TL;DR: we are launching a podcast in which we interview identity standards experts on the latest trends and specifications, focusing on the concrete impact on development practices.
How "Identity, Unlocked" was envisioned
Today’s rich internet-powered experiences would not be possible without the widespread adoption of the OAuth2 and OpenID Connect standards. By taking care of authentication and authorization in an implementation-independent manner, standards-compliant services and SDKs stop developers from wasting precious cycles reinventing the wheel, freeing time to focus on what they really want to achieve.
Although adding sign-on to web apps and calling APIs using delegated authorization can usually be achieved using SDKs and services, leaving them the grunt work of generating and interpreting standard-compliant messages, it is not always possible to totally ignore the implications that come with choosing this or that particular protocol flavor.
Last year, the OAuth working group at IETF (Internet Engineering Task Force) established that the time was finally ripe to abandon the OAuth2 implicit grant as the (begrudgingly) recommended practice for securing API calls originating from single-page apps, favoring the safer authorization code grant, and started the process of updating the specs accordingly.
The working groups operate transparently; hence news of the initiative rippled outside the cohort of people working on standards, reaching the general developer population. What followed were weeks of confusion and, in some cases, outright panic. Most people had no idea that their apps were using the implicit flow, a detail abstracted away by SDKs, and didn’t know how to react to the news. Was there a new vulnerability in the open that required immediate intervention? Were their customers at risk right now? That wasn’t the case. In the end, as more information and explainers surfaced, the worst reactions were curbed.
Those reactions are understandable. Specifications are full of nuances that can only be understood in context; they use very precise language that strives to be concise and channel hard-won consensus, which often makes it difficult to discern true intent without having been part of the discussions that led to that particular outcome. No wonder people unfamiliar with the process (and the domain) have to resort to reasoning by soundbites. Even taking one of the many classes available online for getting up to speed with the core specifications (a couple we use to ramp up Auth0 employees are free: Learn Identity and OpenID Connect Pro Guide) won’t prepare you to fully appreciate the implications of the latest advancements.
Vittorio and Brian Campbell recording the first episode of Identity, Unlocked
The fact is, staying on top of identity specifications developments is literally a full-time job: there are folks who do that for a living, and even then, it’s not uncommon to see some degree of specialization (e.g., people being active in the OAuth community but not as much in the OpenID one). The only entities with bandwidth and expertise to tackle that activity are companies and individuals who made identity their career. And yet, the decisions made in those halls affect everyone, as they ripple through the industry and ultimately affect what is achievable in development and experienced by end-users. Wouldn’t it be great if we could find a way to make specification news more accessible to everyone?
While reasoning about the problem, I kept going back to a scene that will be familiar to most identity experts. You are at the bar with a fellow identirati, enjoying a drink after a full day of conference activities, discussing the most interesting sessions of the last few hours. Here’s the key point: if there is someone in the group that’s not an identity expert, every effort will be made to keep the conversation light on jargon and discuss problems in terms they can relate to, keeping the conversation as inclusive as possible; encouraging participation.
The thought went on: what if we tried to recreate the same dynamic, and make the outcome widely accessible in the form of a podcast? We could just have a chat between strongly opinionated friends who happen to work in the identity specs space, with microphones instead of drinks, and explore important topics - teasing out perspectives and info that are otherwise VERY hard to come by without being a full-time identity person.
I pitched the idea in Auth0 and found enthusiastic support.
The outcome is Identity, Unlocked - a podcast following precisely that format: a chat among friends about identity spec topics, discussed in a format that never loses sight of concrete development applications.
What should we expect from the first season
In this first season of Identity, Unlocked I chat with some of the bigwigs of identity specifications - people like Brian Campbell, Dick Hardt, Pamela Dingle, John Bradley, Daniel Fett, Aaron Parecki - covering a wide range of topics that go from the immediately consequential (e.g., OAuth2 Security BCP, OAuth2.1) to the future-looking (e.g., GNAP). Those folks are sharp and funny - chatting with them was great fun, and I am convinced you’ll find the result very informative.
We’ll release our first episode on September 14th, chatting with Brian Campbell, exploring sender constraints in general, and DPoP in particular. From then on, we’ll release a new episode every two weeks - for a total run of 6 episodes.
Although there are plenty of instructional initiatives for protocols (e.g., OAuth 101 explainer articles, books, videos, etc.) and many other podcasts tackling identity from the products and trends perspective, we saw an opportunity to bridge the gap between ultra-specialized specification talk and practical application. Let me tell you: it is hard. Some of the topics are so specific that they might remain difficult for some, no matter how much context we tried to provide. With each episode, we’ll post a blog that helps explain some of the more complex topics in more detail.
That’s one more reason for which we are super excited to finally make the podcast available to you - we can’t wait to hear your feedback!
To learn more about Identity, Unlocked, visit identityunlocked.com, and subscribe to the latest podcast updates and episodes on Apple Podcasts and Spotify.