Article posts

  • What happens to the tokens after an OAuth Authorization Code grant?

    At the end of the OAuth Authorization Code grant, after a user presents their credentials at login, a code is returned which can be exchanged for one or more tokens at the token endpoint.

    These tokens include an access token, an optional refresh token, and an optional id token. The access token is used to get access to different APIs and protected resources. The refresh token lets you mint new access tokens, and the id token is used by the client to display information about the user.

  • OIDC vs SAML: What's the Difference?

    It’s essential for digital platforms to keep their data and resources secure, which is why authentication protocols are so necessary. Authentication protocols are sets of rules used to determine the identity of an entity (such as an end user, application, or device) before granting access. This differs from authorization in that authentication is concerned with identity, while authorization is concerned with permissions. Although authentication is followed by authorization, the reverse is not typically true.

  • Single Sign-On vs. Single Logout

    Single sign-on (SSO) is an authentication method that allows users to access multiple applications with one set of login credentials. It provides secure access to numerous applications, making logging into applications easy while alleviating the burden of authentication and authorization for application developers.

  • Authenticators, Ceremonies, and WebAuthn, oh my!

    Unless you use two-factor authentication (2FA) with your password logins, you’re prone to cyberattacks. This is where Web Authentication (WebAuthn) can help.

    WebAuthn is an authentication standard that uses asymmetric cryptographic keys to authenticate users instead of passwords, mitigating cyberattacks. With WebAuthn, users can authenticate using their devices (with biometrics) without having to remember their passwords, store them, or worry about them getting compromised. The WebAuthn credentials are also known as “passkeys”.

  • Why consider cross-platform gaming accounts?

    More and more games are launching across two or more platforms. One of the prime reasons why game developers go cross-platform is to leverage a larger market. Being able to sell products to a whole new set of users is an incredible win for game developers, and demand for cross-play from gamers is increasing as well.

  • Hackfests at FusionAuth

    Hackfests, also called hackathons or fedex days (because you “ship in a day”), build team cohesion and allow for exploration of new technologies and processes.

    FusionAuth has been doing hackfests for a few years now. I wanted to document the what, why and how of them.

  • What is WebAuthn and why should you care?

    WebAuthn is a new way for people to authenticate themselves to web applications. It’s a widely supported standard years in the making. All major browsers work with it, which makes it easy for developers to incorporate WebAuthn into websites.

    WebAuthn, commonly called “passkeys”, allows users to leverage the power of biometric methods via a simple browser-native user experience.

  • How single sign-on works

    Single sign-on (SSO) is a key part of any customer identity and access management (CIAM) strategy.

    Why? Because your organization will almost always have more than one application for your customers. Even if you begin with one custom application, SaaS tools such as support forums, ticketing systems, or chat systems require authentication. You won’t want your users to have to log in to more systems than necessary, and SSO can help with that.

  • Is the OAuth Device grant right for your game authentication needs?

    The OAuth device authorization grant is an extension of OAuth 2.0. Because OAuth is an authorization protocol, it enables users to gain access to an application or device by allowing it to use account information from another application or device.

  • Three tips for handling spiky gameday launches

    Congrats! Your new massively multiplayer online (MMO) game is ready and you’re all set to launch. However, you’re not sure whether your servers can handle the load or whether the registration will fail under extreme load on launch day. If things really go wrong, you might lose users and revenue, which could possibly even lead to the failure of your game.

  • Critical infrastructure and latency in gaming

    While esports competitions are high skill cap events, both hobby gamers and elite professionals alike expect optimal network conditions when they play games. A suboptimal network can turn an enjoyable event into an infuriating one that drives players away.

  • What is SCIM?

    SCIM is a specification to add and remove users and groups using a standard protocol.

  • Why is there no authentication in OAuth?

    OAuth, a standard for securely delegating authorization information, and OIDC, a profile written on top of it to securely transmit user profile data, both rely heavily on authentication of the user (also known as the ‘resource owner’) at the authorization server. The authorization server issues tokens only after the user has been authenticated to its satisfaction.

    However, there is next to no guidance about how to actually authenticate the user. Should I use a username and password? A magic link? Delegate to a third party? Require a TOTP code?

    This question came up in a discussion amongst the FusionAuth team and I thought it was worth digging into a bit more.

    Why exactly is ‘authentication’ undefined in OAuth/OIDC?

  • Why secure gamers' user accounts?

    As the industry continues to grow, gaming is becoming a way for users to make money in addition to being a form of entertainment.

    Gamers need to be able to track and save their progress to qualify for prize money, esports league salaries, or sponsorships, as well as add to their streaming content or videos on demand. Their unique user accounts are vital to their success.

  • Customer Identity and Access Management (CIAM) vs Identity and Access Management (IAM)

    Both Customer Identity and Access Management (CIAM) and Identity and Access Management (IAM) are about the people who use your system: who can access what, how they prove who they are, and how you manage access over time. Though there are similarities between CIAM and IAM, at their heart they serve different needs.

    Let’s take a look at these two identity management archetypes and see how they differ.

  • FusionAuth announces BioTech™

    FusionAuth is proud to announce a breakthrough in user security, BioTech™. This new technology will help users around the world more easily secure their accounts and data.

  • Zero Trust and How IdPs Factor Into It

    Years ago, before the widespread adoption of cloud and SaaS-based offerings, IT security was arguably simpler. For a while, you could assume with a decent level of confidence that anyone inside your corporate network was meant to be there and could be trusted. Meanwhile, anyone outside the network was not to be trusted.

    This is no longer the case.

  • When to self-host critical application components

    In April of 2021, Auth0, an identity provider powering authentication for hundreds of websites, experienced an hours-long outage. During the outage, users could not access their authentication portals and many of their websites were rendered unusable due to the broken authentication flows.

  • How to Protect Your Organization From Auth Vendor Lock-in

    Years ago your team decided to use a third-party auth system to avoid the time and cost of building one in-house. But now a better option has hit the market and you’re wanting to make the switch. Except, hold on, your old system is so deeply ingrained into your organization that you’re practically locked-in to your current vendor.

  • How to mitigate risk when your auth vendor gets acquired

    Authentication is an integral part of your application, and as such the acquisition of your auth vendor isn’t like other acquisitions. It could mean many things for your business, and you’ll have to decide how to respond accordingly.

  • Why use a standardized auth protocol?

    Software applications regularly need to gain access to data from other services on behalf of their users. An application may need to grab a list of a user’s contacts from a third-party service, such as their Google contacts. Or it might need to access a user’s calendar so the application can create calendar entries for the user. Larger organizations often require employees to have passwordless access to all the applications and services needed to do their jobs.

  • Security and privacy risks when implementing an auth system

    Given the increase in data breaches in the past few years, it’s more important than ever for software engineering leaders to prioritize security, quality development practices, and robust governance controls. Your customers’ trust is on the line—and that’s the lifeblood of any business that wants to keep growing.

  • What's Wrong With the OAuth2 Implicit Grant?

    The Implicit grant is part of the OAuth 2 RFC, but is one of the features omitted in the OAuth 2.1 specification. With this grant, you don’t have to write server side code. Instead of having to exchange an authorization code for an access token, you are provided an access token on redirect.

  • What to consider before choosing an open source auth provider

    Open-source authentication providers are popular because anyone can review much or all of the code that powers them. This availability can be especially helpful in evaluating whether a particular authentication provider will work for your use case. In addition, if you want the source code for any number of reasons (e.g., the provider could go out of business or get acquired), open source is basically tailor-made for that.

  • The what, why and when of multi-factor authentication (MFA)

    As more of our lives and data move online, multi-factor authentication (MFA) becomes increasingly important to help keep our accounts secure. As a user, you should enable MFA on accounts with valuable data. But as a developer or software creator, you need a deeper understanding of MFA, why it’s important and when to require it.

  • FusionAuth releases SimplePass™

    FusionAuth is proud to announce a breakthrough in user security, SimplePass™. This new technology helps users around the world remember their passwords.

  • How to get the most out of a free auth provider trial

    When you’re evaluating authentication providers, one of the main building blocks of any software product, you want to make sure you won’t regret your choice a few months or years later.

  • Approaches to user account migration

    Migrating user data is fraught with risk. Of course, migrating any data is tough, but user accounts are even harder because any issue with the transfer affects human beings. Whether employees, customers, or potential clients, humans tend to react negatively to applications being inaccessible.

    There are a few different approaches to migrating user accounts. Each of these works, but has different risks, timelines and implementation approaches.

  • Migrating off of Auth0? Here's what you need to know

    Pssst. You may have heard that Auth0 was recently acquired by Okta. If this has you considering migration options, read on. This post will provide a strategy for determining if a migration makes sense, and discuss what you’ll need to consider if it does.

  • Auth specific scaling challenges

    Modern authentication is built on hashing passwords using computationally expensive algorithms. Because of this intense CPU usage, there’s a push-pull relationship between robust security and scalable solutions. Since security is so critical, and frankly nonnegotiable, you’ll have to grapple with the challenges of scaling your authentication.

  • Authentication as a Service Security Due Diligence Tips

    Within today’s software development ecosystem, third-party vendors are a common part of system architecture.

    Specifically, Authentication-as-a-Service (AaaS) is growing fast. Their out-of-the-box capabilities enable engineering teams to focus on building features valuable to business rather than spending time and resources on reinventing the wheel of securing application access.

  • Outsourcing auth: how to get buy-in from your team

    You lead a team of engineers, and your team is responsible for building out a new customer-facing product that could have a huge impact on the trajectory of your company. Lately you’ve been considering whether or not rolling your own authentication system is a good idea. You’ve spent a lot of time and effort carefully weighing the pros and cons, and you’ve come to the conclusion that home-grown auth is not in the best interests of your company.

    How do you go about talking to all the relevant stakeholders about this choice?

  • Hide upstream identity providers with the Auth Facade

    During conversations with FusionAuth customers, I have seen a common deployment pattern I call the “Auth Facade”. This architecture is useful when deploying software to heterogeneous environments. You and your team are building an application which will deploy onsite. This could be into a data center, an isolated network, or a private cloud. These environments are run by your customers and you have limited insight into their configuration.

  • Why outsource your auth system?

    You’re a software engineering leader, and you’re great at your job. You know that the optimal path for software development lies in figuring out which components of your design to implement from scratch and which have already been implemented by specialists and can be reused.

  • GNAP, the next generation of OAuth

    The Grant Negotiation and Authorization Protocol, also known as GNAP, is currently being formulated in an IETF working group. This protocol will not be backward compatible with OAuth2. However, since it is a new major auth standard and is currently in development, you should give it some attention.

  • Breached password detection best practices

    Breached password detection may be the wave of the future, but some third-party solutions are better than others. Performance, flexibility, ease of use, user experience, and value can vary greatly. Keep these best practices in mind when choosing the solution that is right for your organization.

  • The Auth Bottleneck Pattern

    One common pattern for modern organizations is to centralize user management with a bottleneck architecture. A solid user management system is provisioned and all authentication and authorization requests are routed through it, rather than individual applications having their own auth components.

  • What's new in OAuth 2.1?

    Hey look! OAuth is getting spiffed up a bit. The original OAuth 2.0 specification was released in October 2012 as RFC 6749. It replaced OAuth 1.0, released in April 2010. There have been some extensions over the years. A new OAuth specification has been proposed and is currently under discussion. As of this blog post’s writing, the specification was most recently updated on March 8, 2020. If approved, OAuth 2.1 will obsolete certain parts of OAuth 2.0 and mandate additional security best practices. The rest of the OAuth 2.0 specification will be retained.

  • DataStax's Switch to FusionAuth - A Case Study

    It was a frustrating day when DataStax found out their identity provider was shutting down with very little notice. They needed to switch fast, and they needed to do it without disrupting their customers and the DataStax Academy. Thankfully they found FusionAuth.

  • User Data Security is a Breach

    If you follow us on Twitter (if you don’t, you can fix that now) you’ll see that we post about data security breaches hitting the internet community. We don’t do it to be malicious or gloat about their failures, but to increase awareness beyond the core community of security professionals. We deal with security every day so we know that keeping data secure is a complex challenge. Few people are well-versed in its many facets and subtleties, and it can be difficult to stay informed of the current trends and risks. We hear all the time “See? You can’t stop cyber breaches.” Fortunately, that’s a load of crap.

  • Is FusionAuth GDPR Compliant?

    It’s been about a year since the General Data Protection Regulation (GDPR) became fully enforceable. Are you compliant yet? We started making FusionAuth GDPR compliant as soon as the regulation was adopted, although to be honest, there wasn’t a lot we needed to do. We fully agree with these regulations and feel they provide effective guidelines that any application should follow with their users’ personal data. If you are trying to catch up with the GDPR news, read our Developer’s Guide to the GDPR here and you’ll have a good idea of what you should be aware of. Our developers have been working with these concepts for years now, so it was exciting to see our caution around user data validated.

  • Stop Storing My Plaintext Password

    Believe it or not there are still companies emailing users with plaintext passwords. Worse yet, some systems are storing plaintext passwords in the database. Storing or emailing plaintext passwords can increase security vulnerabilities by as much as 10x. Just freaking stop!

  • 6 Ways The FusionAuth API Is GDPR Ready

    The GDPR is a complex regulation, but at its most basic level it requires organizations to provide “data protection by design and default.” FusionAuth is built with a powerful REST API that gives developers the tools they need to adhere to the requirements of the GDPR quickly and easily. On May 23, 2018 FusionAuth’s CEO Brian Pontarelli presented to Colorado’s technology leaders about how the GDPR and data privacy will affect US companies, and went into detail about how the FusionAuth API is well-suited to help companies stay GDPR compliant and avoid risks of fines and data restrictions for data protection violations.

  • Got Users? How About 100 Million of Them?

    FusionAuth User Registration Hits 100,000,000 in Load Test

    Did you know that each time you log into Facebook, check your email or fire up Fortnite, a software engineer has thought about user registration and authentication? Hopefully she has thought a lot about it. For example, what happens if Call of Duty goes offline for maintenance and then six million users try to log back in at the same time? It could take days for users to get back online if peak loads aren’t planned for.

  • Data Partners And The GDPR - Questions To Ask

    By now, you should be fully aware of the GDPR’s data requirements for your own application, but have you talked with your data partners? If your application takes advantage of third-party tools and components to add functionality or track user information, they need to be compliant as well. The new regulations state that data privacy needs to be maintained throughout the entire lifecycle of an application, through every data controller and processor. Take the time to ask your data partners how they ensure GDPR compliance, including their security framework and how they manage data.

  • Multi-tenancy in a Single-tenant Architecture

    While FusionAuth is fundamentally a single-tenant solution, we do support multiple tenants within a single-tenant instance. In this post I’ll outline a few of the common use cases we solve with our tenancy feature.
