OpenID: Modern Identity for Developers and Architects — A 22-Part Blog Series

This post introduces a chapter-by-chapter blog series based on my book OpenID: Modern Identity for Developers and Architects. Over the next 22 days, one post per chapter will walk through the core ideas of the book — enough to change how you think about identity, while leaving the detailed implementation material in the book itself.

Why I Wrote This Book

Identity is the one system every application depends on, and the one most teams get wrong in ways they only discover after shipping. Passwords were never the real problem; the real problem is that authentication (who is this?) and authorization (what can they do?) are different systems with different failure modes, and the industry spent a decade conflating them into the same protocol.

This book is my attempt to organize everything I've learned about modern identity into a single coherent path: from the foundations of OpenID Connect through token engineering, SPA and mobile patterns, enterprise SSO, threat modeling, financial-grade security, passwordless, decentralized credentials, and — at the frontier — identity for AI agents.

Who This Series Is For

Developers who have wired up "Sign in with Google" and suspect they're missing something. Architects who need to choose between SAML, OAuth 2.0, and OpenID Connect for a new system. Security engineers who've inherited an identity stack and want a mental model for auditing it. CTOs who need to know enough to make the build-vs-buy call honestly. The series won't teach you every line of code; it will teach you the mental models that make the code make sense.

Part I — Foundations of Digital Identity

The opening three chapters establish why identity is fundamentally hard, how the industry got to OpenID Connect, and the vocabulary you'll need to read the rest of the book.

• Chapter 1 — Why Identity Is Hard — Identity is a trust problem first and a technology problem second. The password era's mental model is still contaminating modern architectures, and authentication and authorization are different systems that teams keep treating as one.
• Chapter 2 — From OpenID to OpenID Connect — How the original OpenID, SAML, and OAuth 2.0 each failed to carry the modern web, and why OIDC became the standard that quietly took over the internet.
• Chapter 3 — Core Concepts — The IdP / RP / user triangle, claims, the three OIDC token types, consent and scopes, sessions vs. tokens, and the boundary of responsibility.

Part II — OpenID Connect Explained

Three chapters on the wire-level mechanics: the flows, the tokens, and the discovery machinery that lets everything interoperate.

• Chapter 4 — Protocol Overview and Flows — Authorization Code + PKCE, Client Credentials, CIBA and Device Flow, and why Implicit and Hybrid are deprecated.
• Chapter 5 — Tokens in Depth — ID Tokens, Access Tokens, Refresh Tokens, JWT structure (JWS and JWE), signature validation, and token binding via DPoP and mTLS.
• Chapter 6 — Discovery and Metadata — .well-known/openid-configuration, provider metadata, JWKS, and Dynamic Client Registration.

Part III — Practical Implementation

Hands-on patterns for the three dominant client types on the modern web.

• Chapter 7 — Your First OpenID Application — A minimal, correct login end to end: state and nonce, exact redirect matching, sessions from tokens, and the three flavors of logout.
• Chapter 8 — Securing Backend APIs — Bearer tokens done right, scope design for least privilege, token introspection, and service-to-service auth.
• Chapter 9 — SPA and Mobile Patterns — Auth in hostile environments: PKCE, the BFF pattern, native app patterns, and refresh token rotation with reuse detection.

Part IV — Enterprise Identity Architecture

Identity at organizational scale, where the problem shifts from "how do users log in" to "how do we run identity as infrastructure."

• Chapter 10 — Single Sign-On at Scale — Corporate IdPs, the CIAM vendor ecosystem, multi-tenant design, account linking, and external user access.
• Chapter 11 — MFA and Conditional Access — MFA factors, risk-based authentication, step-up flows, and using acr/amr claims deliberately.
• Chapter 12 — User Lifecycle Management — JIT and bulk provisioning, SCIM, the de-provisioning problem, role mapping, and identity architecture for multi-tenant SaaS.

Part V — Security Engineering

Four chapters on thinking like the attacker and then engineering the defenses.

• Chapter 13 — Threat Modeling OpenID Systems — Token theft, replay attacks, CSRF on the state parameter, redirect abuse, and mix-up attacks.
• Chapter 14 — Hardening Your Identity Stack — Exact redirect matching, audience validation, token lifetime tuning, and refresh token binding, rotation, and revocation.
• Chapter 15 — FAPI and High-Stakes Security — Financial-grade API profiles, PAR, JAR, and the migration from FAPI 1.0 Advanced to FAPI 2.0.
• Chapter 16 — Zero Trust Identity — Identity as the perimeter, continuous verification via CAEP, and device trust feeding into authorization decisions.

Part VI — Advanced Topics

Federation, claim design, and the operational layer that keeps identity systems running.

• Chapter 17 — Federation Between Organizations — B2B identity, partner federation with metadata and claim mapping, and trust chains.
• Chapter 18 — Claims Design and Privacy — Custom claims, attribute mapping, and privacy by design (minimization, selective disclosure, pairwise identifiers, GDPR).
• Chapter 19 — Observability and Operations — Structured authentication logging, distributed tracing, and immutable audit trails.

Part VII — The Future of Identity

Three chapters on where identity is heading: passwordless, decentralized, and — most importantly — identity for AI agents.

• Chapter 20 — Passwordless Authentication — Passkeys, WebAuthn, and the FIDO2 ecosystem.
• Chapter 21 — Decentralized Identity — DIDs, Verifiable Credentials, and OpenID for Verifiable Credentials (OID4VC).
• Chapter 22 — Identity in AI Systems — LLM authentication, the Model Context Protocol, DCR for ephemeral agents, and trust in autonomous services.

The Thesis of the Book, in One Sentence

Identity failures rarely happen because someone broke the crypto. They happen because someone misplaced trust.

Everything in these 22 chapters is an argument for designing identity systems with that sentence in mind — and for giving yourself and your team the mental models to see trust decisions clearly before they become incidents.

The series begins tomorrow with Chapter 1 — Why Identity Is Hard. Follow along one post at a time, or — if you'd rather have the whole thing at once — grab the book below.