09-16T07:30:48","slug":"identity-oauth2-oidc-and-beyond-a-developers-handbook","status":"publish","type":"post","link":"https:\/\/www.rajeshkumar.xyz\/blog\/identity-oauth2-oidc-and-beyond-a-developers-handbook\/","title":{"rendered":"Identity, OAuth2, OIDC, and Beyond: A Developer\u2019s Handbook"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n\n\n\n

Tutorial: The Complete Guide to Modern Identity and Access Management<\/h1>\n\n\n\n

1. Identity \u2014 the \u201cWho\u201d<\/strong><\/h2>\n\n\n\n

Identity is the digital representation of a person, service, or device.<\/p>\n\n\n\n

    \n
  • Example<\/strong>: \u201cRajesh with email rajesh@example.com<\/code> and employee ID 1234<\/code>.\u201d<\/li>\n\n\n\n
  • Why it matters<\/strong>: Every other IAM concept builds on knowing who<\/em> is accessing resources.<\/li>\n<\/ul>\n\n\n\n
    \n\n\n\n

    2. Authentication \u2014 Prove the Who<\/strong><\/h2>\n\n\n\n

    Authentication verifies identity.<\/p>\n\n\n\n

      \n
    • Methods<\/strong>: Passwords, OTP, biometrics, WebAuthn\/Passkeys.<\/li>\n\n\n\n
    • Example<\/strong>: Logging into Gmail using a password + OTP.<\/li>\n\n\n\n
    • Best Practice<\/strong>: Use MFA<\/strong> (multi-factor authentication) for higher security.<\/li>\n<\/ul>\n\n\n\n
      \n\n\n\n
      \"\"<\/figure>\n\n\n\n

      3. Authorization \u2014 What They Can Do<\/strong><\/h2>\n\n\n\n

      Authorization determines permissions after login<\/strong>.<\/p>\n\n\n\n

        \n
      • Models<\/strong>:\n
          \n
        • RBAC<\/strong> (Role-based): Admin, User, Guest.<\/li>\n\n\n\n
        • ABAC<\/strong> (Attribute-based): Department = HR, Location = Tokyo.<\/li>\n\n\n\n
        • PBAC<\/strong> (Policy-based): If role=Manager<\/code> and location=HQ<\/code>, then allow.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
        • Example<\/strong>: A doctor can view patient records; a receptionist can only schedule appointments.<\/li>\n<\/ul>\n\n\n\n
          \n\n\n\n

          4. OAuth 2.0 \u2014 Delegated Authorization Framework<\/strong><\/h2>\n\n\n\n

          OAuth2 lets apps access resources on a user\u2019s behalf.<\/p>\n\n\n\n

            \n
          • Tokens<\/strong>: Access Token, Refresh Token.<\/li>\n\n\n\n
          • Example<\/strong>: Canva asks permission to access your Google Drive photos. You approve \u2192 Canva gets an access token<\/strong>.<\/li>\n\n\n\n
          • Note<\/strong>: OAuth2 \u2260 Authentication. It\u2019s mainly about authorization<\/strong>.<\/li>\n<\/ul>\n\n\n\n
            \n\n\n\n

            5. OIDC (OpenID Connect) \u2014 Authentication on Top of OAuth2<\/strong><\/h2>\n\n\n\n

            OIDC extends OAuth2 to handle authentication + identity<\/strong>.<\/p>\n\n\n\n

              \n
            • Tokens<\/strong>:\n
                \n
              • ID Token<\/strong> \u2192 JWT containing user info.<\/li>\n\n\n\n
              • Access Token<\/strong> \u2192 permissions for APIs.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
              • Example<\/strong>: \u201cSign in with Google\u201d \u2192 OIDC gives the website Rajesh\u2019s identity (email, name).<\/li>\n<\/ul>\n\n\n\n
                \n\n\n\n

                6. Tokens \u2014 The Currency of Access<\/strong><\/h2>\n\n\n\n

                Tokens are proof of identity and permissions.<\/p>\n\n\n\n

                  \n
                • Types<\/strong>:\n
                    \n
                  • Access Token \u2192 access APIs.<\/li>\n\n\n\n
                  • Refresh Token \u2192 get new tokens.<\/li>\n\n\n\n
                  • ID Token \u2192 prove who the user is.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                  • Example<\/strong>: Access Token lets Slack read your calendar data after you log in via Google.<\/li>\n<\/ul>\n\n\n\n
                    \n\n\n\n

                    7. JWT (JSON Web Token)<\/strong><\/h2>\n\n\n\n

                    JWT is the format most tokens use.<\/p>\n\n\n\n

                      \n
                    • Structure<\/strong>: Header.Payload.Signature<\/code>.<\/li>\n\n\n\n
                    • Claims<\/strong> inside = user info, expiry, roles.<\/li>\n\n\n\n
                    • Example<\/strong>: { \"sub\": \"1234567890\", \"name\": \"Rajesh\", \"role\": \"Admin\", \"exp\": 1712345678 }<\/code><\/li>\n<\/ul>\n\n\n\n
                      \n\n\n\n

                      8. Claims \u2014 Identity Details in Tokens<\/strong><\/h2>\n\n\n\n

                      Claims are facts about the user\/system embedded in tokens.<\/p>\n\n\n\n

                        \n
                      • Example<\/strong>: sub=1234<\/code>, email=rajesh@example.com<\/code>, role=Admin<\/code>.<\/li>\n\n\n\n
                      • Use case<\/strong>: APIs read claims to enforce role-based authorization.<\/li>\n<\/ul>\n\n\n\n
                        \n\n\n\n

                        9. Identity Providers (IdP)<\/strong><\/h2>\n\n\n\n

                        IdPs authenticate users and issue tokens.<\/p>\n\n\n\n

                          \n
                        • Examples<\/strong>: Google, Azure AD, Okta, Auth0, Keycloak.<\/li>\n\n\n\n
                        • Role<\/strong>: Trusted source of authentication.<\/li>\n\n\n\n
                        • Example<\/strong>: You log in to Zoom with Google \u2014 Google is the IdP.<\/li>\n<\/ul>\n\n\n\n
                          \n\n\n\n

                          10. IdentityServer<\/strong><\/h2>\n\n\n\n

                          An IdP implementation for .NET<\/strong> apps.<\/p>\n\n\n\n

                            \n
                          • Example<\/strong>: A company builds its own login system using IdentityServer instead of outsourcing to Google or Okta.<\/li>\n<\/ul>\n\n\n\n
                            \n\n\n\n

                            11. SSO (Single Sign-On)<\/strong><\/h2>\n\n\n\n

                            Login once \u2192 access multiple apps.<\/p>\n\n\n\n

                              \n
                            • Example<\/strong>: Logging into Google once gives you access to Gmail, Drive, YouTube.<\/li>\n\n\n\n
                            • Enabled by<\/strong>: OIDC, tokens, centralized IdPs.<\/li>\n<\/ul>\n\n\n\n
                              \n\n\n\n

                              12. Federation \u2014 Trust Across Domains<\/strong><\/h2>\n\n\n\n

                              Federation lets one identity system trust another.<\/p>\n\n\n\n

                                \n
                              • Standards<\/strong>: OIDC (modern), SAML (legacy, XML-based).<\/li>\n\n\n\n
                              • Example<\/strong>: Spotify lets you log in with Facebook \u2192 Facebook acts as the trusted IdP.<\/li>\n<\/ul>\n\n\n\n
                                \n\n\n\n

                                13. SCIM (System for Cross-domain Identity Management)<\/strong><\/h2>\n\n\n\n

                                Handles user provisioning and de-provisioning<\/strong>.<\/p>\n\n\n\n

                                  \n
                                • Example<\/strong>: When a new employee joins, SCIM auto-creates accounts in Slack, GitHub, Google Workspace.<\/li>\n<\/ul>\n\n\n\n
                                  \n\n\n\n

                                  14. PKCE & Session Management \u2014 Extra Security Layers<\/strong><\/h2>\n\n\n\n
                                    \n
                                  • PKCE<\/strong>: Secures OAuth2 flows in mobile\/web apps.<\/li>\n\n\n\n
                                  • Session Management<\/strong>: Handles login state, re-authentication, and global logout.<\/li>\n\n\n\n
                                  • Example<\/strong>: Revoking your Google session logs you out of all Google apps.<\/li>\n<\/ul>\n\n\n\n
                                    \n\n\n\n

                                    15. Consent & Scopes \u2014 Granular Access Rights<\/strong><\/h2>\n\n\n\n

                                    Scopes define what an app can do.<\/p>\n\n\n\n

                                      \n
                                    • Example<\/strong>:\n
                                        \n
                                      • calendar.read<\/code> \u2192 read-only calendar.<\/li>\n\n\n\n
                                      • calendar.write<\/code> \u2192 modify calendar.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                                      • Consent screen<\/strong>: User approves scopes during OAuth2 login.<\/li>\n<\/ul>\n\n\n\n
                                        \n\n\n\n

                                        16. Introspection & Revocation<\/strong><\/h2>\n\n\n\n
                                          \n
                                        • Introspection endpoint<\/strong> \u2192 APIs check if a token is still valid.<\/li>\n\n\n\n
                                        • Revocation endpoint<\/strong> \u2192 Users or admins revoke access.<\/li>\n\n\n\n
                                        • Example<\/strong>: You revoke Canva\u2019s access to Google Drive \u2192 Canva\u2019s tokens are invalidated.<\/li>\n<\/ul>\n\n\n\n
                                          \n\n\n\n

                                          17. API Gateway \/ Policy Enforcement<\/strong><\/h2>\n\n\n\n

                                          API gateways enforce token validation, scopes, and claims<\/strong>.<\/p>\n\n\n\n

                                            \n
                                          • Examples<\/strong>: Kong, Apigee, AWS API Gateway, Envoy.<\/li>\n\n\n\n
                                          • Example<\/strong>: An API gateway checks if Rajesh\u2019s access token includes role=Admin<\/code> before allowing an update.<\/li>\n<\/ul>\n\n\n\n
                                            \n\n\n\n

                                            18. Zero Trust \u2014 Continuous Authorization<\/strong><\/h2>\n\n\n\n
                                              \n
                                            • Principle<\/strong>: \u201cNever trust, always verify.\u201d<\/li>\n\n\n\n
                                            • Access is continuously re-validated based on identity, device, location, risk.<\/li>\n\n\n\n
                                            • Example<\/strong>: Even after login, your bank re-checks identity if you try a large transfer.<\/li>\n<\/ul>\n\n\n\n
                                              \n\n\n\n

                                              \u2705 Summary in One Line<\/h1>\n\n\n\n

                                              Identity \u2192 Authentication \u2192 Authorization \u2192 OAuth2 \u2192 OIDC \u2192 Tokens (JWT, claims) \u2192 IdPs (Google, IdentityServer) \u2192 SSO\/Federation \u2192 SCIM \u2192 PKCE & Sessions \u2192 Scopes\/Consent \u2192 Introspection \u2192 API Gateways \u2192 Zero Trust<\/strong><\/p>\n\n\n\n

                                              \n\n\n\n

                                              <\/p>\n","protected":false},"excerpt":{"rendered":"

                                              Tutorial: The Complete Guide to Modern Identity and Access Management 1. Identity \u2014 the \u201cWho\u201d Identity is the digital representation […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-965","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/posts\/965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/comments?post=965"}],"version-history":[{"count":2,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/posts\/965\/revisions"}],"predecessor-version":[{"id":971,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/posts\/965\/revisions\/971"}],"wp:attachment":[{"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/media?parent=965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/categories?post=965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/tags?post=965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}