Ask HN: Any comprehensive courses on Auth?
I would like cover basic username/password auth, OAuth and Active Directory, security keys and everything in between. Would like to do this in a linear fashion, ie like a coursera course with practice problems.
92 comments
[ 3.8 ms ] story [ 163 ms ] threadhttps://www.lvh.io/posts/a-childs-garden-of-inter-service-au...
https://fly.io/blog/api-tokens-a-tedious-survey/
Have you looked at the specific RFC for token exchange? https://datatracker.ietf.org/doc/html/rfc8693
The concepts are solid, even if not every vendor supports it. FusionAuth doesn't, though we have an open issue for it: https://github.com/FusionAuth/fusionauth-issues/issues/1471
For example host your own instance of Zitadel, Authentik or whatever you find most appealing. Tinker a bit around with it. Then use that instance to authenticate yourself somewhere, i.e. another service where you can set up your own oauth provider. Take a look at the API requests, take a look the code of some OAuth implementation, for example in projects like Gitea, Nextcloud.
May not be it for everyone, though I really like learning by doing.
After completing each subtask, review and re-prioritize the task list
As you go along, more tasks will come up that need to be added to the list
Edit: perhaps the hard bit is coming up with a thing to achieve? There are some examples in the other comments, such as setup xxx to auth with yyy
it is. I don't need a full 2FA TOTP AD integrated SSO for my personal NextCloud instance.
The only way to understand it outside of a job task is to make it for my personal NC instance with usercount of one
When you want to learn something, you probably have some kind of goal in mind. Let's use this as an example: you want to learn about Auth, because you need to integrate OAuth in an application.
Sure, you could just read a tutorial that does exactly accomplish your task, and you are "done". The tutorial will probably tell you, call this API endpoint, use this library, do this and that. But now you only know how to implement OAuth in your application, which may be fine, or enough for you.
But with tinkering I mean, that you don't just learn/read about the requirements for your task, but go a bit 'beyond'. For example, you set up an Identity Provider (e.g. Authentik, Zitadel, Keycloak, ...) which is 'out of scope' for your task, but now you are on the other side of the API endpoint, you can play around with the settings, see what might change with the OAuth integration in your application. Treat it like a sandbox, it's not production, you can 'build' anything you like, you now have power over both sides of the application, stuff you would never be able to do, as you are only tasked to integrate that API endpoint in your application, but would never be tasked, to deploy that API, as this is 'not your job'. You'll maybe spot one or two things, which are good to know for your integration, which you would've never seen in a Tutorial. You'll already pick up some terms that will later pop up while debugging your integration.
Your goal may be something completely different from my example, but what I'm trying to say is. If you want to learn something, because you need/want to do $X don't only learn to do $X but also take a peek at what happens end-to-end, be curious, and maybe question why someone in a tutorial says do $A and doesn't even mention $B. You'll never know that $B exists, even if it may be the better solution to do $X in your case.
The problem with auth is that in practice, it's a lot of messy implementations of insufficient specifications requiring customizations/extensions. Reading a good explainer for say, OAuth, is a great thing to do. But won't be sufficient due to the myriad of weird quirks across various apps/vendors implementation of Auth <Approach>. Dealing with those quirks helped me more deeply understand the underlying concepts and the intent of the spec.
The messiness of the space really means that to be successful, developing some deeper intuitions about how everything fits together can be extremely helpful. And to do this, I think that just playing with auth - a lot - is one of the best ways to develop these intuitions.
I personally liked to spin up dirt simple Express.js apps, and then I'd wire up a sparse UI to the auth endpoints for some vendor, doing a barebones implementation of each thing needed to satisfy the auth protocol used. This really cemented the concepts for me and gave me a library of code that I could easily copy and tweak to experiment with something else.
I also read a lot of blog posts, watched a lot of YouTube videos, and went to an Auth conference or two.
https://auth0.com/learn
For example, user/pass is pretty simple on the surface:
1. app sends server user/password.
2. check if it matches the password in the database.
3. if so, respond with a token the app can send back that is associated with the user. if not, return with a 401.
The number of gotchas in this simple 3-step process is insane... here's some off the top of my head (not exhaustive):
- make sure the login form includes a CSRF token.
- do not store the password in plaintext in the db. or encrypted, probably. Since an attacker can possibly get the encryption key and then decrypt all your passwords. Use strong, slow hashes.
- rate limit your logins to prevent brute-forcing (slow hashes work great here)
- use constant-time comparisons to check if the password matches (e.g., hash_equals() in PHP), RTFM for whatever constant time check you are using or you will open yourself up to timing attacks.
That's the issue with security stuff, there are so many gotchas that anyone writing a course would open themselves up to getting sued (at least in the US) just for missing a gotcha or someone with Dunning-Kruger thinking they know everything and getting hacked ... it's too risky. You have to just get into the industry and learn it the hard way. At least that's how I learned everything I learned.
* on the client side, store the token as a secure https only cookie, as local storage is accessible by any module of your app, see supply-chain attacks.
* be extra careful with oAuth [1]
* for APIs, be strict with CORS [2]
[1] https://salt.security/blog/oh-auth-abusing-oauth-to-take-ove...
[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
https://firebase.google.com/docs/auth/admin/manage-cookies
So here is what I'd refer to:
https://stackoverflow.com/questions/44133536/is-it-safe-to-s...
Regarding the Firebase, I see an open issue on this, so I guess we are not the only ones wondering :)
https://github.com/firebase/quickstart-nodejs/issues/194
I say that as someone who was on the "receiving end" of this kind of advice for years btw. I always thought that the things that are "better left to libraries" are really arcane and impossible to understand, which only lead to confusion and an inability to truly assess options. And it's really just a matter of semantics and framing. It would be perfectly reasonable to say "it's not complex as long as you keep this reasonably long list of gotchas in mind".
I was trying to say exactly what you are saying, and that is just get in there and learn. It isn't that complex to implement this stuff yourself if you need to. I've implemented this stuff myself dozens of times over the years... but I try to use a library before implementing it myself. Interestingly, over the years, I've reviewed libraries and found bugs in them. So, do read the code of the library you're using. Once you've reviewed a few of them (and implemented it yourself a few times), you kinda get an idea of what to look for.
The only thing I took issue with in your original comment was the "The number of gotchas in this simple 3-step process is insane" and the "there are so many gotchas" parts, as I think that this exact wording made me read the whole thing in a wrong way. I just wish we would tell people new to these kinds of topics "Don't fear this, this is normal, but totally manageable! It might seem like a minefield at first, but actually, there's a very well-trodden path through it. Here's (part of) the map." (Basically,you provided that map, which is great, and more than people genrally do, but the wording above made the map seem more daunting than I would wish.)
Also... don't rely on slow hashes themselves for rate limiting. They're slow because they eat up CPU. Rate limit the requests themselves or you're setting yourself up for denial of service fun. (And also, slow for your server does not necessarily mean prohibitively slow for an attacker's cluster if they do manage to dump your DB. Salting is useful and hopefully uniquely done per account for you by your hashing function, but it's also useful to just forbid very weak passwords entirely, and maybe go so far as to forbid even strong-looking ones that have shown up in data leaks.)
Edit: just honestly curious, how to implement it best.
However, user ids really only work for UUIDs as numbers are not random (and very easy to create rainbow tables for). If your users can’t change their user name or email address, you could use that as well.
All assuming database access but for some reason reading the database doesn't get me what I want. Perhaps this system is used to get a bearer token or session cookie for another system I can't access.
Sure, if someone swaps the stored fields of two accounts around, they can login as them, but I don't think I've ever seen attempts at preventing this with just hashing policy. Things are rather dire for you already if an attacker can swap the fields of two accounts. Is the attacker in this scenario an employee...? As you say, any additional data from the row that is used along with the main random salt can just be swapped around too. I guess it's possible that an attacker can only swap the hash field, but not anything else, or especially not something like the primary key they would need. Some older schema designs store the per account salt in a separate column from the hashed password, if only one field can be altered then I guess that would stop the given threat scenario too. (Edit: I guess another scenario the GP might be thinking of is that all other data is gated behind queries that filter on a user id, so an attacker partially modifying just the user login row to login "as them" doesn't actually help get access to anything else if they had to modify the user id.)
I think it's better here to focus on the broader scenario of "unauthorized access" which includes concerns like: attacker actually knows the user's password (from keylogger or whatever) and thus doesn't even need to alter anything in the DB or care about the hashing policy. It might seem like it's over in such a case, but many systems out there still manage to prevent many cases of such unauthorized access. e.g. with 2FA, or pseudo-2FA with things like "we don't recognize this device fingerprint/IP, so re-verify the account's email and/or phone and/or trusted recovery email" -- and even after that sometimes the service (Google) still might not let you in.
The best courses on the oidc/oauth and saml I have seen were the paid ones here: https://www.hackmanit.de/en/training/portfolio
On linkedinlearning this one was quite ok: https://www.linkedin.com/learning/web-security-oauth-and-ope...
Free ressources check: -https://aaronparecki.com/
-OAuth 2.0 and OpenID Connect (in plain English): https://m.youtube.com/watch?v=996OiexHze0
https://speakerdeck.com/nbarbettini/oauth-and-openid-connect...
-OAuth/OpenID by Nat Sakimura(chairman openid foundation) https://m.youtube.com/playlist?list=PLRUD_uiAYejRvQWkS2xjgFW...
For the active directory topic I don't know good ressources
Also follow the BCP that will remain in a draft state forever(at least for the near future): https://datatracker.ietf.org/doc/html/draft-ietf-oauth-secur...
The Nuts and Bolts of OAuth 2.0
https://www.udemy.com/course/oauth-2-simplified/
Advanced OAuth Security
https://www.udemy.com/course/advanced-oauth-security/
(I work for an auth vendor, so where I stand depends on where I sit, to some extent.)
I've seen and built apps that only needed built-in framework or language support. Or, best of all, don't use authentication at all.
I've also seen and/or built apps that needed advanced functionality to support business requirements. For example, if you want to:
* support slack-like workspace switching functionality for a single user
* but allow each organization to control the login methods they want to allow, including magic links, SAML, OIDC, LDAP, etc
* and make all APIs securely and scalably available to single page applications and mobile applications
* across hundreds of thousands or millions of users
You're going to want to use some of the more complicated standards. Basic auth ain't gonna help with that.
Typing your username and password into a 3P website so it could crawl your contacts was horrible anti-pattern.
I know it’s not a linear learning answer but hope it helps you perhaps later. Good luck!
for example if you need roles defined per client and you have a lot of clients. In Keycloak that would be realm(s) and it's not really designed to have a lot of those. In Keto world it's all a function of queries, which admittedly can also be a bit of a challenge if you need to cache it and be part of a fast response chain (like high speed API).
https://cheatsheetseries.owasp.org/cheatsheets/Authenticatio...
It would head well into advanced user/password schemes.
The problem is that even advanced mechanism like a SCRAM based authentication with additional 2fa are rather simple to grasp & implement, but really hard to get right / secure.
A lot of the evolution is rather an evolution of attacks and issues, leading to new schemes. OWASP is thus pretty relevant, too.
but useful stuff:
certified ethical hacker course can give you a perpetrator's pov on how people get hacked.
owasp cheatsheet and latacora blog are useful reference also.
understanding how companies offer these services also helps, e.g. clerk.com, ory.sh, auth0, okta, supertokens, etc.
understanding how authentication coincides with authorization helps too.
https://fastapi.tiangolo.com/tutorial/security/
After getting familiar, I self hosted Keycloak and integrated it with my FastAPI server.
https://www.keycloak.org/
Though not exactly a course, learning by doing helped me :)
It's a topic I'd be interested in writing more about, and I'm happy to start here if you would find it useful.
https://datatracker.ietf.org/doc/html/rfc6749
The introduction will give you a bit of a background. The most important to read (for now) is just the introduction up to chapter 2.
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.htm...
From the spec:
"This Standards Track specification consolidates the information in all of these documents and removes features that have been found to be insecure..."
Security & IAM - https://cloud.google.com/architecture/security-iam
Other - https://cloud.google.com/architecture?_ga=2.121060044.-59389...
https://kerberos.org/software/tutorial.html
I founds this YouTube very informative as to how [all these things hang together](https://youtu.be/cUQcNi_obIc?si=HtZ9iLc76KF2iB2L). [This is perhaps relevant for passkeys](https://fedoramagazine.org/fido2-for-centrally-managed-users...)
Alternatively you can go down the OIDC or SAML paths (generally the path of a developer)
While I've worked with keycloak I've always found the [Curity's resources](https://curity.io/resources/openid-connect/) for understanding OIDC core and extensions very good.
The order in which you learn these things isn't really important but they're both important (but really depends on your problem domain)
* Solving Identity Management In Modern Applications is a great book offering an overview of the entire identity process, including provisioning (adding users), authentication and more. I read and reference the 2019 edition; don't have the 2023 edition but expect it is just as good: https://link.springer.com/book/10.1007/978-1-4842-8261-8
* OAuth2 In Action walks you through building an OAuth2 server from scratch (in JavaScript). You'll learn about the fundamentals of tokens, clients, registration, and more. Very accessible. https://www.manning.com/books/oauth-2-in-action
* The Security Engineering Handbook is great for foundational security knowledge, like 'What does a hash look like, and what makes a good hashing algorithm' as well as a lot of broader security topics: https://www.cl.cam.ac.uk/~rja14/book.html
* FusionAuth's vendor neutral articles: https://fusionauth.io/articles/ . I'd especially call out these two: The Modern Guide to OAuth, which walks through the multiple different ways the OAuth 2 authorization framework can be used: https://fusionauth.io/learn/expert-advice/oauth/modern-guide... (previous HN discussion: https://news.ycombinator.com/item?id=29752918 ), and the Math of Password Hashing: https://fusionauth.io/learn/expert-advice/security/math-of-p...
* The Beer Drinkers Guide to SAML is a great resource for understanding this (still) critical standard, plus just a fun read: https://duo.com/blog/the-beer-drinkers-guide-to-saml
* The RFCs and BCPs (as mentioned). I've also learned a lot by lurking on the OAuth mailing list, which is freely available: https://mailarchive.ietf.org/arch/browse/oauth/
* The Identity Unlocked podcast with Vittorio Bertocci (RIP). This is not about the basics at all, but is a deeper dive into the dev focused side of authentication, and will give you great pointers for more reading: https://identityunlocked.auth0.com/
* The OWASP guides are good but specialized. See for example: https://owasp.org/API-Security/editions/2023/en/0xa2-broken-...
* I have a substack where I talk about aspects of customer identity and access management that I think is pretty good :) : https://ciamweekly.substack.com/
I think this would be a great linkedin learning,...
- https://reactsecurity.io/ - https://EpicWeb.dev
It's more focused on application level architecture rather than the whole domain of AuthN/AuthZ, but I've found it's a decent reference for folks unfamiliar with a lot of the common issues one encounters in implementation.
https://www.oreilly.com/library/view/learning-digital-identi...