Authorization
Understand how access decisions are made after authentication. Covers role-based access control (RBAC), attribute-based access control (ABAC), OAuth scopes, policy engines, and the principle of least privilege.
Key Terms
OAuth 2.0
An authorization framework that enables third-party applications to obtain limited access to a web service on behalf of a resource owner, without exposing credentials.
Zero Trust
A security model based on the principle of 'never trust, always verify' that requires strict identity verification for every person and device attempting to access resources, regardless of network location.
Role-Based Access Control
RBAC
An access control model that assigns permissions to users based on their organizational roles, simplifying access management by grouping permissions into roles rather than assigning them individually.
Attribute-Based Access Control
ABAC
An access control model that evaluates access requests based on attributes of the user, resource, action, and environment, enabling fine-grained, context-aware authorization decisions.
API Security
The practices, patterns, and technologies used to protect application programming interfaces from unauthorized access, data breaches, and abuse, including authentication, authorization, rate limiting, and input validation.
OAuth Scopes
A mechanism in OAuth 2.0 that limits the access granted to a client application, defining specific permissions the client can request and the resource owner can approve.
Authorization Code Flow
An OAuth 2.0 grant type where the client receives an authorization code from the authorization server and exchanges it for access and refresh tokens via a back-channel request, providing the most secure flow for server-side applications.
Proof Key for Code Exchange
PKCE
An extension to the OAuth 2.0 Authorization Code flow that protects against authorization code interception attacks by requiring the client to create a cryptographic code verifier and challenge.
Least Privilege
A security principle that grants users, applications, and systems only the minimum access rights and permissions necessary to perform their required tasks, reducing the attack surface and blast radius.
Recommended Books
Identity Management Design Guide with IBM Tivoli Identity Manager
Axel Buecker, Dr. Paul Ashley, Martin Borrett
This IBM Redbooks publication provides a comprehensive guide to designing and implementing identity management solutions using IBM Tivoli Identity Manager. It covers the full identity lifecycle from provisioning to deprovisioning, role-based access control, compliance reporting, and integration patterns with enterprise directories and applications.
OAuth 2 in Action
Justin Richer, Antonio Sanso
OAuth 2 in Action teaches you the practical use and deployment of OAuth 2 from the perspective of a client, authorization server, and resource server. You'll learn how to build an OAuth 2 ecosystem from scratch, understand the security implications, and implement it correctly in real-world scenarios.
Solving Identity Management in Modern Applications
Yvonne Wilson, Abhishek Hingnikar
This book provides a practical guide to identity management for modern applications. It covers the fundamentals of authentication, authorization, OAuth 2.0, OpenID Connect, and SAML 2.0, explaining when and how to use each. The second edition includes updated coverage of passwordless authentication, passkeys, and decentralized identity.
Zero Trust Networks
Evan Gilman, Doug Barth
Zero Trust Networks provides a thorough examination of the zero trust security model, where nothing inside or outside the network perimeter is trusted by default. The book covers network architecture, device trust, user trust, application trust, and how to build systems that verify every request regardless of source.
Keycloak - Identity and Access Management for Modern Applications
Stian Thorgersen, Pedro Igor Silva
This practical guide covers Keycloak from installation to advanced configuration. Learn how to secure applications using OpenID Connect and OAuth 2.0, configure social login, implement fine-grained authorization, manage users and roles, and integrate Keycloak with existing infrastructure.
OAuth 2.0 Simplified
Aaron Parecki
OAuth 2.0 Simplified is a guide to building OAuth 2.0 servers and clients. Written by the author of oauth.com, it covers the OAuth 2.0 framework in clear, approachable language with practical examples for web and mobile applications.
Comparisons
RBAC vs ABAC: Choosing the Right Access Control Model
A detailed comparison of Role-Based Access Control and Attribute-Based Access Control. RBAC assigns permissions through predefined roles and is simpler to implement and audit, while ABAC evaluates dynamic attributes for fine-grained, context-aware decisions. This comparison covers scalability, complexity, compliance implications, and hybrid approaches that combine both models.
OAuth 2.0 vs OAuth 2.1: What's Changing and Why
An analysis of the evolution from OAuth 2.0 to OAuth 2.1. OAuth 2.1 consolidates security best practices into the core specification, mandating PKCE for all clients, deprecating the implicit grant and resource owner password credentials grant, and requiring exact redirect URI matching. Understand what changes are required and how to prepare for the transition.