Atlas

Atlas — web authentication & security concepts

The grounding glossary. Every concept the portal covers, grouped by the eight capabilities from the Capability Map. One line each; marked concepts expand into full pages as the portal grows.

Legend: ★ deep-dive page · ▶ interactive demo · ⚑ regulatory touchpoint

0. Foundations — the OAuth/OIDC substrate

  • OAuth 2.0 ★ — delegated authorization: how an app gets permission to call an API for a user.
  • OpenID Connect (OIDC) ★ — identity layer on OAuth; adds the ID token (who the user is).
  • Authorization Code flow ★▶ — the only flow FAPI 2.0 allows; see Sender-Constrained Tokens for the full sequence.
  • Access / refresh / ID tokens — the API credential, its renewal, and the identity assertion.
  • Scopes & claims — what access is granted, and the facts about the user/session.
  • JWT / JWS / JWE ★▶ — signed or encrypted token; try the JWT decoder.
  • JWK / JWKS — public-key format and the endpoint that publishes keys.
  • Client: public vs confidential ★ — can it keep a secret? Drives the BFF question.

1. User Authentication — C1

  • WebAuthn ★▶⚑ — the browser API behind passkeys.
  • FIDO2 ★ — WebAuthn + CTAP; phishing-resistant auth.
  • Passkeys: synced vs device-bound ★ — convenience vs assurance.
  • Platform vs roaming authenticator — built-in (Face ID) vs external key.
  • Relying Party / RP ID — the origin binding that kills phishing.
  • Attestation — proof of what made the key.
  • SCA ★⚑ — PSD2: two factors + dynamic linking for payments.
  • Passwordless / OTP / TOTP — the weaker fallbacks and why.

2. Device Binding & Request Integrity — C2

  • Bearer token ★▶ — “whoever holds it, spends it”; the core web weakness.
  • Sender-constrained / PoP token ★ — bound to a key the client must prove it holds.
  • DPoP (RFC 9449) ★▶ — app-layer proof-of-possession; the heir to the mobile hash. Deep dive.
  • mTLS-bound token (RFC 8705) ★ — transport-layer PoP via client certificate.
  • Token binding claims (cnf, jkt, x5t) — how the token records its bound key.
  • WebCrypto + non-extractable keys ★▶ — the browser’s closest thing to a secure enclave; try the keygen demo.
  • Anti-replay (jti, nonce, iat) ▶ — stopping a captured proof being reused; see the DPoP proof builder.
  • Dynamic linking ★⚑ — PSD2: bind the specific amount + payee.
  • PKCE (RFC 7636) ★▶ — proves the app that started the flow finishes it; PKCE lab.

3. FAPI & Request Protection

  • FAPI 1.0 vs 2.0 ★ — old two-tier profiles vs the single attacker-model-driven 2.0. Deep dive.
  • FAPI 2.0 Security Profile ★⚑ — the bank-grade rulebook.
  • PAR (RFC 9126) ★▶ — push the auth request to the back channel first; walk it in the FAPI flow demo.
  • iss parameter (RFC 9207) — kills mix-up attacks.
  • private_key_jwt (RFC 7523) ★ — asymmetric client auth, no shared secret.
  • Redirect-URI exact matching — closes open-redirect exfiltration.

4. Browser-Side Security — C3 (declarative)

5. Client-Side Code Integrity — C3 (code)

6. Anti-Phishing — C4

7. Gateway / API Edge — C5

  • API gateway ★ — the single policy-enforcement point.
  • Channel-aware policy ★ — different token rules for web vs mobile, same downstream APIs.
  • WAF — signature/rule-based filtering.
  • Bot management ★ — separating humans from scripted traffic.
  • Rate limiting / velocity — blunt brute-force and stuffing.

8. Fraud, Malware & Device Intelligence — C6 / C7

9. Risk Decisioning & Adaptive Response — C8

10. Standards & Regulation ⚑


~95 concepts · ~40 deep-dive pages planned · ~15 interactive demos. Phase 1 shipped the FAPI/DPoP spine; Phase 2 added the browser-side threat cluster, front-door auth, and the standards thread; Phase 3 added the risk layer (C6–C8), the BFF-vs-SPA architecture question, and the demos that make sender-constraining tangible — a real non-extractable WebCrypto key and a real, verifiable DPoP proof. The long tail of remaining ★ entries fills in incrementally, not as a blocking phase.