
OAuth / SSO / IdP — Notes

Functional

  • Issue and validate access tokens (OAuth 2.0).
  • Identity assertions (OIDC).
  • Multi-app SSO + SCIM provisioning.
  • MFA, passkeys, social logins.
  • Token revocation.

Non-functional

  • p99 token endpoint < 200 ms.
  • 99.99%+ availability — IdP outage breaks everything.

Trade-offs

  • JWT scales because verification is offline (signature + expiry checked locally); revocation is harder, since a revoked token still verifies until it expires unless the verifier consults shared state.
  • Opaque tokens + introspection centralize auth state at the IdP, so revocation is immediate; cost is a round trip to the introspection endpoint on every check.
  • Symmetric vs asymmetric keys: asymmetric mandatory if trust boundary crosses orgs.
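Added example (not part of these notes) showing the first trade-off concretely: a stdlib-only Python JWT mint/verify where verification is fully offline, so a revoked token keeps verifying until its `exp` unless the verifier is handed shared revocation state. The secret, claims and timestamps are constructed demo values; HS256 is used only because the standard library has no RSA/ECDSA, which is the asymmetric choice the notes call for across org boundaries.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo key (assumption: a real deployment keeps keys in the IdP key store).
SECRET = b"demo-secret-do-not-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(sub: str, jti: str, now: int, ttl: int = 300) -> str:
    """Issue a short-lived HS256 JWT with a unique jti so it can be revoked by id."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": sub, "jti": jti, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Shared revocation state: jti -> exp. Entries can be dropped once exp passes,
# because verify() rejects expired tokens anyway, so the list stays bounded by the TTL.
REVOKED: dict = {}

def revoke(token: str) -> None:
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    REVOKED[claims["jti"]] = claims["exp"]

def verify(token: str, now: int, revocation_list: Optional[dict] = None) -> Optional[dict]:
    """Offline verification: no IdP round trip. Returns claims, or None on any failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims["exp"] <= now:
        return None
    # Revocation only takes effect if the verifier consults shared state; that is the
    # centralization the opaque-token design pays for on every call instead.
    if revocation_list is not None and claims.get("jti") in revocation_list:
        return None
    return claims
```

Short TTLs bound the damage window for a purely offline verifier; a jti denylist propagated to resource servers closes it at the cost of shared state.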

Refs

  • OAuth 2.0 RFC 6749, OIDC core spec.
  • "OAuth 2.0 Threat Model" RFC 6819.
  • "OAuth 2.1 BCP" current best practices.
  • Auth0 / Okta / Cognito docs.