Show HN: Tesseral – Open-Source Auth
(github.com/tesseral-labs)
Tesseral is open source auth infrastructure for business software (i.e., B2B SaaS).
Tesseral is open source auth infrastructure for business software (i.e., B2B SaaS).
Critical Samlify SSO flaw lets attackers log in as admin
(bleepingcomputer.com)
A critical Samlify authentication bypass vulnerability has been discovered that allows attackers to impersonate admin users by injecting unsigned malicious assertions into legitimately signed SAML responses.
A critical Samlify authentication bypass vulnerability has been discovered that allows attackers to impersonate admin users by injecting unsigned malicious assertions into legitimately signed SAML responses.
Launch HN: Better Auth (YC X25) – Authentication Framework for TypeScript
(ycombinator.com)
Hi HN! We’re Bereket and KinfeMichael of Better Auth (https://www.better-auth.com/), a comprehensive authentication framework for TypeScript that lets you implement everything from simple auth flows to enterprise-grade systems directly on your own database, embedded in your backend.
Hi HN! We’re Bereket and KinfeMichael of Better Auth (https://www.better-auth.com/), a comprehensive authentication framework for TypeScript that lets you implement everything from simple auth flows to enterprise-grade systems directly on your own database, embedded in your backend.
The cryptography behind passkeys
(trailofbits.com)
When most people think of cryptography, the first thing they typically think of is encryption: keeping information confidential. But just as important (if not more) is authenticity: ensuring that information is really coming from an authentic source.
When most people think of cryptography, the first thing they typically think of is encryption: keeping information confidential. But just as important (if not more) is authenticity: ensuring that information is really coming from an authentic source.
Ask HN: Should You Include a Certificate in a SAML AuthnRequest?
(ycombinator.com)
When implementing SAML authentication, one question often arises: Should the Service Provider (SP) include its certificate directly in the <AuthnRequest>?
When implementing SAML authentication, one question often arises: Should the Service Provider (SP) include its certificate directly in the <AuthnRequest>?
The OAuth 2.1 Authorization Framework
(ietf.org)
The OAuth 2.1 authorization framework enables an application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and an authorization service, or by allowing the application to obtain access on its own behalf.
The OAuth 2.1 authorization framework enables an application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and an authorization service, or by allowing the application to obtain access on its own behalf.
Email and password authentication should be a last resort (rant)
(smudge.ai)
Email + password authentication should be a last resort (rant)
Email + password authentication should be a last resort (rant)
Best Practices for User Authentication and Authorization in Web Applications
(securityboulevard.com)
Your authentication system isn't just a door—it's the fortress protecting everything you value. This research paper presents a comprehensive framework for implementing secure authentication and authorization mechanisms in modern web applications. The increasing sophistication of cyber threats necessitates robust security practices for managing user identity and access privileges.
Your authentication system isn't just a door—it's the fortress protecting everything you value. This research paper presents a comprehensive framework for implementing secure authentication and authorization mechanisms in modern web applications. The increasing sophistication of cyber threats necessitates robust security practices for managing user identity and access privileges.
OAuth Explained
(github.com/LukasNiessen)
Let’s say LinkedIn wants to let users import their Google contacts.
Let’s say LinkedIn wants to let users import their Google contacts.
Ask HN: Magic links are bad UX and make people's lives worse. Change my mind
(ycombinator.com)
Click login, get sent an email link that you have to first wait to be delivered (sometimes takes a full minute, sometimes you have to resend the link).<p>Sometimes the link goes to spam, sometimes you have to search for it like a needle in a haystack of other notifications.<p>Sometimes you are not logged into your email on that device, or it's a small screen that makes it a pain.<p>Maybe it's my mother, and she now has to go find where
Click login, get sent an email link that you have to first wait to be delivered (sometimes takes a full minute, sometimes you have to resend the link).<p>Sometimes the link goes to spam, sometimes you have to search for it like a needle in a haystack of other notifications.<p>Sometimes you are not logged into your email on that device, or it's a small screen that makes it a pain.<p>Maybe it's my mother, and she now has to go find where
A Guide to Bearer Tokens: JWT vs. Opaque Tokens
(permit.io)
Bearer tokens play an important role in securing APIs and managing user sessions. Whether you're building a single-page app, a backend-for-frontend API, or a network of microservices, bearer tokens act as the key that grants access to protected resources—without needing to re-authenticate the user on every request.
Bearer tokens play an important role in securing APIs and managing user sessions. Whether you're building a single-page app, a backend-for-frontend API, or a network of microservices, bearer tokens act as the key that grants access to protected resources—without needing to re-authenticate the user on every request.
Behind the 6-digit code: Building HOTP and TOTP from scratch
(dogac.dev)
A while ago, I have started working on authorization and authentication at work. This taught me a lot about how modern authentication systems work. However I have always thought One-Time Password logins are the most mystical ones. A six-digit code that changes every time and can be used to verify your identity. How does the server know the newly generated one, and how is it really secure?
A while ago, I have started working on authorization and authentication at work. This taught me a lot about how modern authentication systems work. However I have always thought One-Time Password logins are the most mystical ones. A six-digit code that changes every time and can be used to verify your identity. How does the server know the newly generated one, and how is it really secure?
Why Login Failures Matter
(fusionauth.io)
When you care about providing great authentication experiences, like us (the few, the proud), there is nothing better than this chart - undeniable proof that our users are successfully logging in.
When you care about providing great authentication experiences, like us (the few, the proud), there is nothing better than this chart - undeniable proof that our users are successfully logging in.
Show HN: An open source OAuth/auth system
(github.com/ValueMelody)
Melody Auth is a user-friendly, robust solution for implementing and hosting your own OAuth and authentication system.
Melody Auth is a user-friendly, robust solution for implementing and hosting your own OAuth and authentication system.
Configure Azure Entra ID as IdP on Keycloak
(ght1pc9kc.fr)
For a new project, I needed to use Keycloak as an Authentication Provider in a Spring Boot WebFlux application. Since the company I work for has a Microsoft Entra ID (formerly Azure Active Directory), the ideal solution was to connect Entra ID as an Identity Provider in Keycloak using OpenID Connect.
For a new project, I needed to use Keycloak as an Authentication Provider in a Spring Boot WebFlux application. Since the company I work for has a Microsoft Entra ID (formerly Azure Active Directory), the ideal solution was to connect Entra ID as an Identity Provider in Keycloak using OpenID Connect.
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
(github.blog)
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user.
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user.
SAMLStorm: Critical Authentication Bypass in XML-crypto and Node.js libraries
(workos.com)
On Tuesday, March 4, 2025, WorkOS received a critical security report from researcher Alexander Tan (ahacker1) detailing a zero-day vulnerability in the widely used xml-crypto and SAML libraries in the Node.js ecosystem. This flaw allows attackers to forge SAML authentication responses, potentially granting unauthorized access to any user account in affected applications—including admin accounts—without any user interaction. If exploited, this vulnerability could enable full account takeovers across organizations relying on SAML-based single sign-on (SSO).
On Tuesday, March 4, 2025, WorkOS received a critical security report from researcher Alexander Tan (ahacker1) detailing a zero-day vulnerability in the widely used xml-crypto and SAML libraries in the Node.js ecosystem. This flaw allows attackers to forge SAML authentication responses, potentially granting unauthorized access to any user account in affected applications—including admin accounts—without any user interaction. If exploited, this vulnerability could enable full account takeovers across organizations relying on SAML-based single sign-on (SSO).
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
(github.blog)
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user.
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user.
Show HN: Torii – a framework agnostic authentication library for Rust
(github.com/cmackenzie1)
Torii is a powerful authentication framework for Rust applications that gives you complete control over your users' data.
Torii is a powerful authentication framework for Rust applications that gives you complete control over your users' data.
A Comprehensive Formal Security Analysis of OAuth 2.0
(arxiv.org)
The OAuth 2.0 protocol is one of the most widely deployed authorization/single sign-on (SSO) protocols and also serves as the foundation for the new SSO standard OpenID Connect.
The OAuth 2.0 protocol is one of the most widely deployed authorization/single sign-on (SSO) protocols and also serves as the foundation for the new SSO standard OpenID Connect.
Google to Ditch SMS Code Authentication for Billions of Users
(forbes.com)
It is certainly no secret that using SMS text messages for security codes used to authenticate your identity is far from ideal.
It is certainly no secret that using SMS text messages for security codes used to authenticate your identity is far from ideal.
OwnCloud Infinite Scale with OpenID Connect Authentication
(helgeklein.com)
This article explains how to set up ownCloud Infinity Scale with OpenID Connect authentication to Authelia or authentik.
This article explains how to set up ownCloud Infinity Scale with OpenID Connect authentication to Authelia or authentik.
The least secure TOTP code possible
(shkspr.mobi)
If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP0).
If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP0).
Untangling AI Agent authn/authz
(venturebeat.com)
AI agents are set to change ID authorization: As they integrate behind the scenes, they will need to move seamlessly between different apps on our behalf, and not get continually halted by login screens, lest they become cumbersome.
AI agents are set to change ID authorization: As they integrate behind the scenes, they will need to move seamlessly between different apps on our behalf, and not get continually halted by login screens, lest they become cumbersome.
How you should respond to authentication failures isn't universal
(utoronto.ca)
A discussion broke out in the comments on my entry on how everything should be able to ratelimit authentication failures, and one thing that came up was the standard advice that when authentication fails, the service shouldn't give you any indication of why.
A discussion broke out in the comments on my entry on how everything should be able to ratelimit authentication failures, and one thing that came up was the standard advice that when authentication fails, the service shouldn't give you any indication of why.
Pairwise TOTP Authentication of Humans
(schneier.com)
Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations.
Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations.
Show HN: Hanko – Open-Source Auth and User Management for the Passkey Era
(hanko.io)
Quickly integrate Hanko’s embeddable components and APIs to get a secure and modern login for your app. From passwords all the way to passkeys, 2FA, and SSO. Finally an auth solution that scales – without breaking the bank. And it’s open source.
Quickly integrate Hanko’s embeddable components and APIs to get a secure and modern login for your app. From passwords all the way to passkeys, 2FA, and SSO. Finally an auth solution that scales – without breaking the bank. And it’s open source.
Bad Smart Watch Authentication
(sprocketfox.io)
When I originally paired the device I scanned a QR code on the watch. Turns out this probably just had the mac address on it or something because after several hours of getting device info and pulling activity data I realised that I had never performed any authentication step. Resetting the app and repairing also revealed that there's no pairing code. Nothing. The device isn't locked or secured once connected.
When I originally paired the device I scanned a QR code on the watch. Turns out this probably just had the mac address on it or something because after several hours of getting device info and pulling activity data I realised that I had never performed any authentication step. Resetting the app and repairing also revealed that there's no pairing code. Nothing. The device isn't locked or secured once connected.