
Why Can't the App Just Have My Password
Before OAuth2, delegating access meant sharing credentials. If you wanted a third-party app to read your email, you gave it your email password — and it could do anything with that password, including change it, read messages you didn't intend to share, and keep it forever. OAuth2 solves the authorization delegation problem: an identity provider issues scoped, time-limited tokens that grant specific permissions without ever revealing the user's password to the application. Understanding the flow explains not just your Authentik setup but every "Login with Google" button on the web.
"OAuth2 is about authorization. OpenID Connect is about identity."
Kai Renner, 24th of March 2026
Understand the Four Grant Types
OAuth2 defines four grant types for different situations. The Authorization Code grant is for web apps and native apps: the app redirects to the identity provider, the user authenticates there, and a short-lived code is returned to the app. The Implicit g
Follow the Full OIDC Authorization Code Flow
A user clicks Login on your Nextcloud instance. Nextcloud redirects the browser to Authentik's authorization endpoint, appending the client ID, requested scopes (openid profile email), a redirect URI, a random state parameter, and a PKCE code challenge. T
Understand JWT Structure
The ID token returned by the flow is a JSON Web Token (JWT). A JWT has three parts separated by dots: header.payload.signature, each Base64URL-encoded. The header specifies the algorithm used for the signature (RS256 is common — RSA with SHA-256). The pay
Know Which Token Does What
The ID token proves who the user is. It is consumed by the application that requested it to establish a session. It should not be forwarded to other services. The access token grants access to an API on behalf of the user. It is sent in HTTP request heade
Understand Why Each Step in the Flow Exists
The state parameter is a random value the client generates and includes in the redirect to the identity provider. When the provider redirects back, it echoes the state. The client verifies it matches. This prevents CSRF attacks: an attacker cannot forge a
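The redirect, PKCE and ID-token steps described in the sections above, as an added Python example (stdlib only; not code from the original article or from Authentik). It assumes an HS256 shared key in place of the RS256 key pair a real Authentik deployment uses, takes the authorize endpoint as a parameter rather than hard-coding Authentik's path, and constructs its own sample claims.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

def b64url(raw: bytes) -> str:
    # Base64URL without padding: the encoding PKCE (RFC 7636) and JWT share.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pkce_pair() -> tuple[str, str]:
    # code_verifier stays with the client; only its SHA-256 (S256) travels in the redirect.
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def authorize_url(endpoint, client_id, redirect_uri, state, nonce, challenge):
    # First redirect of the flow: scopes, state (CSRF), nonce (replay), PKCE challenge.
    return endpoint + "?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid profile email", "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256"})

def sign_hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def mint_id_token(claims: dict, key: bytes) -> str:
    # Stand-in for the IdP (assumption: HS256 so this runs without a crypto library).
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{b64url(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64url(sign_hs256(signing_input.encode(), key))}"

def validate_id_token(token, key, issuer, client_id, nonce, now=None):
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the algorithm you expect; never let the token's header choose it (alg:none).
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = sign_hs256(f"{header_b64}.{payload_b64}".encode(), key)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token was not issued for this login")
    return claims
```

The client keeps `state`, `nonce` and the PKCE verifier in its session between the first redirect and the callback; the verifier goes in the code exchange and the nonce is checked against the ID token that comes back.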
What Comes Next
JWTs are signed with cryptographic keys, and the security of those signatures depends entirely on the algorithm chosen. Some historical JWT algorithm choices — notably the alg:none vulnerability and early RSA/HMAC confusion attacks — had serious weaknesses worth understanding. That leads naturally into the broader world of applied cryptography and why algorithm selection matters.

