Auth & Identity
OAuth, JWT, SSO, Zero-Trust — built right the first time.
Anyone who owns the login surface of a production system.
The login surface is where every breach starts. Session hijacks, JWT alg-none, confused-deputy OAuth flows, MFA bypasses, password reset that resets more than intended. If your product has users, this track is the one that keeps the incident report short.
Auth is the most-attacked and least-loved layer in modern SaaS. The track is structured around the specific failure modes that get companies on the front page of HackerNews — and the single-paragraph fixes that prevent them.
- M-001
Defend against the JWT alg:none attack — pin algorithm, validate claims
The JWT library trusts the algorithm named in the token header. An attacker sets alg:none and forges a token with any role. Pin RS256 server-side, validate iss/aud/exp, and cut token lifetime to 15 min.
⏱️ 10 min · ⚡ 200 XP · 🎯 6 goals
- M-002
Secure session cookies: HttpOnly, Secure, SameSite, __Host-, short Max-Age
An XSS payload reads document.cookie and exfiltrates the session token because the session cookie lacks HttpOnly, Secure and SameSite; CSRF is trivial as well. Set all five attributes from the title.
⏱️ 11 min · ⚡ 220 XP · 🎯 6 goals
- M-003
OAuth2 PKCE: secure public client authorization flow
Your mobile app uses deprecated implicit flow. Migrate to PKCE: responseType=code, code_verifier, code_challenge (SHA-256).
⏱️ 12 min · ⚡ 230 XP · 🎯 5 goals
Concrete outcomes. No lecture notes.
- 01 An OAuth 2.1 + PKCE implementation that resists confused-deputy attacks
- 02 JWT handling that rejects alg=none, key confusion, and replay
- 03 Session management designed for 2026 (cookies vs tokens, sane defaults)
- 04 Passkey/WebAuthn rollout that you can actually enable for real users
- 05 A SAML + OIDC SSO integration that doesn't silently trust the IdP
- 06 Account recovery flows that aren't a backdoor
- 07 Anti-automation defences calibrated to not piss off real users
- 08 Logout that actually logs out (not the half-broken version most libraries ship)
- Teams owning the login surface of a production SaaS
- Security engineers responding to a penetration test finding on auth
- Startups preparing for SOC 2 / ISO 27001
- B2B products adding SSO + SCIM for enterprise customers
Directly addresses SOC 2 CC6, ISO 27001 A.9 (Access Control), NIS2 Article 21 encryption + authentication, and DORA Chapter II ICT risk-management requirements on identity.
Our pen test flagged 6 auth issues. We ran the Auth & Identity track against a staging environment. Five were covered directly. The sixth we fixed before the next pen test. No auditor tears.
Defender III — Auth & Identity
10 missions + a capstone where you audit a deliberately vulnerable auth implementation and ship a remediation PR.
- ✓ W3C Verifiable Credential — Auth & Identity specialisation
- ✓ Reference implementations in Node, Go, Python
- ✓ Early access to the Auth Forensics tool (decodes + grades real-world auth flows)
- ✓ Listing in the public directory (opt-in)
Questions we already got.
Which stack does the track assume?
Node/Go/Python examples for each mission. Pattern is stack-agnostic; code samples are in the most common languages.
Do you cover custom IAM implementations?
We show you when NOT to build custom IAM. For the ~5 % of cases that justify it, the track covers the design pitfalls.
Is Passkey / WebAuthn covered?
Yes — dedicated mission. Includes rollout strategy, fallback flows, and when not to use it.