authorization (usually RBAC) can be integrated with authentication
see policy-management for fine-grained control
Secure authentication means moving beyond passwords | CSO Online
Enterprise APIs and OAuth: Have it All
API Keys vs OAuth Tokens vs JSON Web Tokens - The Zapier Engineering Blog - Zapier
Authentication: It’s Easier Than You Think - YouTube
Authentication on the Web (Sessions, Cookies, JWT, localStorage, and more) - YouTube
- sessions + cookies
- tokens + local/session storage
Handling Authentication Secrets in the Browser - miguelgrinberg.com
Secure your users' passwords from the browser on
Facebook, GitHub team up to better secure password resets | InfoWorld
Delegated Account Recovery
Spring Security Registration Tutorial | Baeldung
Authentication Protocols
Basic access authentication - Wikiwand
Digest access authentication - Wikiwand
Secure Remote Password protocol - Wikiwand
does not mandate SSL/TLS (the password never crosses the wire)
RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication
RFC 7235 - Hypertext Transfer Protocol (HTTP/1.1): Authentication
Access-Control-Allow-Origin: *
cannot be combined with credentialed requests: browsers will not send cookies, HTTP authentication or client-side TLS certificates unless the server echoes the exact origin and also sets Access-Control-Allow-Credentials: true. A bearer token that script puts in an Authorization header is a different case: it is a non-safelisted request header, so the preflight response must list it in Access-Control-Allow-Headers: Authorization, X-Token
to allow those headers.
Use a MAC over a server nonce instead of sending the password; this allows authentication over a non-secure channel (the key never crosses the wire and the one-time nonce defeats replay).
Message authentication code - Wikiwand
HMAC - Wikiwand hash-based message authentication code
hapijs/hawk: HTTP Holder-Of-Key Authentication Scheme
Sign up
Implementing the right Email Verification flow - DEV Community
Using Netlify Forms and Netlify Functions to Build an Email Sign-Up Widget | CSS-Tricks
Auth as a Service
Stop Building Auth: a case for using prebuilt authentication in React Native | Theodo
Stytch’s API-First Approach to Passwordless Authentication – The New Stack
Magic: Future-proof passwordless authentication paid service
Developer-Friendly Passwordless Auth | CSS-Tricks
Pricing - Auth0 free 7000 monthly active users
Auth0 in 100 Seconds // And beyond with a Next.js Authentication Tutorial - YouTube
Authdog — Identity & Access Management for Developers | Pricing free 10000 monthly active users
Clerk | Authentication and User Management free 5000 monthly active users
Passwordless Authentication & Login in Next.js with Clerk - YouTube
Auth. Built for Devs, By Devs - FusionAuth OIDC and OAuth server
Oso | Batteries-Included Authorization
Never Build Permissions Again | Permit.io
Ory - Open Source Identity Solutions For Everyone
Welcome to Ory! | Ory
Firebase
Firebase Authentication
Authenticate with Firebase using Password-Based Accounts using Javascript
Firebase Pricing 10k/month free tier
Netlify
netlify/netlify-identity-widget: A zero config, framework free Netlify Identity widget
Netlify Identity Widget
Getting Started with JWT and Identity | Netlify
Authenticate users with Netlify Identity | Netlify Docs
netlify/gotrue: An SWT based API for managing users and issuing SWT tokens
Introducing Built-in Identity Service to Streamline User Management | Netlify
OpenFGA
Fine Grained Authorization | OpenFGA
OpenFGA
Based on Zanzibar, Google’s Consistent, Global Authorization System
Multi-factor Authentication (MFA)
Multi-factor authentication - Wikiwand
What is multifactor authentication (MFA)? - Definition from WhatIs.com
Bruteforcing MFA & Fail2ban Manipulation - TryHackMe! (Biteme) - YouTube
TOTP
Time-based One-time Password algorithm - Wikiwand
RFC 6238: TOTP: Time-Based One-Time Password Algorithm
Google Authenticator - Wikiwand
Google 2-Step Verification
Setting up Google Authenticator is as easy as scanning a QR code
LastPass Authenticator
Use 1Password as an authenticator for sites with two-factor authentication
Guides - Authy
Advanced Protection Program
Use your Android phone's built-in security key - Google Account Help
FIDO
FIDO Alliance - Open Authentication Standards More Secure than Passwords
FIDO2: Moving the World Beyond Passwords using WebAuthn & CTAP
FIDO2 Project - Wikiwand
How FIDO Works - Standard Public Key Cryptography & User Privacy
The ultimate account security is now in your pocket
Apple, the FIDO Alliance and the future of passwords | Computerworld
What is Passkey? | Trusted Reviews
physical keys
FIDO2 | Yubico
Titan Security Key Bundle, FIDO U2F BT & NFC - Google Store
Auth.js
originally NextAuth.js
Auth.js works with any OAuth 2 or OpenID Connect provider
Passport.js
Passport.js
Passport.js - Strategies
Using Passport With Sequelize and MySQL
WebAuthn
WebAuthn.io
WebAuthn - Wikiwand
Web Authentication API - Web APIs | MDN
Web Authentication: An API for accessing Public Key Credentials Level 1
Going Passwordless With WebAuthn | Blog | Curity
Enabling Strong Authentication with WebAuthn | Web | Google Developers
Your First WebAuthn
Introduction to Web Authentication: The New W3C Spec
Let's Get to Know Web Authentication | TechBridge Technical Blog
ACL
Role-based access control - Wikiwand
XACML - Wikiwand
The Identity Cookbook: Blockchain for Identity: Access Request Management
Improving Enterprise Business Process Management Systems: Enrich RBAC and ABAC with ProBAC
Blockchain
The Identity Cookbook: Blockchain for Identity: Access Request Management
Anatomy of a zero-knowledge web application - Clipperz, register your creations on the blockchain
SQRL
GRC's |SQRL Secure Quick Reliable Login
SQRL
Server Based
The server generates a session token and sends it to the client in a cookie. The session token acts as a bearer token and is used to look up the login/session info in memory or in a datastore.
On Securing Web Session Ids – hueniverse
expressjs/session: Simple session middleware for Express
Asymmetric Key
BrowserAuth.net using asymmetric-key for web
substack/trust-log: manage trust over time
mafintosh/ghsign: Sign/verify data using your local ssh private key and your public key from Github
Token Based
"Server Based" and "Token Based" may be misnomers.
Some articles say server-based auth binds a client to a specific server, but this is not actually true: an in-memory datastore shared by a cluster of app servers can look up the token on each client request.
And tokens in token-based auth may just as well be stored in cookies. The real difference is that all session info is embedded in the token. This separates authentication (key generation by a key server) from authorization (role enforcement by the app server) and allows for a third-party key server architecture.
The Ins and Outs of Token Based Authentication | Scotch
Best practices for token-based authentication in REST API - Google Groups.desktop
Token Based Authentication for Single Page Apps (SPAs)
Token Authentication: The Secret to Scalable User Management - Stormpath User Identity API
Token-Based Authentication With AngularJS & NodeJS - Tuts+ Code Tutorial
Cookies are bad for you: Improving web application security - sitr.us
Authentication in SPA (ReactJS and VueJS) the right way
Cookies vs Tokens. Getting auth right with Angular.JS
10 Things You Should Know about Tokens
Stop using JWT for sessions - joepie91's Ramblings
Stop using JWT for sessions, part 2: Why your solution doesn't work - joepie91's Ramblings
A Token Walks into a SPA - YouTube
hapijs/hapi-auth-cookie: cookie authentication plugin, which is really token-based authentication with the token carried in a cookie
roblevintennis-passport-api-tokens · GitHub
Why Using Tokens and Cookies Together is Better for Web App Security | by Ashan Fernando | Bits and Pieces STS sends JWT to backend to set session cookie
Goodbye Short Sessions: a proposal for using service-workers to improve cookie management on the web | Web Updates - Google Developers
There are three ways to send your access token in a request (RFC 6750):
- In an HTTP Authorization: Bearer header (always works, and is the recommended way)
- In the URL query string (works with any method but is discouraged: the token ends up in server logs, browser history and Referer headers)
- In the request body as a form parameter (only for application/x-www-form-urlencoded bodies, so POST/PUT rather than GET)
Bearer token clients
angular-token-auth/auth.client.js at master · auth0-blog/angular-token-auth
talis/bearhug-angular: Response interceptor for elegant bearer-token handling for angular's $http service
[AuthorizationServer/callback.cshtml at master · IdentityModel/AuthorizationServer](https://github.com/IdentityModel/AuthorizationServer/blob/master/samples/Flows/Implicit Flow (JavaScript)/callback.cshtml)
sahat/satellizer: Token-based AngularJS Authentication
Questions
Token-based auth allows for RBAC (Role-Based Access Control), but other methods can support RBAC as well (with a session lookup)
OAuth vs JWT vs OpenID
replay attack with bearer token
OAuth 2.0 (without Signatures) is Bad for the Web | hueniverse
OAuth Bearer Tokens are a Terrible Idea | hueniverse
auth0/node-auth0: Node.js client library for the Auth0 platform.
node-auth0/examples/nodejs-regular-webapp at master · auth0/node-auth0
node-auth0/examples/nodejs-api at master · auth0/node-auth0
auth0/cookie-jwt-auth
why store back to cookie?
auth0/spa-jwt-authentication-tutorial - JavaScript
Adding authentication to your React Flux app repo
Critical vulnerabilities in JSON Web Token libraries
vs OAuth
OAuth2 access tokens are opaque by default; a JWT can be used as the token format
JWT: 2 years later
OAuth 2 VS JSON Web Tokens: How to secure an API - Seedbox Technologies | Les Technologies Seedbox
On the Differences Between OAuth1 and OAuth2 | Litten's Blog
The Story of the Rabbit, the Carrot and OAuth | Litten's Blog
What's the difference between OAuth 1.0 and OAuth 2.0? | Packt Hub
Single Sign-On (SSO)
Implement Single Sign On Authentication
Lock: Single Sign On & Token Based Authentication - Auth0
auth0/lock - CSS
auth0/lock-passwordless
Authenticate users with Netlify Identity | Netlify Docs
Accessing Your Data With Netlify Functions and React | CSS-Tricks - CSS-Tricks
Netlify Identity - Create a SECURE User Login in 10 Minutes! | SOURCE CODE INCLUDED - YouTube
Next.js & Netlify Identity (auth) Tutorial - YouTube
NTLM
NTLM Authentication Scheme for HTTP
HowTo: Decode and log the username in an NTLM conn... - Pulse Secure Community
does not mandate SSL/TLS
OAuth1
The OAuth Bible
OAuth | hueniverse 1.0
OAuth | hueniverse
The OAuth 1.0 Guide – hueniverse
RFC 5849 - The OAuth 1.0 Protocol
does not mandate SSL/TLS (requests are signed instead)
OAuth and OAuth WRAP: defeating the password anti-pattern | Ars Technica DEPRECATED for 2.0
Compromising Twitter’s OAuth security system | Ars Technica
OAuth Authorization Flow - YDN
OAuth2
OAuth - Wikiwand
The OAuth Bible
Home | OAuth.XYZ
OAuth.com - OAuth 2.0 Simplified
OAuth 2.0 Simplified - A guide to building OAuth 2.0 servers
OAuth 2.0 Authorization Framework
OAuth2 explained with cute shapes - Back Market Blog
An OAuth access token is like a safe key made of ice: good only for a short period.
With refresh token rotation, every use of the refresh token returns a new (access token, refresh token) pair and consumes the old one. Presenting an already-consumed refresh token again is treated as theft: the server rejects it and revokes the tokens issued from it.
OAuth 2.0 Playground
OAuth 2.0 debugger
grant OAuth Playground
OAuth Community Site 2.0
OAuth / FrontPage
RFC 6749 - The OAuth 2.0 Authorization Framework
RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
RFC 8252 - OAuth 2.0 for Native Apps
draft-ietf-oauth-security-topics-12 - OAuth 2.0 Security Best Current Practice
An Illustrated Guide to OAuth and OpenID Connect | Okta Developer
What is OAuth really all about - OAuth tutorial - Java Brains - YouTube
OAuth terminologies and flows explained - OAuth tutorial - Java Brains - YouTube
OAuth 2.0 and OpenID Connect (in plain English) - YouTube
An Illustrated Guide to OAuth and OpenID Connect - YouTube
OAuth 2.0: An Overview - YouTube
[Overview of OAuth 2.0 and OpenID Connect - Using OAuth 2.0 and OpenID Connect with Caché - Caché & Ensemble 2018.1](https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=GOAUTH_background)
The unreasonable effectiveness of the Julia programming language – Ars Technica
Grant Types
- Authorization Code (front channel: the user logs in and the client receives an authorization code; back channel: the client exchanges the code, plus its client secret or a PKCE verifier, for an access token)
- Implicit (deprecated by the OAuth 2.0 Security BCP: the access token is returned on the front channel with no back-channel step, and no refresh token may be issued)
- Resource Owner Password Credentials (back channel only; the client collects the user's password directly, acceptable only for trusted legacy apps and also deprecated by the Security BCP)
- Client Credentials (back channel only; machine-to-machine, no user involved)
- Device Code
- Refresh Token
The user logs in with the Identity Provider (IdP), which returns (id_token, refresh_token). The id_token is usually a short-lived JWT with a TTL measured in minutes. The refresh_token is an opaque, one-time token that can be used in lieu of credentials to obtain a new (id_token, refresh_token) pair from the IdP. This exchange is done on the client side; the refresh_token is never shared with the app server. The refresh_token has the TTL of a user session, say 15-20 minutes, renewed upon each acquisition of new tokens.
Which OAuth 2.0 Grant should I use?
OAuth 2.0 is the authorization framework; authentication is layered on top by OpenID Connect, which returns an id_token asserting who logged in alongside the access token (the access token is what the app receives from the authorization server and sends to the resource server)
simov/grant: OAuth Proxy
Istio and OAuth2-Proxy in Kubernetes for microservice authentication
OAuth 2.0 access tokens explained - YouTube bearer token
An Illustrated Guide to OAuth and OpenID Connect - YouTube
Introduction to OAuth 2.0 and OpenID Connect • Philippe De Ryck • GOTO 2018 - YouTube
Egor Homakov: OAuth2: One access_token To Rule Them All
Introducing OAuth 2.0 – hueniverse
Learn OAuth 2.0 - Learning | InterSystems
An Introduction to OAuth 2 | DigitalOcean
What is OAuth | How OAuth 2.0 Works | Teleport
OAuth Tips for the Uninitiated - DEV Community 👩💻👨💻
Dancing with OAuth: a step by step guide - DEV Community 👩💻👨💻
OAuth2 for Java Developers: The Basics [Video] - DZone Security
foauth.org: OAuth for one closed due to Trump's policy
foauth
What is OAuth? What security pros need to know | CSO Online
Designing a Secure REST (Web) API without OAuth upload client public key (securely) to server (kind of like passwordless SSH)
React Authentication with Twitter, Google, Facebook and Github
The Complete React Native Guide to User Authentication with the Amplify Framework - DEV Community 👩💻👨💻
lelylan/simple-oauth2: A simple Node.js client library for Oauth2
Episode 376: Justin Richer On API Security with OAuth 2 : Software Engineering Radio
The server pre-registers and gets an API key and secret (configuration secret)
Each mobile app instance registers at run time (dynamic client registration, RFC 7591) and gets its own client ID and secret (run-time secret)
Claims are signed by a third party and can be revoked
OpenID Connect: using OAuth2 to authorize access to identity info
PKCE (RFC 7636): the client sends the hash of a fresh secret (code_challenge) before login and the secret itself (code_verifier) when exchanging the code, so an intercepted authorization code cannot be redeemed by anyone else
OpenID
OAuth 2.0 is designed for authorization (permissions), not authentication (identity); using an access token to fetch the user's profile and treating that as a login is a hack
OpenID Connect is built upon OAuth 2.0 (with the openid and profile scopes) and is designed for authentication
OpenID Foundation website
OpenID Connect | OpenID
Final: OpenID Connect Core 1.0 incorporating errata set 1
RFC 8414 - OAuth 2.0 Authorization Server Metadata OAuth Discovery
OpenID Connect debugger
OpenID Connect Playground ebook
An Illustrated Guide to OAuth and OpenID Connect - YouTube
ID Token and Access Token: What Is the Difference?
ID Tokens vs Access Tokens - Do you know the difference?! - YouTube
OAuth 2.0 and OpenID Connect (in plain English) - YouTube
Okta | Identity for the internet
Home | Okta Developer
Digital Identity and Access Management for Workforce and Consumers
Gluu
Gluu Introduction - YouTube
How to build a world-class identity service with Gluu - YouTube
Security token service - Wikiwand
Open Source OAuth 2.0 and OpenID Connect Server - gethydra.sh
ory/hydra: OpenID Certified™ OpenID Connect & OAuth2 Server (OP, OpenID Provider) - cloud native, security-first, open source API security for your infrastructure. Written in Go. SDKs for any language.
greenpau/caddy-auth-portal: Authentication Plugin for Caddy v2 implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication
casbin/caddy-authz: Caddy-authz is a middleware for Caddy that blocks or allows requests based on access control policies.
casbin/casbin: An authorization library that supports access control models like ACL, RBAC, ABAC in Golang
AppAuth
openid/AppAuth-iOS: iOS and macOS SDK for communicating with OAuth 2.0 and OpenID Connect providers.
openid/AppAuth-Android: Android client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
openid/AppAuth-JS: JavaScript client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
OpenID Connect | OpenID
OpenID Connect — Session Management – Ashen De Silva – Medium
OpenID Connect Backchannel Logout – Ashen De Silva – Medium
OpenID Connect Client with NodeJS Express - Relinns Technologies
Single Sign-On — WorkOS
Add Single Sign-On (SSO) to a Node app in 8 MINUTES - YouTube
In the Wild
Google Identity Platform | Google Developers
OAuth 2.0 Playground
Using OAuth 2.0 to Access Google APIs | Google Identity Platform | Google Developers
Authorizing OAuth Apps - GitHub Docs
Using OAuth 2.0 for Google APIs | 9bit Studios dead?
eBay REST API OAuth2: Plain English Edition – Abe Flansburg – Medium
Implementing an OAuth Server With Node.js and Express | www.thecodebarbarian.com
Passport-Free Facebook Login with Node.js | www.thecodebarbarian.com
GitHub OAuth Login with Node.js | www.thecodebarbarian.com
boo OAuth2
RealtimeConf - “OAuth 2.0 - Looking Back and Moving On” by Eran Hammer on Vimeo
OAuth 2.0 and the Road to Hell – hueniverse
On Leaving OAuth – hueniverse
OAuth Bearer Tokens are a Terrible Idea – hueniverse
OAuth 2.0 (without Signatures) is Bad for the Web – hueniverse
6/25 What's Wrong with OAuth2? | Identiverse 2018 - YouTube
Moving On from OAuth 2? – Justin Richer – Medium
The problem with OAuth for Authentication. | Thread Safe
Logout
Refresh token
Refresh Tokens: When to Use Them and How They Interact with JWTs
Refresh Tokens
Refresh Token Rotation
How to Implement Refresh-Token Functionality (Front-End). | by Ifeanyi Ibekie | The Startup | Medium
Sliding-sessions
Sliding sessions are sessions that expire after a period of inactivity: each user action (API call) issues a fresh access token or pushes the expiry out.
Libraries
prose-gatekeeper · GitHub
passport
hapi-bell
Secure a Spring Microservices Architecture with Spring Security and OAuth 2.0 | Okta Developer
And much more...
XYZ
JWT
JWT is the spec for a non-opaque token: the receiver can verify the signature and read the claims (metadata) without a database query.
JSON Web Token - Wikiwand
RFC 7515 - JSON Web Signature (JWS)
RFC 7516 - JSON Web Encryption (JWE)
RFC 7517 - JSON Web Key (JWK)
RFC 7518 - JSON Web Algorithms (JWA)
RFC 7519 - JSON Web Token (JWT)
RFC 7520 - JOSE Cookbook
JWT = base64url({header}).base64url({claims}).base64url({signature})
JWT, JWS and JWE for Not So Dummies!
dwyl/learn-json-web-tokens
DjangoCon 2014- JSON Web Tokens - YouTube
JWT - JSON Web Token Crash Course (NodeJS & Postgres) - YouTube
JWT attacks | Web Security Academy
Critical flaw alert! Stop using JSON encryption | InfoWorld
Critical Vulnerability Uncovered in JSON Encryption
JSON Web Tokens with Public Key Signatures - miguelgrinberg.com
How to Secure JWT in a Single-Page Application - DEV Community
JSON Web Token Tutorial: Example using AngularJS & Laravel | Toptal JWT primer, comparison with server based authentication
ttkalec/laravel5-angular-jwt: Simple Laravel 5/Angular app that shows how to use the most basic JWT authentication
Authentication with Node.js, JWTs, and Oracle Database | JavaScript and Oracle
Securing node.js RESTful services with JWT Tokens | Richard Astbury's Blog
Use JWT for role based authorization in Golang | Go - YouTube
Casbin · An authorization library that supports access control models like ACL, RBAC, ABAC for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir | Casbin
Basic Role-Based HTTP Authorization in Go with Casbin - zupzup
Casdoor · An Open Source UI-first Identity Access Management (IAM) / Single-Sign-On (SSO) platform supporting OAuth 2.0, OIDC, SAML and CAS | Casdoor · An Open Source UI-first Identity Access Management (IAM) / Single-Sign-On (SSO) platform supporting OAuth 2.0, OIDC, SAML and CAS
JWT Authentication in React. How to Consume and Use JWT tokens | by Ivan Stoev | Mar, 2022 | Level Up Coding access and refresh token on client
nearform/fast-jwt: Fast JSON Web Token implementation
In the Contrary
Stop using JWT for sessions - joepie91's Ramblings
Stop using JWT for sessions, part 2: Why your solution doesn't work - joepie91's Ramblings
Why JWTs Suck as Session Tokens | Okta Developer
JSON Web Tokens Suck - Randall Degges (DevNet Create 2018) - YouTube
Server
```javascript
const crypto = require("crypto");

// base64url (RFC 7515 section 2): URL-safe alphabet, no padding
const base64URLencode = (input) => Buffer.from(input).toString("base64url");

const myHeaders = {
  alg: "HS256", // algorithm (alg) used for the signature: HMAC SHA-256
  typ: "JWT",   // type (typ) of token
};
const myClaims = {
  sub: "tom@stormpath.com",
  name: "Tom Abbott",
  role: "user",
};
const secret = process.env.JWT_SECRET || "replace-with-a-long-random-secret"; // HMAC key shared with the verifier

// header and claims are JSON objects, so serialize before encoding
const header = base64URLencode(JSON.stringify(myHeaders));
const claims = base64URLencode(JSON.stringify(myClaims));
const payload = header + "." + claims; // the signing input
const signature = crypto.createHmac("sha256", secret).update(payload).digest("base64url");
const encodedJWT = payload + "." + signature;
```
netlify/gotrue: An SWT based API for managing users and issuing SWT tokens
jawblia/auth: Template for JWT authentication in a MERN app with protected routes
Videos
MNUG 2014.08.13 - Lightning talk: JWT: JSON Web Token - YouTube
Introduction to JWT (JSON Web Token) - Securing apps & services - YouTube
NodeJS Tutorial | APIs Strike Back: The Rise of JSON Web Tokens - YouTube Demo with Express
JSON Web Token Series - YouTube
Stormpath
Use JWT The Right Way! JWT primer, tips for security
Build Secure User Interfaces Using JSON Web Tokens (JWTs)
So what's the issue with JWTs in localStorage, exactly? : webdev
Where to Store your JWTs - Cookies vs HTML5 Web Storage - Stormpath User Identity API JWT primer, tips for storage and CSURF
Conclusion: store the JWT in an HttpOnly; Secure cookie and add an xsrfToken claim to the JWT for CSRF (csurf) protection.
Scotch
The Anatomy of a JSON Web Token | Scotch
Authenticate a Node.js API with JSON Web Tokens | Scotch
Auth0
Auth0 is the owner of the Node.js jsonwebtoken module.
The Complete Guide to React User Authentication with Auth0
Auth0 React SDK Quickstarts: Login
React and Auth0 - YouTube
How to use Auth0 with Node.js and Express | InfoWorld
Using JSON Web Tokens as API Keys
Blacklisting JSON Web Token API Keys
auth0/node-jsonwebtoken
auth0/nginx-jwt
auth0/jwt-as-api-keys
Authdog
Authdog — Identity & Access Management for Developers
Authdog | Documentation
JWTenizr
JWTenizr | jwtenizr
Json Web Token Generator - JWTenizr.sh 0.0.3 released : Adam Bien's Weblog
LDAP
Lightweight Directory Access Protocol - Wikiwand
OpenLDAP, Main Page
LDAP Linux HOWTO
What are the differences between LDAP and Active Directory? - Stack Overflow
What are the differences between LDAP and Active Directory authentication? - Stack Overflow
RFC 4511 - Lightweight Directory Access Protocol (LDAP): The Protocol
AD/ADAM vs. LDAP (OpenLDAP and others)
Allow external LDAP access to O365 / AzureAD – Customer Feedback for Microsoft Office 365
Active Directory
Active Directory - Wikiwand
Introduction to Active Directory Infrastructure in Windows Server 2012 - YouTube
Introduction to Active Directory Directory Services Structure in Windows Server 2012 - YouTube
Active Directory Security – Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…
Active Directory Deep Dive – Free video tutorials
Active Directory 101 - YouTube
Active Directory and virtualization - YouTube
Active Directory and backup - YouTube
Taming Kerberos - Computerphile - YouTube
CertMike Explains Kerberos - YouTube
Kerberos Authentication Explained | A deep dive - YouTube
Learn Active Directory Kerberoasting - YouTube
JohnHammond/active_directory: Notes and resources for the Active Directory YouTube series on https://youtube.com/JohnHammond010
Hacking Kerberos
get hash and crack offline
Mimikatz
BloodHoundAD/BloodHound: Six Degrees of Domain Admin
CrackMapExec, using PSExec
Password Spray
Invoke-Phant0m kills the Windows Event Log service threads so no events get written
DCSync, DCShadow
NTLM hash* (Pass The Hash attack), LM hash
Generate an NTLM Hash - NTLM Password - Online - Browserling Web Developer Tools
enterprise admin, KRBTGT hash (Golden Ticket; Kerberoasting instead cracks service-account tickets offline), skeleton key, password access key, DSRM
domain admin
local admin
/do
query domain controller
ipconfig /all
nslookup NAME /ip
net accounts /do
net user USER /do
net localgroup administrators
net localgroup administrators /do
net group HQ_Desktop_admin /do
nltest /dclist:astri.local
nltest /server:ASPDC02 /domain_trusts
Oz/Hawk
Auth to See the Wizard – hueniverse
What's Hawk and how to use it?
hapijs/hawk: HTTP Holder-Of-Key Authentication Scheme
mozilla-services/requests-hawk: Hawk authentication strategy for the requests python library.
kumar303/mohawk: Python library for Hawk HTTP authorization
outmoded/oz: Web Authorization Protocol
Self-sovereign identity/SSI
A blockchain can serve as the Public Key Infrastructure (PKI) for SSI, but it is not a necessary condition.
Self-sovereign identity - Wikiwand
Self Sovereign Identity & Decentralized Identity - An Unlimited Guide - 101 Blockchains
What is self-sovereign identity? Definition from WhatIs.com
SSI and Digital wallets
Frontiers of Trust
Trust Over IP - Defining a complete architecture for Internet-scale digital trust
Sovrin Governance Framework - Sovrin
Decentralized Identifiers (DIDs) v1.0 drew formal objections from Google, Apple and Mozilla, citing the proliferation of DID methods (> 150), some requiring a blockchain, with no interoperability between them