Auth Provider Catalog — OAuth, OIDC, SAML, Identity Management
This Tier 3 family-index note is the canonical map of the identity-and-access landscape: the standards (OAuth 2.0, OIDC, SAML, SCIM, WebAuthn, FIDO2, JWT, mTLS), the cloud-native and enterprise IdPs (Auth0, Okta, Entra ID, Ping, ForgeRock, SailPoint), the developer-focused B2C and B2B SaaS players (Clerk, WorkOS, Stytch, Supabase Auth, Firebase Auth, Cloudflare Access), the authorization layer that sits on top (RBAC / ABAC / ReBAC, OPA, Cedar, SpiceDB, OpenFGA), and the security-incident history that shaped current defaults.
Protocols and standards
OAuth 2.0
- RFC 6749 (October 2012, Dick Hardt ed.) — the OAuth 2.0 authorization framework. Not authentication on its own; it’s a delegation framework where a resource owner grants a client limited access to a resource server via an authorization server issuing access tokens.
- Token types: access token (short-lived, opaque or JWT), refresh token (long-lived, used to mint new access tokens), ID token (OIDC-specific JWT carrying identity claims).
- Grant types (flows):
- Authorization Code + PKCE (RFC 7636 defines PKCE; RFC 8252 makes it the baseline for native apps) — the recommended default for both web and native apps. PKCE (Proof Key for Code Exchange) protects against authorization-code interception: the client sends a hash of a fresh secret with the authorization request and must present the secret itself at the token endpoint, so a stolen code is useless on its own.
- Client Credentials — service-to-service (machine identity), no user.
- Device Code (RFC 8628) — for input-constrained devices (TVs, CLI tools).
- Refresh Token — exchange a refresh token for a new access token without user interaction.
- Implicit — deprecated; OAuth 2.1 (in draft, Aaron Parecki et al.) removes it formally.
- Resource Owner Password Credentials (ROPC / password grant) — deprecated; only for legacy migration.
- Newer extensions worth knowing:
- RFC 9126 PAR (Pushed Authorization Requests) — pushes auth-request parameters server-side to avoid leaking them via the front channel.
- RFC 9449 DPoP (Demonstrating Proof-of-Possession) — sender-constrained tokens; binds an access token to a key the client holds.
- RFC 9396 RAR (Rich Authorization Requests) — fine-grained authorization details (e.g. open-banking-style “transfer up to $500 from account X”).
- OAuth 2.1 — consolidation draft that bakes PKCE in by default, removes Implicit + ROPC, and tightens redirect URI rules.
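The PKCE half of the Authorization Code flow, as an added example (not code from any of the vendors or RFCs listed above): a client derives the S256 challenge, a toy authorization server binds it to the issued code, and the token endpoint recomputes it from the verifier. The server class, the redirect URI and the `pkce_flow` driver are hypothetical; the challenge derivation is exactly the RFC 7636 S256 method and is checked against the RFC's own Appendix B test vector.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 section 4.1 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636: 43-128 characters from the unreserved set; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical toy AS: stores the challenge with the issued code and re-checks it at the token endpoint."""

    def __init__(self):
        self._codes = {}  # code -> (code_challenge, redirect_uri)

    def authorize(self, code_challenge: str, code_challenge_method: str, redirect_uri: str) -> str:
        # OAuth 2.1 requires PKCE; 'plain' gives an interceptor the verifier for free, so only S256 is accepted.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (code_challenge, redirect_uri)
        return code

    def token(self, code: str, code_verifier: str, redirect_uri: str):
        entry = self._codes.pop(code, None)  # single use: a replayed code fails here
        if entry is None:
            return None
        challenge, stored_redirect = entry
        if redirect_uri != stored_redirect or not 43 <= len(code_verifier) <= 128:
            return None
        # constant-time compare of the recomputed challenge with the one bound to the code
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def pkce_flow(server: AuthorizationServer, code_intercepted: bool = False):
    """Client side of the flow. With code_intercepted=True the token request is made by an attacker
    who captured the code and redirect URI (e.g. a malicious app registered for the same custom URI
    scheme) but never saw the verifier, which is the attack PKCE exists to stop."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    redirect_uri = "https://app.example/callback"  # hypothetical client
    code = server.authorize(challenge, "S256", redirect_uri)
    presented_verifier = make_code_verifier() if code_intercepted else verifier
    return server.token(code, presented_verifier, redirect_uri)
```

The three checks at the token endpoint (code is single-use, redirect URI matches, verifier hashes to the stored challenge) are the ones a real AS performs; the interceptor case returns no token because the code alone cannot satisfy the third.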
OpenID Connect (OIDC)
- Identity layer on top of OAuth 2.0; published Feb 2014 by the OpenID Foundation.
- The ID Token is a JWT carrying identity claims (sub, iss, aud, exp, name, email, etc.); the access token is still OAuth’s.
- Userinfo endpoint returns claims about the authenticated user.
- Discovery via
/.well-known/openid-configurationJSON document advertising endpoints + supported algorithms + signing keys. - OIDC Federation (2024 spec progress) — multi-IdP trust chains for academic + government deployments.
- OIDC4VC / SIOPv2 / OIDC4VP — verifiable-credentials extensions; SIOPv2 (Self-Issued OpenID Provider v2) lets a wallet act as an IdP.
SAML 2.0
- OASIS standard ratified March 2005; XML-based.
- The default protocol for enterprise SSO: Okta, Entra ID, Ping, OneLogin, and most workforce IdPs still default to SAML for legacy B2B SaaS integrations.
- Two initiation flows: SP-initiated (user starts at the SaaS, gets redirected to IdP) vs IdP-initiated (user starts at the IdP portal, clicks app tile).
- Bindings: HTTP POST (the Response and its assertion in an auto-submitted form), HTTP Redirect (a DEFLATE-compressed message in a 302 query string; in practice used for AuthnRequests and logout messages rather than for assertions), Artifact (a short reference travels the front channel; the assertion itself is fetched over a back-channel SOAP call).
- Security pitfalls: XML signature wrapping (an unsigned assertion placed where a naive parser reads it while the signed one still validates), replay of a captured assertion, audience-restriction mismatch, and parser differentials between the XML library that verifies the signature and the one that extracts the assertion. Modern libraries (python3-saml, ruby-saml after its 2024 and 2025 signature-bypass fixes, saml2-js) have largely closed these, but vintage stacks remain risky; the SP should still check Conditions, Audience, SubjectConfirmationData and InResponseTo itself rather than rely on the library alone.
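The post-signature checks mentioned above, as an added example rather than code from any library named on this page: a validator that runs the replay, audience, recipient, time-window and InResponseTo checks over a constructed minimal SAML Response. The entity IDs, ACS URL and sample assertion are invented; signature verification (xmlsec) is assumed to have already passed and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample: a minimal bearer assertion as an IdP would return it (Signature elements omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2026-01-15T10:00:00Z" InResponseTo="_req42" Destination="https://sp.example/acs">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-01-15T10:00:00Z">
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2026-01-15T10:05:00Z"
            Recipient="https://sp.example/acs" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-01-15T09:59:00Z" NotOnOrAfter="2026-01-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    """Checks an SP must run on a bearer assertion after the XML signature has been verified."""

    def __init__(self, sp_entity_id, acs_url, idp_entity_id, skew=timedelta(seconds=60), allow_idp_initiated=False):
        self.sp_entity_id, self.acs_url, self.idp_entity_id = sp_entity_id, acs_url, idp_entity_id
        self.skew = skew
        self.allow_idp_initiated = allow_idp_initiated
        self.outstanding_requests = set()  # AuthnRequest IDs we issued and have not yet consumed
        self.seen_assertion_ids = set()    # replay cache; production keeps entries until NotOnOrAfter

    def validate(self, response_xml: str, now):
        now = _ts(now) if isinstance(now, str) else now
        root = ET.fromstring(response_xml)  # production: parse with defusedxml to block entity expansion
        if root.tag != f"{{{NS['samlp']}}}Response":
            return False, "not a samlp:Response"
        # Only direct children count, so an assertion smuggled elsewhere in the tree (signature wrapping)
        # is never read, and more than one assertion is refused outright.
        assertions = root.findall("saml:Assertion", NS)
        if len(assertions) != 1:
            return False, f"expected exactly one assertion, got {len(assertions)}"
        a = assertions[0]
        if a.findtext("saml:Issuer", default="", namespaces=NS) != self.idp_entity_id:
            return False, "unexpected issuer"
        aid = a.get("ID")
        if not aid or aid in self.seen_assertion_ids:
            return False, "replayed or missing assertion ID"
        cond = a.find("saml:Conditions", NS)
        if cond is None:
            return False, "missing Conditions"
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + self.skew < _ts(not_before):
            return False, "assertion not yet valid"
        if not_on_or_after and now - self.skew >= _ts(not_on_or_after):
            return False, "assertion expired"
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.sp_entity_id not in audiences:
            return False, "audience mismatch"
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != self.acs_url:
            return False, "bearer confirmation recipient mismatch"
        if scd.get("NotOnOrAfter") and now - self.skew >= _ts(scd.get("NotOnOrAfter")):
            return False, "bearer confirmation expired"
        in_response_to = scd.get("InResponseTo")
        if in_response_to is None:
            if not self.allow_idp_initiated:
                return False, "unsolicited (IdP-initiated) response not allowed"
        elif in_response_to not in self.outstanding_requests:
            return False, "InResponseTo does not match an outstanding AuthnRequest"
        else:
            self.outstanding_requests.discard(in_response_to)
        self.seen_assertion_ids.add(aid)
        return True, a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
```

The ordering matters: the assertion ID is checked before anything else that could be attacker-influenced, and the outstanding-request ID is consumed only once every other check has passed, so a rejected response does not burn a legitimate pending login.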
SCIM 2.0
- RFC 7644 (Sept 2015) — System for Cross-domain Identity Management; REST/JSON over HTTPS.
- Standardizes user + group provisioning + deprovisioning between IdP and SaaS. Replacing the older custom-API approach to user lifecycle (“just-in-time” provisioning via SAML attributes was the prior workaround).
- Most major B2B SaaS now expose SCIM endpoints; WorkOS and Okta market SCIM-as-a-service heavily.
WebAuthn / FIDO2
- W3C Recommendation (Mar 2019); developed jointly with the FIDO Alliance.
- Browser-side API for public-key authentication. The companion CTAP2 spec is the protocol between the browser/OS and an external authenticator (USB / NFC / BLE).
- Passkeys = WebAuthn credentials that sync across devices via cloud (iCloud Keychain, Google Password Manager, 1Password, Bitwarden, Dashlane). The 2022–2023 mainstreaming of passkeys by Apple (iOS 16 Sept 2022), Google (Chrome / Android May 2023), and Microsoft (Windows 11 May 2023) is the single biggest passwordless adoption push to date.
- Platform authenticators — built into the device (Touch ID, Face ID, Windows Hello biometric, Android fingerprint).
- Roaming / hardware authenticators — YubiKey (Yubico), Google Titan, Feitian, SoloKeys, GoTrust, OnlyKey.
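Why WebAuthn credentials are phishing-resistant, shown as an added example (not code from the W3C spec or any authenticator vendor): the browser writes the origin it is actually on into `clientDataJSON`, the authenticator writes `SHA-256(rpId)` into `authenticatorData`, and both are covered by the signature, so the relying party rejects an assertion produced on a look-alike domain. `build_assertion` is a constructed stand-in for what `navigator.credentials.get()` returns; the RP ID and origin are hypothetical, and the final signature check with the stored public key is described in a comment rather than implemented.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                 # hypothetical relying party
EXPECTED_ORIGIN = "https://example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID, user_verified: bool = True):
    """Constructed authenticator output: clientDataJSON (written by the browser) and the first
    37 bytes of authenticatorData (rpIdHash, flags, signature counter; written by the authenticator)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode("utf-8")
    flags = 0x01 | (0x04 if user_verified else 0x00)   # bit 0 = user present, bit 2 = user verified
    sign_count = 7
    auth_data = hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return client_data, auth_data


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN, require_uv: bool = True):
    """The relying party's checks from the WebAuthn spec, in order; returns (ok, reason)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge"                      # stale or attacker-chosen challenge
    if client_data.get("origin") != expected_origin:
        return False, "origin"                         # the phishing case: signed data names the wrong origin
    if len(auth_data) < 37:
        return False, "authData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rpIdHash"                       # credential scoped to a different RP ID
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "UP"
    if require_uv and not flags & 0x04:
        return False, "UV"
    # Remaining step, not shown here: verify the signature over authData || SHA-256(clientDataJSON)
    # with the public key stored at registration, and check the sign counter has not gone backwards.
    return True, "ok"
```

In practice a browser on the look-alike domain would refuse to produce the assertion at all, because the credential's RP ID does not match that origin; the server-side origin check is defense in depth against a tampered or replayed client.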
MFA second factors
- TOTP — RFC 6238 (May 2011); time-based one-time passwords (HOTP with the counter derived from Unix time, 30-second steps by default); standard implementation in Google Authenticator (2010), Microsoft Authenticator, Authy (Twilio; the desktop apps were sunset in Aug 2024, the mobile apps continue), 1Password’s built-in OTP, Bitwarden Authenticator (2024), Ente Auth (open source), 2FAS.
- HOTP — RFC 4226 (Dec 2005); counter-based; mostly used by hardware tokens.
- SMS OTP — NIST SP 800-63B (June 2017) placed out-of-band authentication over the PSTN (SMS and voice) in RESTRICTED status rather than banning it outright: agencies may use it only with a documented risk assessment and a migration plan. It remains widely used for B2C account recovery despite SIM-swap attacks.
- Push notifications — Duo Push, Okta Verify, Microsoft Authenticator push, Auth0 Guardian. Vulnerable to push-bombing / MFA fatigue unless number matching is enforced (a Lapsus$ technique described in Microsoft’s March 2022 write-up of the group’s intrusions).
- Hardware FIDO2 keys — YubiKey 5 NFC / Series 5 / 5C NFC / Bio, Google Titan, Feitian K9 / K40. The highest-assurance commercial second factor; phishing-resistant because the browser scopes each credential to an RP ID and signs the origin into the client data, so a look-alike domain cannot obtain a usable assertion.
JWT, JWS, JWE, JWK
- RFC 7519 (May 2015) — JSON Web Token, a compact claims representation. Used as the carrier format for OIDC ID tokens and most modern access tokens.
- JWS (RFC 7515) — signing format (HMAC, RSA, ECDSA, EdDSA).
- JWE (RFC 7516) — encryption.
- JWK (RFC 7517) — JSON Web Key format; the `jwks_uri` endpoint publishes public keys for signature verification.
- Common pitfalls:
- `alg: none` confusion — old libraries accepted “none” as a signature alg, letting attackers forge tokens. Fixed in all major libs but worth checking.
- RS256 vs HS256 confusion — an HS256 JWT signed with what’s actually the RSA public key still validates if the library trusts the client-provided `alg` and feeds whatever key material it has configured into HMAC. The CVE catalog has many of these; the fix is to pin the expected algorithm server-side and never dispatch on the header.
- No built-in revocation — JWTs are stateless; if you need to revoke before expiry you need an out-of-band block-list or short token lifetimes + refresh-token rotation.
- Token bloat — JWTs with many claims can balloon to 4+ KB; affects header limits in some proxies.
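The two algorithm-confusion pitfalls above, side by side as an added example (not code from any JWT library): a verifier that dispatches on the token’s own `alg` header accepts both an unsigned `none` token and an HS256 token HMACed with the server’s public key, while a verifier that pins the algorithm from configuration rejects both before touching any crypto. Everything is standard-library; the PEM blob, the HS256 secret and the `demo` driver are constructed, and the pinned verifier implements only the HS256 signature check (its RS256 rejection happens at the header comparison, which is the point).

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def jwt_encode(payload: dict, key: bytes, alg: str) -> str:
    """Mint a JWS compact token; supports HS256 and the insecure 'none' so the forgeries can be built."""
    signing_input = f"{_segment({'alg': alg, 'typ': 'JWT'})}.{_segment(payload)}"
    if alg == "none":
        return signing_input + "."
    if alg == "HS256":
        mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return f"{signing_input}.{b64url_encode(mac)}"
    raise ValueError(f"unsupported alg {alg!r}")


def verify_trusting_header(token: str, key_material: bytes) -> dict:
    """VULNERABLE: dispatches on the attacker-controlled alg header. key_material is whatever the
    server has configured; for an RS256 deployment that is the RSA public key PEM, which anyone
    can fetch from jwks_uri and use as an HMAC key."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":                                   # bug 1: unsigned token accepted
        return json.loads(b64url_decode(p))
    if alg == "HS256":                                  # bug 2: public key bytes become the HMAC secret
        mac = hmac.new(key_material, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(mac, b64url_decode(s)):
            return json.loads(b64url_decode(p))
        raise ValueError("bad signature")
    raise ValueError(f"unsupported alg {alg!r}")        # a real RS256 branch sits here; the forgeries never reach it


def verify_pinned(token: str, expected_alg: str, key: bytes, audience: str, now=None) -> dict:
    """Hardened: the algorithm comes from server config, 'none' is never acceptable, claims are checked."""
    if expected_alg == "none":
        raise ValueError("'none' is not an acceptable algorithm")
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} does not match pinned {expected_alg!r}")
    if expected_alg != "HS256":
        raise ValueError("this added example implements only the HS256 signature check")
    mac = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    return claims


# Constructed demo material; neither value is a real key.
RSA_PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed\n-----END PUBLIC KEY-----\n"
HS256_SECRET = b"constructed-demo-secret-of-at-least-32-bytes"


def _rejects(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo(now: float = 1_700_000_000.0) -> dict:
    forged = {"sub": "admin", "aud": "api", "exp": now + 3600}
    t_none = jwt_encode(forged, b"", "none")
    t_hs_pub = jwt_encode(forged, RSA_PUBLIC_KEY_PEM, "HS256")   # attacker HMACs with the public key
    legit = jwt_encode({"sub": "alice", "aud": "api", "exp": now + 300}, HS256_SECRET, "HS256")
    return {
        "vuln_accepts_none": verify_trusting_header(t_none, RSA_PUBLIC_KEY_PEM)["sub"] == "admin",
        "vuln_accepts_hs_with_pubkey": verify_trusting_header(t_hs_pub, RSA_PUBLIC_KEY_PEM)["sub"] == "admin",
        "pinned_rejects_none": _rejects(lambda: verify_pinned(t_none, "RS256", RSA_PUBLIC_KEY_PEM, "api", now)),
        "pinned_rejects_hs_with_pubkey": _rejects(lambda: verify_pinned(t_hs_pub, "RS256", RSA_PUBLIC_KEY_PEM, "api", now)),
        "pinned_accepts_legit": verify_pinned(legit, "HS256", HS256_SECRET, "api", now)["sub"] == "alice",
        "pinned_rejects_expired": _rejects(lambda: verify_pinned(legit, "HS256", HS256_SECRET, "api", now + 600)),
        "pinned_rejects_wrong_aud": _rejects(lambda: verify_pinned(legit, "HS256", HS256_SECRET, "other", now)),
    }
```

Real libraries expose the same control as an allow-list argument (for example an explicit list of accepted algorithms on the decode call); the check to make in a code review is that the list is hard-coded and never derived from the token.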
mTLS
- Mutual TLS; both sides present X.509 certificates. The de facto pattern for service-to-service auth in zero-trust networks; service meshes (Istio, Linkerd, Consul Connect) issue and rotate the workload certificates automatically.
- For external clients, mTLS still appears in financial / open-banking APIs (PSD2 / FAPI in EU).
PASETO
- Platform-Agnostic Security Tokens; designed by Scott Arciszewski (2018) as a more-opinionated JWT alternative.
- Versioned protocols (v1–v4), each fixing one “local” (symmetric) and one “public” (signed) construction: v3 uses AES-256-CTR + HMAC-SHA-384 (local) and ECDSA over NIST P-384 (public); v4 uses XChaCha20 + BLAKE2b-MAC (local) and Ed25519 (public). The XChaCha20-Poly1305 AEAD belongs to the older v2.
- Eliminates algorithm confusion (the alg is baked into the version, not in a header field).
- Niche but worth knowing — used by some security-conscious teams that don’t trust the JWT footgun surface.
SPIFFE / SPIRE
- SPIFFE = Secure Production Identity Framework For Everyone — CNCF graduated 2022; specifies a SPIFFE ID (`spiffe://trust-domain/workload`) carried in an SVID (SPIFFE Verifiable Identity Document, either X.509 or JWT).
- SPIRE = the reference implementation. Issues short-lived identities to workloads based on attestation (node + workload attestors).
- The workload-identity story under Istio, Consul, and many service-mesh products.
Identity providers — enterprise + workforce
Okta
- Founded 2009 by Todd McKinnon (previously head of engineering at Salesforce) and Frederic Kerrest. Nasdaq: OKTA.
- ~$2.6B revenue FY2025; the workforce-identity leader by paid-customer count.
- Two main product lines: Workforce Identity Cloud (employee SSO, MFA, lifecycle management) and Customer Identity Cloud (the Auth0 product, after the 2021 acquisition).
- Acquired Auth0 Mar 2021 for $6.5B stock-for-stock; Auth0 remains a separate-branded developer product.
- Security history: Jan 2022 Lapsus$ breach via Sitel (a third-party support contractor) — attackers reached an Okta superuser console. Then Oct 2023 support-system breach — HAR files uploaded to Okta’s support tooling contained session tokens that attackers harvested to pivot into customer environments (BeyondTrust, Cloudflare, 1Password publicly disclosed). Both incidents reshaped how the industry treats vendor-support trust.
Microsoft Entra ID
- Rebranded July 11, 2023 from Azure Active Directory (“Azure AD”). The product family — Entra ID, Entra ID External Identities, Entra Permissions Management, Entra Verified ID, Entra Internet Access, Entra Private Access.
- Tiers: Entra ID Free (limited, in every Microsoft 365 tenant), Entra ID P1 (~$6/user/mo — Conditional Access, hybrid identity, group-based licensing), Entra ID P2 (~$9/user/mo — adds Identity Protection risk-based policies and PIM privileged identity management).
- B2B = guest user collaboration with other Entra tenants; B2C = customer identity, now being merged into Entra External ID as Microsoft sunsets the standalone B2C tenant model (announced 2024, GA 2025).
- Conditional Access — the policy engine (if user X from device Y at risk Z accessing app W, then require MFA / block / passwordless).
- Security history: Storm-0558 incident July 2023 — a China-based actor obtained an expired Microsoft consumer (MSA) signing key and, because token validation did not enforce the key’s intended scope, used it to forge tokens for Exchange Online tenants of ~25 organizations including US State Department officials. Triggered SEC Form 8-K + CISA + Congressional hearings + a Cyber Safety Review Board report (April 2024) that described “a cascade of security failures” and called the intrusion preventable.
Ping Identity + ForgeRock
- Ping Identity founded 2002 by Andre Durand. Originally federation/SAML; expanded to PingFederate + PingOne + PingAccess + PingDirectory + PingCentral + PingID (MFA) + PingOne Risk.
- Vista Equity Partners owned Ping from 2016 and took it public in Sept 2019 (NYSE: PING); Thoma Bravo then took it private in Oct 2022 for $2.8B.
- ForgeRock founded 2010 (Norway / California); IPO’d Sept 2021, then Thoma Bravo took it private in Aug 2023 for $2.3B.
- Aug 2023 — on closing the ForgeRock deal, Thoma Bravo merged Ping + ForgeRock into a single PE-owned platform under the Ping brand, with the ForgeRock IDM/IDC/AM stack continuing in parallel for existing customers.
- Strength: large-enterprise + regulated + government deployments where on-prem or hybrid identity is the default.
IBM Verify + RSA SecurID + One Identity
- IBM Verify (CIAM + workforce); successor to IBM Security Identity Manager (ISIM legacy) and IBM Tivoli.
- RSA SecurID — the token-based MFA from RSA Security (the security division of EMC then Dell); spun off from Dell in Sept 2020 to Symphony Technology Group + Ontario Teachers’ for $2B.
- One Identity (the identity business of Quest Software) — Identity Manager, Active Roles, Safeguard for Privileged Sessions; acquired OneLogin Oct 2021.
Workday Identity + SAP IAS / IPS
- Workday has identity capabilities as part of its workforce platform — used as the system-of-record for HR-driven joiner/mover/leaver flows that then provision into Okta or Entra.
- SAP IAS (Identity Authentication Service) + SAP IPS (Identity Provisioning Service) — the identity layer for the BTP / S/4HANA stack.
Identity Governance and Administration (IGA)
- SailPoint — founded 2005; Thoma Bravo took it private Aug 2022 for $6.9B, then re-IPO’d Feb 2025 on Nasdaq (SAIL). IdentityNow (SaaS) + IdentityIQ (on-prem) — provisioning, certifications, separation-of-duties, role mining.
- Saviynt — IGA + cloud PAM; SaaS-native.
- Omada — Danish IGA vendor; strong in EU enterprise.
- One Identity (above) — IGA via Identity Manager.
- Beyond Identity — not IGA, but often evaluated alongside it: passwordless + device-bound credentials + ZTNA flavor.
- Cyolo — likewise adjacent rather than IGA: zero-trust connect for OT / industrial.
Identity providers — developer-focused + B2C
Auth0
- Founded 2013 by Eugenio Pace + Matias Woloski (Argentina + Seattle). Y Combinator alum.
- Developer-first identity platform; the original “OAuth/OIDC made easy” SaaS.
- Acquired by Okta March 2021 for $6.5B all-stock; still operated as a distinct product.
- Programmability — Rules (deprecated 2024 in favor of Actions) and Actions (Node.js / hosted runtime) let you customize the login/signup/MFA flow with code. Tenants isolate environments.
Clerk
- Founded 2019 (officially 2020) by Colin Sidoti + Braden Sidoti + Bryce Kalow.
- React + Next.js-first identity platform; ships drop-in `<SignIn />`, `<UserButton />`, `<OrganizationSwitcher />` UI components.
- First-class passkeys + magic links + social + SMS + email-code; native B2B / Orgs primitives (organizations, memberships, roles, invitations).
- $1.2B valuation, led by CapitalG + Stripes + Madrona.
WorkOS
- Founded 2019 by Michael Grinich (ex-Nylas).
- The “Stripe for enterprise auth” pitch — a simple unified API for SSO (SAML + OIDC) and Directory Sync (SCIM) that B2B SaaS startups use to onboard enterprise customers.
- AuthKit (2024) — hosted login UI built on top of the same primitives, targeting earlier-stage teams that don’t want to build login.
- Vendor of choice for Vercel, Cursor, Linear, Liveblocks, PlanetScale, and most YC-backed B2B SaaS.
- $850M valuation, led by Greenoaks.
Stytch
- Founded 2020 by Reed McGinley-Stempel + Julianna Lamb (both ex-Plaid). Y Combinator W20.
- Passwordless-first B2C + B2B platform — email magic links, SMS, WhatsApp, OAuth, passkeys, embeddable Web SDK.
- $1B valuation, led by Coatue + Index + Thrive + Benchmark.
Supabase Auth + Firebase Auth + Appwrite
- Supabase Auth — open-source identity built on GoTrue (originally by Netlify, forked + maintained by Supabase). Postgres-native (users live in the `auth.users` table; Row Level Security policies refer to `auth.uid()`).
- Firebase Authentication — Google’s developer-focused auth SaaS since 2014 (Firebase acquired by Google 2014); part of the Firebase BaaS suite. Integrates with Google Identity Platform on GCP.
- Appwrite Auth — open-source BaaS; the Supabase / Firebase alternative.
- Pocketbase — single-file Go-based BaaS with built-in auth.
Cloudflare Access + Cloudflare One
- Cloudflare Access — identity-aware proxy + zero-trust network access; uses any upstream IdP (Okta, Entra, Google Workspace, SAML, OIDC) and enforces policies at Cloudflare’s edge.
- Part of Cloudflare One — Access + Gateway + Tunnel + Browser Isolation + CASB + DEX + Magic WAN.
Self-hostable open-source
- Keycloak — Red Hat’s open-source IAM since 2014; the most popular self-hosted IdP. SAML + OIDC + LDAP federation + user federation + brokering.
- Authentik — Python-based open-source IdP, growing fast 2023–2026.
- Ory stack — Ory Kratos (identity / sign-in), Ory Hydra (OAuth2 + OIDC server), Ory Keto (authorization, Zanzibar-inspired), Ory Oathkeeper (zero-trust proxy). Each open-source + Ory Network is the managed cloud.
- FusionAuth — packaged identity server, free for self-host with paid support tiers; popular for “we want all our auth data on our own servers” deployments.
- Hanko — passkey-first open-source IdP, German-based.
- Zitadel — Swiss-based open-source IdP, Go + CockroachDB.
- LogtoAI (Logto) — open-source dev-focused IdP, Shanghai-based.
Magic-link / Web3-adjacent
- Magic.link (Magic Labs) — Web2 + Web3 magic-link wallet identity.
- Otpless — phone/WhatsApp-based passwordless.
- LoginRadius — CIAM platform.
Federation + cross-organization identity
- Microsoft Entra B2B Collaboration — invite users from another Entra tenant as guests in yours.
- Microsoft Entra Cross-Tenant Access Settings + Cross-Tenant Synchronization (2023) — programmatic multi-tenant policies; B2B Direct Connect for Teams/Channels.
- AWS IAM Identity Center — central IdP-broker into AWS accounts in your organization.
- Okta Identity Cloud / Okta Workforce Identity — federate across many SaaS via SSO.
- Microsoft FIM / MIM (Forefront / Microsoft Identity Manager) — legacy on-prem identity-sync product; still in use at large enterprises.
Passwordless evolution (timeline)
| Era | Mechanism | Status 2026 |
|---|---|---|
| 2014– | Magic links (Slack pioneered, 2013) | mainstream for B2C / lightweight B2B |
| pre-2017 | SMS OTP | deprecated by NIST 800-63B (2017); still widely used for account recovery |
| 2010– | TOTP authenticator apps | still the most-deployed strong second factor |
| 2017– | Push approval | widely used; vulnerable to push-bombing without number-matching |
| 2018– | WebAuthn / FIDO2 hardware keys | adopted by security-mature enterprises (Google, Cloudflare, GitHub) |
| 2022 | Apple Passkeys (iOS 16 Sept) | first major OS-level passkey sync |
| 2023 | Google Passkeys + Microsoft Passkeys + 1Password / Bitwarden passkey storage | mainstream consumer rollout |
| 2024–2026 | Passkeys at B2B SaaS scale (GitHub passkeys 2023, Slack 2024, Shopify 2024, AWS 2024) | becoming default |
Hardware FIDO2 keys
- YubiKey (Yubico) — founded 2007 by Stina Ehrensvärd; Swedish/American; ~$100M revenue. Product lines: YubiKey 5 NFC / 5C NFC / 5Ci (Lightning + USB-C) / 5 Bio (fingerprint) / Security Key C NFC (cheaper, FIDO2-only).
- Google Titan Security Key — Google-branded, manufactured by Feitian; T1 USB-A / T2 USB-C / Bluetooth versions.
- Feitian — Beijing-based OEM; sells under own brand and white-label.
- SoloKeys — open-source (hardware + firmware) FIDO2 keys; Solo V2.
- GoTrust Idem Key — value-priced FIDO2.
- OnlyKey — open-source key with built-in password manager.
Biometric on-device
- Apple Touch ID (2013) + Face ID (2017) + Optic ID (Vision Pro 2024).
- Windows Hello — fingerprint, facial recognition, PIN; uses the TPM for credential storage.
- Android fingerprint + face unlock — varies by OEM; class-3 biometric for strong auth.
- Samsung iris (deprecated after Note 9), Samsung Knox.
Authorization (AuthZ) — distinct from authentication (AuthN)
Authentication = “who are you?”. Authorization = “what are you allowed to do?”. The IdPs above mostly handle AuthN; AuthZ is a separate stack:
Authorization models
- RBAC (Role-Based Access Control) — users have roles; roles have permissions. The default in most apps; simple, scales poorly when permissions get fine-grained.
- ABAC (Attribute-Based Access Control) — policies are expressions over attributes of subject + resource + action + environment. More flexible than RBAC; AWS IAM policies with condition keys and tag-based access, Azure RBAC with its ABAC conditions, and GCP IAM conditions are all ABAC in practice.
- ReBAC (Relationship-Based Access Control) — Google’s Zanzibar paper (2019) described how Google Drive’s “anyone with the link can edit” + “shared with X” + nested folder permissions are implemented. The model: tuples like `object#relation@subject` (where the subject can itself be a userset such as `group:eng#member`) and check queries that walk the tuple graph through per-relation rewrite rules. ReBAC = ABAC’s heir for product-style permissions (Notion-style sharing, GitHub-style team permissions, etc.).
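A minimal Zanzibar-style check, as an added example (not code from the paper or from OpenFGA / SpiceDB / Keto): tuples in the `object#relation@subject` notation, a constructed schema for a hypothetical docs app using the paper’s three rewrite forms (`this`, `computed_userset`, `tuple_to_userset`), and a recursive `check` that walks group membership and folder inheritance. The schema, object names and users are invented.

```python
# Constructed schema for a hypothetical docs app, in the Zanzibar paper's vocabulary:
#   "this"             = tuples written directly on this relation
#   "computed_userset" = another relation on the same object implies this one
#   "tuple_to_userset" = follow a relation (e.g. parent) to other objects and check a relation there
SCHEMA = {
    "group": {"member": [("this",)]},
    "folder": {
        "parent": [("this",)],
        "editor": [("this",), ("tuple_to_userset", "parent", "editor")],
        "viewer": [("this",), ("computed_userset", "editor"), ("tuple_to_userset", "parent", "viewer")],
    },
    "doc": {
        "parent": [("this",)],
        "editor": [("this",), ("tuple_to_userset", "parent", "editor")],
        "viewer": [("this",), ("computed_userset", "editor"), ("tuple_to_userset", "parent", "viewer")],
    },
}


class TupleStore:
    def __init__(self):
        self.tuples = set()   # (object, relation, subject); subject is "user:x" or a userset "obj#rel"

    def write(self, line: str):
        """Accepts the paper's notation: object#relation@subject."""
        lhs, subject = line.split("@", 1)
        obj, rel = lhs.split("#", 1)
        self.tuples.add((obj, rel, subject))

    def lookup(self, obj: str, rel: str):
        return [s for (o, r, s) in self.tuples if o == obj and r == rel]


def check(store: TupleStore, obj: str, relation: str, user: str, depth: int = 0) -> bool:
    """CHECK(object#relation@user): expand the relation's rewrite rules and walk the tuple graph."""
    if depth > 32:
        raise RecursionError("relation graph too deep (cycle in parent tuples?)")
    obj_type = obj.split(":", 1)[0]
    for rule in SCHEMA.get(obj_type, {}).get(relation, []):
        if rule[0] == "this":
            for subject in store.lookup(obj, relation):
                if subject == user:
                    return True
                if "#" in subject:   # userset subject such as group:eng#member: recurse into it
                    s_obj, s_rel = subject.split("#", 1)
                    if check(store, s_obj, s_rel, user, depth + 1):
                        return True
        elif rule[0] == "computed_userset":
            if check(store, obj, rule[1], user, depth + 1):
                return True
        elif rule[0] == "tuple_to_userset":
            _, via, target_relation = rule
            for target in store.lookup(obj, via):
                if check(store, target, target_relation, user, depth + 1):
                    return True
    return False


def sample_store() -> TupleStore:
    """Constructed relationships: alice views doc:spec only through group -> folder -> parent."""
    store = TupleStore()
    for line in [
        "group:eng#member@user:alice",
        "folder:root#viewer@group:eng#member",
        "folder:root#editor@user:bob",
        "doc:spec#parent@folder:root",
        "doc:spec#viewer@user:carol",
    ]:
        store.write(line)
    return store
```

The production engines add what this omits: a snapshot token so a check does not observe a half-applied change (Zanzibar’s zookie), caching of intermediate usersets, and a schema language that rejects cycles up front instead of relying on a depth limit.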
Authorization engines
- Open Policy Agent (OPA) — CNCF graduated Feb 2021; created by Tim Hinrichs + Torin Sandall (Styra co-founders); the de facto policy engine for K8s admission control (via Gatekeeper). Uses the Rego DSL; runs as sidecar, library, or central service. Styra is the commercial managed offering.
- Cedar — AWS open-sourced May 2023; the language behind Amazon Verified Permissions (which plugs into Cognito user pools) and AWS Verified Access. Cedar’s claim is “a policy language designed for tools”: it is deliberately bounded (no loops or general recursion) so policies can be analyzed automatically, e.g. to prove that a change does not accidentally grant access.
- SpiceDB — by AuthZed (founded 2021 by Jake Moshenko ex-CoreOS / Red Hat); open-source Zanzibar-inspired AuthZ database. Schema-first, multi-region replication.
- OpenFGA — open-source Zanzibar-inspired authorizer from Auth0 / Okta (2022); CNCF Sandbox. The engine behind Auth0 Fine-Grained Authorization.
- Warrant / WarrantDB — was a Zanzibar-style SaaS; acquired by WorkOS in June 2024 and relaunched as WorkOS FGA.
- Permit.io — Israeli AuthZ SaaS; combines RBAC + ABAC + ReBAC via PDP (Policy Decision Point) sidecar.
- Aserto — founded by Omri Gazitt + Gert Drapers (ex-Puppet, ex-Microsoft); Topaz is the open-source authorizer.
- Cerbos — UK-based AuthZ; stateless decision service, YAML policies.
- Casbin — open-source RBAC/ABAC library in many languages (Go origin).
- Keto — Ory’s Zanzibar-flavored authorizer.
- Permify — Turkey-based open-source Zanzibar-style.
Standards bodies + RFCs
- IETF OAuth Working Group — OAuth 2.0, 2.1 (draft), all the JOSE specs (JWT, JWS, JWE, JWK).
- OpenID Foundation — OIDC core + Discovery + Federation + Self-Issued + FAPI (Financial-grade API).
- FIDO Alliance — FIDO2, CTAP2, passkeys certification.
- W3C Web Authentication WG — WebAuthn spec.
- NIST SP 800-63 revision 4 (final published 2025) — Digital Identity Guidelines; 800-63A enrollment + identity proofing, 800-63B authenticator + lifecycle, 800-63C federation + assertions.
- OASIS — SAML, XACML (older policy language).
- Kantara Initiative — UMA (User-Managed Access), identity-assurance certifications.
Compliance certifications relevant to IdPs
- SOC 2 Type 2 — table stakes for any B2B identity SaaS.
- ISO 27001 / 27018 / 27017 — international info-sec management + cloud + PII processing.
- FedRAMP Moderate / High — required for US federal customers; Okta, Auth0, Entra ID all hold; many smaller players do not.
- HIPAA + BAA — US healthcare.
- GDPR + CCPA + LGPD + PIPEDA — privacy regimes.
- PCI-DSS — when card data crosses the IdP (rare but happens via SAML attributes).
- StateRAMP, HITRUST, IRAP (Australia), GovAssure (UK), C5 (Germany).
Pricing comparison (USD, list, 2026)
| Vendor | Free tier | Starter | Mid | Enterprise |
|---|---|---|---|---|
| Auth0 (Okta CIC) | 7,500 MAU free (B2C dev) | Essentials ~$240/mo | Professional ~$1,400/mo (10k MAU) | Enterprise quoted |
| Clerk | 10,000 MAU free | $0.02/MAU after | Production tier $99/mo | Enterprise quoted |
| WorkOS | AuthKit free up to 1M MAU | $125/connection/mo (SSO or Directory Sync) | usage-based | enterprise pricing |
| Stytch | 25 MAUs free | usage-based — ~$0.05/MAU + features | per-feature pricing | enterprise quoted |
| Okta Workforce Identity | none | $6/user/mo (SSO basic) | $15/user/mo (MFA + Lifecycle Management) | $15+/user/mo (Identity Governance) |
| Entra ID | free in M365 (limited) | P1 $6/user/mo | P2 $9/user/mo | E5 / governance addon |
| AWS Cognito | 50k MAU free (User Pools) | $0.0055/MAU above | Advanced security $0.05/MAU | enterprise |
| Firebase Auth | 50k MAU free | $0.0055/MAU + Identity Platform add-ons | usage-based | enterprise |
| Keycloak | $0 self-host | infra costs only | Red Hat SSO support subscription | enterprise support |
| Cloudflare Access | 50 users free | $3/user/mo | $7/user/mo (Cloudflare One Zero Trust) | enterprise |
These are list rates; everyone discounts at scale and most have committed-spend ramps.
Notable security incidents to learn from
- Okta — Sitel breach (Jan 2022, disclosed Mar 2022) — Lapsus$ pivoted from Sitel (Okta’s support contractor) into the Okta superuser console. Direct blast radius was ~366 customers per Okta’s after-action; reputational blast radius was much larger.
- Okta — Customer Support breach (Oct 2023) — attackers stole HAR files containing session tokens from Okta’s support case-management system; pivoted into 1Password, BeyondTrust, Cloudflare. Drove industry change on HAR-file handling + session-token binding.
- LastPass (Aug + Nov 2022) — the Aug 2022 intrusion into the development environment yielded source + internal secrets; in the follow-on attack the actor exploited vulnerable third-party media software on a senior DevOps engineer’s home machine, planted a keylogger, captured the master password, and used the engineer’s access to copy encrypted customer vaults + key material from cloud backups. Offline cracking of weak master passwords has driven mass password rotation. Catastrophic for the brand; many enterprises moved to 1Password / Bitwarden.
- Microsoft Storm-0558 (July 2023) — China-based actor used a stolen MSA consumer signing key to forge tokens against Outlook / Exchange Online for ~25 organizations including US State Dept; the CSRB final report (April 2024) described “a cascade of security failures” and called the intrusion preventable.
- Microsoft Midnight Blizzard (Jan 2024 disclosure) — Russia-aligned actor password-sprayed a legacy non-production test tenant that lacked MFA, then abused a legacy test OAuth application holding elevated access to the corporate environment to read senior leadership’s email; the lateral movement ran through OAuth application permissions and consent, not through an exploit.
- Twitter / X.com API + breaches (2022–2023) — 5.4M user records leaked in 2022 (CVE-2022-23472 phone-number enumeration); separate ongoing scrape disclosures.
- MOVEit / Cl0p (May–June 2023) — not strictly identity, but an SQL-injection zero-day in Progress MOVEit Transfer let Cl0p mass-exfiltrate data from 2,700+ orgs; a reminder that an SSO-fronted application can be compromised entirely below the identity layer.
- Snowflake customer breaches (May 2024) — ~165 customers compromised via infostealer-harvested credentials on accounts that had no MFA; not a Snowflake platform flaw, but it drove the industry move to mandatory MFA + workload identity for warehouses.
- Cloudflare Atlassian Confluence breach (Nov 2023, via Okta HAR fallout) — chained from the Okta support breach.
The throughline: vendor-of-vendor risk (Sitel for Okta; engineer home machine for LastPass; signing-key handling at Microsoft) is now the dominant breach vector in identity infrastructure, more than direct CVEs.
Migration patterns worth knowing
- Okta to Microsoft Entra ID — typically driven by EA bundling; the technical move is straightforward (both speak SAML/OIDC/SCIM) but the conditional-access policy migration is the real work.
- Auth0 to Clerk — Next.js-heavy startups whose volume passed Auth0’s developer tier.
- Auth0 to Stytch — B2C / passwordless-first products.
- Custom-built auth to WorkOS — B2B SaaS that needs enterprise SSO + SCIM without writing it.
- Cognito to anything — Cognito’s developer experience and customizability have lagged; many AWS-shop migrations to Auth0 or Clerk for the UX while keeping AWS for infra.
- Active Directory + ADFS to Entra ID + cloud-native — multi-year for most large enterprises; hybrid identity (Entra Connect / Cloud Sync) is the bridge.
Emerging trends (2024–2026)
- Passkeys at scale — passing the inflection point; major B2C consumer services (Amazon, Microsoft, Google, Apple, GitHub, Shopify) all default to passkey enrollment in 2025–2026.
- Verifiable Credentials (W3C VC Data Model 2.0, Recommendation May 2025) — issuer-holder-verifier model; digital diplomas, work credentials, health records.
- Decentralized Identifiers (DID) — W3C DID Core spec; resolution methods include `did:web`, `did:key`, `did:ion` (Microsoft’s Bitcoin-anchored ION network), `did:ebsi` (EU blockchain).
- Self-Sovereign Identity (SSI) — wallets hold credentials; Sovrin Network, Trinsic, Indicio, Dock.
- Australia Consumer Data Right (CDR) — open-data regime with FAPI-grade OAuth.
- India Aadhaar — 1.3B+ enrolled identities; the world’s largest biometric identity system; Aadhaar eKYC and the Aadhaar-enabled Payment System tie bank onboarding and withdrawals to the Aadhaar number.
- Mobile driver’s licenses (mDL, ISO/IEC 18013-5) — Apple Wallet IDs (rolling out US state by US state since 2022; ~10 US states live by 2025), Google Wallet IDs.
- EU Digital Identity Wallet (eIDAS 2.0) — EU regulation entered into force May 2024; all 27 member states required to offer an EU Digital Identity Wallet by end-of-2026 supporting verifiable credentials + mDL + payment authentication.
- AI agents + identity — the unresolved 2025–2026 question is how autonomous AI agents authenticate (long-lived credentials, delegated OAuth, DPoP-bound tokens, per-action consent). Specs in flight at IETF OAuth WG (token exchange + DPoP) and at OpenID for AI agents.
When to choose which
- Workforce SSO for an enterprise — Okta or Microsoft Entra ID. Pick on existing-Microsoft-investment vs vendor-neutrality grounds.
- B2B SaaS startup needing enterprise SSO + SCIM — WorkOS. Lowest-friction path to “yes” on RFPs that require SAML.
- B2C consumer app — Clerk if React/Next, Stytch for passwordless-first, Auth0 for ecosystem maturity, Cognito if AWS-heavy and willing to wrestle, Firebase Auth for Google-stack.
- Open-source self-host — Keycloak (most popular), Authentik (modern), Ory stack (modular), Zitadel (Go + CockroachDB).
- Fine-grained authorization — OpenFGA or SpiceDB for Zanzibar-style; OPA / Cedar for policy-as-code over arbitrary attributes; Permit.io for managed.
- Hardware-grade phishing resistance — YubiKey + WebAuthn; or platform passkeys if device-trust is sufficient.
- Identity governance (IGA) — SailPoint for enterprise, Saviynt for cloud-native, Omada in EU.
Adjacent
- cloud-provider-service-mapping — covers in-cloud IAM (AWS IAM + Identity Center, GCP Cloud IAM + Workload Identity Federation, Entra ID + Azure RBAC) as the cloud-resident side of identity.
- database-engine-taxonomy — backing-store choices for self-hosted IdPs (Postgres for Keycloak / Authentik / Ory / Zitadel, plus SpiceDB’s own datastores).
- observability-tools-catalog — audit-logging + SIEM integrations for IdP signals (CloudTrail + Cloud Audit Logs + Azure Activity Log feeding Splunk / Datadog / Sentinel).
- llm-landscape — relevant because AI-agent identity (long-lived tokens vs DPoP-bound vs per-action consent) is the open identity problem of 2025–2026.
- _index — Tier 3 family-index root for the Compute library.