Learn the modern identity stack by building it. Nine interactive CLI simulations — step through each protocol as the relying party, making security decisions and triggering failure modes.
Identity specs are fragmented across dozens of RFCs. Tutorials teach the happy path — they don't show what breaks when you skip audience validation, accept an unsigned token, or cache a revoked key. Reading specs tells you what to implement; simulation lets you trigger the failure modes and see why each check exists.
The modern identity stack has five layers. Each layer enforces a distinct security property, and each walkthrough demonstrates one or more:
```text
┌─────────────────────────────────────────────┐
│ 5. Enforcement — CAEP, Shared Signals │ Real-time revocation
├─────────────────────────────────────────────┤
│ 4. Lifecycle — SCIM provisioning │ Timely deprovisioning
├─────────────────────────────────────────────┤
│ 3. Binding — DPoP, sender constraints │ Replay prevention
├─────────────────────────────────────────────┤
│ 2. Grant — OIDC, OAuth2, FAPI 2.0, JWKS │ Scoped authority
├─────────────────────────────────────────────┤
│ 1. Presence — WebAuthn, passkeys, FIDO2 │ Phishing resistance
└─────────────────────────────────────────────┘
```
Each invariant is demonstrated by a specific walkthrough that lets you trigger the violation and observe the consequence.
| Invariant | Demonstrated by | Mechanism |
|---|---|---|
| Authority must not exceed granted scope | 04-oauth2-par | PAR prevents scope tampering; audience validation prevents confused deputy |
| Binding must constrain replay | 02-sender-constraint | DPoP proof binds token to method, URL, and key |
| Presence must be cryptographically verified | 03-webauthn | Origin binding in clientDataJSON prevents phishing |
| Key rotation must maintain integrity | 06-jwks-rotation | Overlapping keys during rotation; kid-based selection |
| Lifecycle events must cascade | 07-scim | DELETE triggers disable → revoke → SET event → downstream kill |
| Revocation must happen in real time | 08-caep | SETs close the JWT revocation gap from minutes to milliseconds |
| Workloads must authenticate without static secrets | 09-workload-identity | Platform-attested OIDC tokens with auto-rotation |
| # | Experiment | Layer |
|---|---|---|
| 1 | OIDC Tokens — JWT verification, audience validation, confused deputy | Grant |
| 2 | Sender Constraint — DPoP, DBSC, bearer vs bound tokens | Binding |
| 3 | WebAuthn — Registration and authentication ceremonies | Presence |
| 4 | OAuth2 + PAR — Authorization code, PKCE, pushed authorization | Grant |
| 5 | Passkeys — Discoverable credentials, backup flags, synced vs device-bound | Presence |
| 6 | JWKS Rotation — Key lifecycle, cache semantics, kid selection | Grant |
| 7 | SCIM — User provisioning, deprovisioning, DELETE cascade | Lifecycle |
| 8 | CAEP — Security Event Tokens, real-time revocation | Enforcement |
| 9 | Workload Identity — Platform-attested tokens, token exchange | Cross-cutting |
CLI simulation vs full stack realism. These walkthroughs simulate protocol flows without a browser, network, or external services. The cost: they don't exercise real HTTP flows or browser behavior. The benefit: they isolate the protocol decisions from infrastructure noise — you can focus on why each check exists, not on how to configure nginx.
```shell
git clone https://github.com/kphutt/identity-lab.git
cd identity-lab/walkthroughs/experiments/01-oidc-tokens
npm install
node run.js
```

Step through with ENTER. Explore failure modes and attack scenarios at each exploration point. Use `node run.js --no-pause` to dump all output at once.
- Node.js 18+
- Nothing else. No browser, no external services, no credentials.
| Spec | What it covers |
|---|---|
| WebAuthn Level 3 | Passkey registration and authentication ceremonies |
| RFC 6749 | OAuth 2.0 Authorization Framework |
| RFC 7519 | JSON Web Token (JWT) |
| RFC 9449 | DPoP — Demonstrating Proof of Possession |
| RFC 7644 | SCIM Protocol |
| OpenID Connect Core | OIDC ID Tokens, claims, flows |
| FAPI 2.0 Security Profile | PAR, sender-constrained tokens, strict security |
MIT