Summary: Today I woke up thinking that talking about Identity and Access Control and how your strategy around that affects you (web-) app's architecture without going too deeply into the security lingo that usually comes with it. Here's the 40 minute result. I start with HTTP's "native" authentication model RFC 2617 and how that's universally bad, with both Basic and Digest authentication having issues Digest being, ironically worse for the overall security strategy. Then I dive into why models that use tokens (or cookies) are better in terms of security and scalability and explore a range of variations amongst those.
