Auth in Depth: From Passwords to Zero Trust
A complete 16-chapter journey from authentication fundamentals to zero trust architecture — covering JWT, OAuth 2.0, OIDC, RBAC, ABAC, MFA, and real-world security patterns.
Overview
Auth is one of the most critical — and most misunderstood — areas of any product. Done wrong, it becomes the entry point for every major breach.
Auth in Depth is a 16-chapter series focused on the security of authentication and authorization systems: how identity is established, how access is controlled, and how auth-specific threats are mitigated in production.
Series Structure
Part I — Foundations
| # | Chapter |
|---|---|
| 1 | Authentication vs. Authorization — The Twin Pillars of Security |
| 2 | Password Security — Beyond the Character Rules |
| 3 | Session-Based Authentication — The Power of State |
Part II — Modern Authentication
| # | Chapter |
|---|---|
| 4 | JWT & Token-Based Auth — Scaling with Statelessness |
| 5 | Access & Refresh Tokens — Balancing UX and Security |
| 6 | OAuth 2.0 — Delegating Access to Third Parties the Right Way |
| 7 | OpenID Connect — The Identity Layer on Top of OAuth 2.0 |
Part III — Enterprise & Real-world
| # | Chapter |
|---|---|
| 8 | Social Login & SSO — One Account, Login Everywhere |
| 9 | SAML vs OAuth/OIDC — When to Use What in Enterprise |
| 10 | MFA / 2FA — Adding a Layer of Protection Beyond Passwords |
Part IV — Authorization Deep Dive
| # | Chapter |
|---|---|
| 11 | RBAC — Role-Based Access Control |
| 12 | ABAC & ReBAC — Attribute and Relationship-Based Access Control |
| 13 | Policy Engines (OPA, Casbin, Cedar) — Decoupling Authorization Logic from Your Code |
Part V — Security & Production
| # | Chapter |
|---|---|
| 14 | Auth Security Pitfalls — CSRF, XSS, Token Leaking, and How to Prevent Them |
| 15 | Rate Limiting, Brute Force Protection & Account Lockout |
| 16 | Zero Trust Architecture — Trust Nobody, Verify Everything |
Who This Is For
Engineers building web applications, APIs, or distributed systems who want a clear, structured understanding of modern auth — from first principles through enterprise-grade patterns.
Start with Chapter 1: Authentication vs. Authorization — the two concepts most often confused, and most dangerous when they are.