Logto blog

Discover Logto and explore plenty of resources on authentication, authorization, identity management, open standards (OAuth, OpenID Connect, SAML), and more.

Featured posts

Cover

Changelogs

  • release

Logto product updates

It's time for a new Logto release! This month, we're introducing the new Account API for direct user management, Microsoft EntraID SSO connector enhancements and improved sign-in experience features.

Yijun
Yijun
Developer
Logto product updates

Tech

  • authentication
  • authorization
  • oauth
  • openid-connect
  • oidc
  • application
  • api

Secure cloud-based applications with OAuth 2.0 and OpenID Connect

Secure cloud-based applications with OAuth 2.0 and OpenID Connect

Tutorial

  • custom-ui
  • bring-your-own-ui
  • custom-sign-in
  • custom-auth-flow

Bring your own sign-in UI to Logto Cloud

Bring your own sign-in UI to Logto Cloud

All posts

  • Cover

    Tech

    • jwt
    • authentication
    • session
    • token
    • revoke jwt

    JWT vs Session authentication

    Learn the differences between session-based and JWT authentication. Explore trade-offs, advantages, and use cases to choose the proper authentication scheme for your apps.

    JWT vs Session authentication
  • Cover

    Tech

    • oidc
    • openid connect
    • oauth
    • authentication
    • authorization

    What is OIDC: From why we need it to how it works

    Learn what OIDC is, why it's needed, and how it works. Discover how OIDC extends OAuth 2.0 for authentication, understand its core components including ID Tokens, scopes and userinfo endpoint.

    What is OIDC: From why we need it to how it works
  • Cover

    Tech

    • OIDC
    • SAML
    • SSO
    • authentication
    • authorization

    SAML vs OIDC

    SAML and OIDC are the two most popular authentication protocols used in the SSO industry. This article will compare SAML and OIDC in terms of their architecture, and use cases.

    SAML vs OIDC
  • Cover

    Tech

    • mfa
    • 2fa
    • totp
    • nodejs
    • security
    • authentication
    • authenticator app
    • otplib

    How to implement two-factor authentication (2FA) in Node.js with authenticator apps

    Learn how to implement two-factor authentication (2FA) in Node.js using authenticator apps, TOTP, and the otplib library. This step-by-step guide covers everything from generating QR codes to verifying authentication codes.

    How to implement two-factor authentication (2FA) in Node.js with authenticator apps
  • Cover

    Tech

    • client assertion
    • client assertion type
    • generate client assertion
    • oidc
    • oauth

    What is client assertion in OAuth 2.0 client authentication?

    Introduces what client assertion is and provides a detailed guide on how to generate a client assertion in OAuth 2.0. It also briefly compares client assertion with the traditional client ID and client secret method, offering insights on how to choose the most suitable authentication approach.

    What is client assertion in OAuth 2.0 client authentication?
  • Cover

    Tech

    • saas
    • multi-tenancy
    • postgres
    • row-level security
    • rls
    • trigger function
    • multi-tenant architecture
    • single-tenant architecture

    Multi-tenancy implementation with PostgreSQL: Learn through a simple real-world example

    Learn how to implement multi-tenant architecture with PostgreSQL Row-Level Security (RLS) and database roles through a real-world example for secure data isolation between tenants.

    Multi-tenancy implementation with PostgreSQL: Learn through a simple real-world example
  • Cover

    Tech

    • authz
    • authn
    • concept

    What is AuthZ (Authorization)?

    Explore the definition of AuthZ, AuthN vs AuthZ, how the AuthZ works, and authorization best practices.

    What is AuthZ (Authorization)?
  • Cover

    Tech

    • iam
    • oauth
    • openid-connect
    • saml
    • sso
    • jwt

    Understand IAM, OAuth, OpenID Connect, SAML, SSO, and JWT in one article

    The world of identity and access management (IAM) can feel overwhelming and confusing. But don’t worry - this article will break down the basics of them to help you see the bigger picture and navigate this complex field with confidence.

    Understand IAM, OAuth, OpenID Connect, SAML, SSO, and JWT in one article
  • Cover

    Tech

    • cookie
    • nextjs
    • serverless

    How to fix cookie size exceeded error by splitting cookies

    A solution for cookie size exceeded error: split the cookie into multiple smaller cookies and reconstruct them on the server side. This solution works especially well for serverless platforms without requiring additional infrastructure.

    How to fix cookie size exceeded error by splitting cookies
  • Cover

    Tech

    • OIDC
    • SSO
    • authentication

    OIDC session management

    This article explains how OIDC sessions and user authentication status are managed in the context of interactions between the IdP and SP.

    OIDC session management
  • Cover

    Tech

    • passwordless
    • one-time password
    • otp
    • time-based otp
    • hash-based otp

    How does one-time-password (OTP) work?

    In this article, we will introduced two different one-time password methods: email/phone + verification code and dynamic code.

    How does one-time-password (OTP) work?
  • Cover

    Tech

    • authentication
    • authorization
    • oauth
    • openid-connect
    • oidc
    • application
    • api

    Secure cloud-based applications with OAuth 2.0 and OpenID Connect

    A complete guide for securing your cloud applications with OAuth 2.0 and OpenID Connect and how to offer a great user experience with authentication and authorization.

    Secure cloud-based applications with OAuth 2.0 and OpenID Connect
  • Cover

    Tech

    • SSO
    • SAML
    • IdP-initiated SAML
    • SP-initiated SAML
    • OIDC

    IdP-initiated SSO vs SP-initiated SSO

    Single sign-on (SSO) can be initiated by the service provider (SP) or the identity provider (IdP). What is the difference between IdP-initiated SSO and SP-initiated SSO? What are the risks of SP-initiated SSO?

    IdP-initiated SSO vs SP-initiated SSO
  • Cover

    Tech

    • csrf attack
    • web security
    • cross-site request forgery
    • cookie security
    • same-origin policy
    • csrf prevention
    • SameSite

    Understanding CSRF in depth

    Provides an in-depth exploration of Cross-Site Request Forgery (CSRF) attacks, explaining their mechanics, demonstrating examples, and detailing various prevention methods to enhance web application security.

    Understanding CSRF in depth
  • Cover

    Tech

    • XML
    • HTML
    • SAML
    • data transfer

    What is XML?

    XML is a versatile markup language for structuring and transferring data. It features customizable tags, hierarchical structure, and schema definitions. Unlike HTML, XML focuses on data representation rather than display. It's widely used in various applications, including SSO configurations like Logto's SAML implementation.

    What is XML?
  • Cover

    Tech

    • SAML
    • SSO
    • authentication

    SAML security cheat sheet

    A quick reference guide to the Security Assertion Markup Language (SAML) and its security features. Understand key terms, implementation tips, and best practices for securing SAML-based authentication and authorization in enterprise environments.

    SAML security cheat sheet
  • Cover

    Tech

    • oidc
    • oauth
    • authentication
    • authorization
    • jwt

    The complete guide to integrating an OIDC server into your project

    Learn the best practices of integrating an OIDC (OpenID Connect) server into your project and understand how components interact with each other on the stage.

    The complete guide to integrating an OIDC server into your project
  • Cover

    Tech

    • chatgpt
    • ai
    • prompt
    • i18n

    Long-context JSON translation with ChatGPT

    Learn how to use the latest ChatGPT model and JSON mode to translate a JSON object with long context and stream the output back to JSON.

    Long-context JSON translation with ChatGPT
  • Cover

    Tech

    • oauth 2.0
    • token introspection
    • access token
    • refresh token
    • opaque token

    OAuth 2.0 token introspection

    This article explores OAuth 2.0 token introspection, a method that allows a protected resource to query the authorization server for token metadata, determining whether an access or refresh token is valid.

    OAuth 2.0 token introspection
  • Cover

    Tech

    • remove if-else
    • code optimization
    • clean code
    • interface-oriented programming
    • conditional logic

    3 powerful coding techniques to remove messy conditionals

    Introduces three powerful coding techniques to optimize and simplify complex conditional structures, improving code quality and maintainability.

    3 powerful coding techniques to remove messy conditionals