Logto blog

Discover Logto and explore plenty of resources on authentication, authorization, identity management, open standards (OAuth, OpenID Connect, SAML), and more.

Featured posts

Cover

Changelogs

  • release

Logto product updates

It's time for a new Logto release! This update brings customizable MFA prompt policies, relaxed redirect URI restrictions for better real-world application support, and new social and SMS connectors contributed by our community.

Yijun
Yijun
Developer
Logto product updates

Tech

  • authentication
  • authorization
  • oauth
  • openid-connect
  • oidc
  • application
  • api

Secure cloud-based applications with OAuth 2.0 and OpenID Connect

Secure cloud-based applications with OAuth 2.0 and OpenID Connect

Tutorial

    Bring your own sign-in UI to Logto Cloud

    Bring your own sign-in UI to Logto Cloud

    All posts

    • Cover

      Tech

      • 401
      • 403
      • http status code
      • authorization
      • authentication

      HTTP status code 401 or 403? How authentication and authorization errors differ

      401 Unauthorized indicates the client is not authenticated, requiring valid credentials. 403 Forbidden signifies the client is authenticated but lacks the necessary permissions to access the resource.

      HTTP status code 401 or 403? How authentication and authorization errors differ
    • Cover

      Tech

      • SSO
      • IdP
      • SAML
      • Enterprise SSO
      • OIDC

      SSO vs SAML, explained for everyone

      SSO, SAML are often used vaguely and can be interpreted in different ways. In this article, we’ll clarify these concepts, explain how they relate to each other, and provide real examples to make them easier to understand.

      SSO vs SAML, explained for everyone
    • Cover

      Tech

      • OTP
      • TOTP
      • MFA
      • HOTP
      • one-time password

      What is one-time password (OTP)?

      What is OTP? What is the difference between OTP and TOTP? How does OTP work? This article breaks down the basic concepts of OTP and why it is more preferred than static passwords.

      What is one-time password (OTP)?
    • Cover

      Tech

      • security
      • encryption
      • jws
      • asymmetric
      • ec
      • rsa
      • public key
      • private key
      • token
      • signing jwt

      JWT signing algorithms overview

      Explore JSON Web Token (JWT) signing algorithms, covering two of the most popular asymmetric encryption approaches: RSA and EC. Learn about the pros and cons of each algorithm and how Logto uses them to secure your JWT tokens.

      JWT signing algorithms overview
    • Cover

      Tech

      • jwt
      • authentication
      • session
      • token
      • revoke jwt

      JWT vs Session authentication

      Learn the differences between session-based and JWT authentication. Explore trade-offs, advantages, and use cases to choose the proper authentication scheme for your apps.

      JWT vs Session authentication
    • Cover

      Tech

      • oidc
      • openid connect
      • oauth
      • authentication
      • authorization

      What is OIDC: From why we need it to how it works

      Learn what OIDC is, why it's needed, and how it works. Discover how OIDC extends OAuth 2.0 for authentication, understand its core components including ID Tokens, scopes and userinfo endpoint.

      What is OIDC: From why we need it to how it works
    • Cover

      Tech

      • OIDC
      • SAML
      • SSO
      • authentication
      • authorization

      SAML vs OIDC

      SAML and OIDC are the two most popular authentication protocols used in the SSO industry. This article will compare SAML and OIDC in terms of their architecture, and use cases.

      SAML vs OIDC
    • Cover

      Tech

      • mfa
      • 2fa
      • totp
      • nodejs
      • security
      • authentication
      • authenticator app
      • otplib

      How to implement two-factor authentication (2FA) in Node.js with authenticator apps

      Learn how to implement two-factor authentication (2FA) in Node.js using authenticator apps, TOTP, and the otplib library. This step-by-step guide covers everything from generating QR codes to verifying authentication codes.

      How to implement two-factor authentication (2FA) in Node.js with authenticator apps
    • Cover

      Tech

      • client assertion
      • client assertion type
      • generate client assertion
      • oidc
      • oauth

      What is client assertion in OAuth 2.0 client authentication?

      Introduces what client assertion is and provides a detailed guide on how to generate a client assertion in OAuth 2.0. It also briefly compares client assertion with the traditional client ID and client secret method, offering insights on how to choose the most suitable authentication approach.

      What is client assertion in OAuth 2.0 client authentication?
    • Cover

      Tech

      • saas
      • multi-tenancy
      • postgres
      • row-level security
      • rls
      • trigger function
      • multi-tenant architecture
      • single-tenant architecture

      Multi-tenancy implementation with PostgreSQL: Learn through a simple real-world example

      Learn how to implement multi-tenant architecture with PostgreSQL Row-Level Security (RLS) and database roles through a real-world example for secure data isolation between tenants.

      Multi-tenancy implementation with PostgreSQL: Learn through a simple real-world example
    • Cover

      Tech

      • authz
      • authn
      • concept

      What is AuthZ (Authorization)?

      Explore the definition of AuthZ, AuthN vs AuthZ, how the AuthZ works, and authorization best practices.

      What is AuthZ (Authorization)?
    • Cover

      Tech

      • iam
      • oauth
      • openid-connect
      • saml
      • sso
      • jwt

      Understand IAM, OAuth, OpenID Connect, SAML, SSO, and JWT in one article

      The world of identity and access management (IAM) can feel overwhelming and confusing. But don’t worry - this article will break down the basics of them to help you see the bigger picture and navigate this complex field with confidence.

      Understand IAM, OAuth, OpenID Connect, SAML, SSO, and JWT in one article
    • Cover

      Tech

      • cookie
      • nextjs
      • serverless

      How to fix cookie size exceeded error by splitting cookies

      A solution for cookie size exceeded error: split the cookie into multiple smaller cookies and reconstruct them on the server side. This solution works especially well for serverless platforms without requiring additional infrastructure.

      How to fix cookie size exceeded error by splitting cookies
    • Cover

      Tech

      • OIDC
      • SSO
      • authentication

      Implementing OIDC logout and session management: A complete guide

      Explore OIDC authentication and session management in depth. Learn how to implement OIDC RP-initiated, IdP-initiated, and back-channel logout for secure session handling.

      Implementing OIDC logout and session management: A complete guide
    • Cover

      Tech

      • passwordless
      • one-time password
      • otp
      • time-based otp
      • hash-based otp

      How does one-time-password (OTP) work?

      In this article, we will introduced two different one-time password methods: email/phone + verification code and dynamic code.

      How does one-time-password (OTP) work?
    • Cover

      Tech

      • authentication
      • authorization
      • oauth
      • openid-connect
      • oidc
      • application
      • api

      Secure cloud-based applications with OAuth 2.0 and OpenID Connect

      A complete guide for securing your cloud applications with OAuth 2.0 and OpenID Connect and how to offer a great user experience with authentication and authorization.

      Secure cloud-based applications with OAuth 2.0 and OpenID Connect
    • Cover

      Tech

      • SSO
      • SAML
      • IdP-initiated SAML
      • SP-initiated SAML
      • OIDC

      IdP-initiated SSO vs SP-initiated SSO

      Single sign-on (SSO) can be initiated by the service provider (SP) or the identity provider (IdP). What is the difference between IdP-initiated SSO and SP-initiated SSO? What are the risks of SP-initiated SSO?

      IdP-initiated SSO vs SP-initiated SSO
    • Cover

      Tech

      • csrf attack
      • web security
      • cross-site request forgery
      • cookie security
      • same-origin policy
      • csrf prevention
      • SameSite

      Understanding CSRF in depth

      Provides an in-depth exploration of Cross-Site Request Forgery (CSRF) attacks, explaining their mechanics, demonstrating examples, and detailing various prevention methods to enhance web application security.

      Understanding CSRF in depth
    • Cover

      Tech

      • XML
      • HTML
      • SAML
      • data transfer

      What is XML?

      XML is a versatile markup language for structuring and transferring data. It features customizable tags, hierarchical structure, and schema definitions. Unlike HTML, XML focuses on data representation rather than display. It's widely used in various applications, including SSO configurations like Logto's SAML implementation.

      What is XML?
    • Cover

      Tech

      • oidc
      • oauth
      • authentication
      • authorization
      • jwt

      The complete guide to integrating an OIDC server into your project

      Learn the best practices of integrating an OIDC (OpenID Connect) server into your project and understand how components interact with each other on the stage.

      The complete guide to integrating an OIDC server into your project