TL;DR: Every new technical hire at Auth0 goes through two days of technical onboarding. Today we are making the lecture portion of that training available to everyone, for free.
"Take a guided deep dive into the complexity of identity with Auth0 Principal Architect @vibronet. 4 hours of our technical onboarding lectures — for free!"
Understanding Identity: The Journey of New Auziros
Identity is complex. When you identify the job to be done, the particular task you want to accomplish, providers such as Auth0 can make it possible for you to add authentication and other identity-related functionality at the flip of a switch: you no longer experience the complexity, but the complexity never disappears. It has now transferred to the provider, who must thoroughly analyze the task you want to accomplish and make sound decisions about what's the most appropriate protocol flow to use, what reasonable defaults should be selected, what values should be hidden from view and what controls should be surfaced as configurable, what security measures are warranted... and many, many other design, planning and implementation aspects. Our customers don't need to sweat the details, but we do... and as a general rule, the easier the experience you enjoy, the more work has been poured into it behind the scenes.
One inescapable implication of the aforementioned situation is that the Auth0 personnel must have identity competence (what I often call the "identity IQ") that goes wide and deep: on fundamentals, traditional aspects (to know how to integrate with existing systems) and modern approaches. That's a kind of competence that isn't common on the market, especially if you compound it with the robust orientation toward developers of our offering and culture.
And yet, grow we must... Auth0 has been growing at a significant pace, continuing to double in growth and revenue year-over-year, and to sustain that growth we need to acquire talent that, while meeting our high bar (did I mention we are hiring? Take a look here), doesn't always bring as dowry the deep identity IQ we need to develop and operate our service. Faced with this conundrum, we didn't have much choice but to devise ways to teach identity to our new hires.
Why We Are Making Our Technical Onboarding Available
If you've been working in this space for a while, you know that this can be real tricky. Identity IQ isn't just learning by rote the names of the protocol artifacts and what knobs to turn in dashboards and SDKs to achieve a certain effect. True competence is mostly demonstrated when making decisions. Every day, Auth0 employees must make sound decisions on how to model specific scenarios, how to represent real-world entities in the protocol artifacts with the most fitting characteristics, what attack surface will come with a particular architecture, and so on. Those decisions must withstand the test of time, must gel with prior art, must gracefully scale when necessary, and must have all the other good properties one expects from solid engineering practices.
With all of that in mind, we examined the available literature on identity and development. Although there is a lot of good content out there, most of it was either too protocol centric (describing the protocol as a thing in itself, rather than a tool for solving real life problems), too scenario specific (not explicitly connecting the dots between development practices and protocol choices) or quite outdated. Given the strategic importance of keeping our identity IQ high, we decided to bite the bullet and... develop the content ourselves.
Every new Auziro (our nickname for Auth0 employees) begins his or her journey with a few days of in-person training in our Bellevue headquarters. We started running classes once a month, experimenting with different formats and content — and eventually converged on the current course: a two-day full-immersion class of heavily interactive lectures, punctuated by hands-on labs designed to give attendees first-hand experience of the theory learned up to that point.
The feedback has been consistently positive, and the course proved to be very effective in equipping people not just with essential knowledge, but with the right command of the terminology and fundamentals necessary to understand the literature out there and contextualize new knowledge. This is now established practice and a staple of starting one's journey with Auth0. And for the cases where logistics don't work and a trip to Bellevue isn't feasible, we pre-recorded all lectures in professional videos for a self-paced experience. Hold this thought, as I will come back to it shortly.
After a few months of successes, someone had the idea of experimenting with delivering the class to customers and partners. I have to admit that at first I was skeptical — isn't it Auth0's job to take on the burden of complexity, why should I bother the customer with the reasons behind the use of Nonce or why PKCE is necessary when using the system browser? Would they even care?
As it turns out, I was dead wrong — they cared A LOT. We delivered classes in London and Bellevue, Copenhagen and Oslo. In all cases, we filled the room with CTOs, architects, star developers and in general people whose responsibilities include making medium and long term strategy decisions for their company. They all gave glowing feedback, with some of them admitting that the class finally helped them to fully understand some aspects of the protocols and practices that they never managed to crack before. Some others shared that they've been looking for similar content for a long time, but they weren't able to get quite what they needed, until now.
"Some of the information I received today contradicts with our assumptions within the team about OAuth standards. Most of the information received will help me and the team make better decisions about auth flows." – Architecture Lead, Global Travel Aggregator
"Very useful. I work with a lot of businesses where identity is always a key part and not only has it given me more confidence and knowledge of Auth0 but in identity as a topic as well." – Partner, Cloud Architecture consultancy
"We had a great discussion. It's not every day that I get to talk so geekily in-depth with an acknowledged thought-leader in identity." – Distinguished Architect, B2B software multinational
Which brings us to today. Given the positive feedback we received, we decided to open up access to our classes to anyone. If you navigate to https://auth0.com/docs/videos/learn-identity/, you'll find the complete collection of identity lectures we recorded for our technical onboarding — available to you for free.
The Identity Course
The lectures you find at https://auth0.com/docs/videos/learn-identity/ are meant to help the viewer gain a deep understanding of OAuth2 and OpenID Connect, down to the use of specific parameters in particular messages of a given grant. Unlike a lot of the protocol content you might have consumed in the past, however, the course refers to scenarios and problems to be solved as the highest order bit. Instead of hitting you with the laundry list of all the artifacts described in the specifications, the course introduces the concepts required to solve a specific problem only when the scenario requires it. This helps with understanding the whys behind each choice, and positions each artifact in the right context — providing obvious explanations for otherwise baffling things that neophytes are usually forced to swallow as articles of faith, such as why one goes to authenticate to the authorization endpoint, or why a web site is called a client even when it's clearly the resource we are gating access to.
The other side of the coin is that every explanation builds on the concepts already covered, hence to get the most from the class the content should be consumed sequentially and without skipping any part.
The content is really designed to be interactive, for classes under 20 people — where it's not uncommon to have 15-minute detours to dig into some specific scenario that happens to be of interest for a particular cohort; that is also the reason why the slides supporting the narration are all designed to be rearranged on the fly, by dragging clipart around and scribbling on screen whatever impromptu explanation the discussion requires.
We clearly cannot offer the same dynamic in pre-recorded videos; however, we compensate for that by providing very granular bookmarks. Each concept and subtopic has been indexed and surfaced in the form of a link below the video, allowing you to form an idea at a glance of the specific points being discussed, and to jump directly to the right time in the narration. We observed this to be particularly useful when reviewing the material and looking for a quick refresher. In fact, we made sure to make every bookmark available as an absolute URL — we envision using those as references during discussions, posts on forums, tweets and any context requiring a bite-size explanation of specific identity concepts.
As of today, we cover the following topics:
An intro to the history of protocols — how the modern protocols came to be, what problems they were originally meant to solve, and how they emerged in response to the main challenges of each era
Using OpenID Connect for implementing web sign on in a traditional web app
Using OAuth2 for gaining delegated access to an API from a traditional web app
Using OAuth2 and OpenID Connect to invoke APIs from native clients (mobile, desktop, etc.)
Using OAuth2 and OpenID Connect to invoke APIs from SPAs (including a discussion of implicit vs code+PKCE)
The discussion starts extremely high level, but quickly dives deep - grants are picked for their ability to solve an abstract scenario, but are examined down to the network traces level. No concept is ever presented in isolation, but always annotated with the whys behind it and the implications of choosing one approach vs another. The highest order bit remains equipping the viewer to make good decisions.
Where to go from here?
The next step is to upload the hands-on labs, so that you can taste the complete onboarding experience. We don't have an ETA to offer at this point, but it's something we'd like to do very soon.
Another likely evolution is that we might publish the course on its own web site. Today it's embedded in our documentation, a solution that allowed us to make the videos available to you quickly; however, depending on your feedback we might repackage them (or updated versions) in their own space. Leave your feedback in the comments!
Finally, the fact that we published the videos doesn't mean that we will not do more in-person workshops. There is a lot of value in discussing those topics in person and digging into specific areas as needed by each specific group of participants, so we'll still occasionally do pop-up in-person classes around the world. If you are interested in one of those events, let us know by reaching out to an [Auth0 Resource](mailto:firstname.lastname@example.org).
In the meantime, please enjoy the videos. We hope they'll help you to catch the identity bug and get as passionate about identity as we all are here at Auth0!