Who is this user, and what are they allowed to do? The moment you hand that question to an identity provider, you stop writing password code and start writing protocol code — OAuth 2.0, OpenID Connect, tokens, federation. The mistakes here are rarely cryptographic; they’re about which token means what, and trusting an assertion you never validated.

Federation & login flows

Principles & traps