
Pythonic identity (auth in Python ecosystem)

Episode #292, published Thu, Nov 26, 2020, recorded Fri, Oct 2, 2020

So you're excited about that next app you're about to build. You can visualize the APIs with the smooth scalability, talking to the mobile apps. You can see how, finally, this time, you'll get deployment right and it'll be pure continuous delivery out of GitHub with zero downtime.

What you're probably not dreaming about is writing yet another password reset form and integrating mail capabilities just for this purpose. Or how you'll securely store user accounts the right way this time.

Don't worry, we got you covered. Our guests, Christos Matskas and John Patrick Dandison are here to cover a bunch of different libraries and techniques we can use for adding identity to our Python applications.

Episode Deep Dive

Guests Introduction and Background

Christos Matskas and John Patrick Dandison both work on the developer advocacy team for Microsoft Identity and spend a great deal of time helping developers successfully integrate secure authentication and authorization into applications. Christos brings a strong .NET background, transitioning into Python and NodeJS as a polyglot developer. JP (John Patrick) started out working with C# as well, later discovering the power of Python for tasks such as data and API work. Together, they have a deep passion for teaching developers about identity and security best practices, regardless of language or platform.

What to Know If You're New to Python

If identity and authentication is your first brush with Python, here are a few points to help you follow along:

  • Python web frameworks such as Flask or Django handle the user-facing side of identity (login pages, sessions, redirects) as well as the backend work of issuing and validating tokens, so you’ll see references to libraries that streamline both.
  • Tools such as Flask, Django, and FastAPI come up often for Python-powered apps handling identity flows.
  • Familiarity with basic pip-installation and Python environments helps when integrating security libraries like Passlib or OAuth client libraries.

Key Points and Takeaways

  1. Identity as a First-Class Service It’s easy to think of authentication as “just another login form,” but Christos and JP emphasize that identity is critical. Modern applications often rely on secure tokens rather than rolling their own username/password systems. This approach both reduces maintenance overhead and significantly improves security.
  2. The Four A’s: Authentication, Authorization, Auditing, and Access Control Most developers know about authentication (verifying who you are) and authorization (what you can do). But there are also important considerations such as auditing (logging and monitoring user actions) and fine-grained access controls. Collectively, these create a holistic security approach.
  3. Rolling Your Own Passwords vs. Relying on an Identity Provider If you roll out custom username/password solutions, you often wrestle with hashing, salts, email resets, rate-limiting, and more. Leveraging identity providers (e.g., Azure AD, Okta, Auth0) or proven libraries can free you from many pitfalls. Nevertheless, if you do implement passwords, using a well-tested tool like Passlib in Python helps you handle hashing and salting properly.
  4. Avoiding Common Pitfalls From forgetting to add incremental backoff to storing credentials in plaintext, the guests share real-world mistakes. Developers often underestimate the complexity of these details until something goes wrong. Baking security in from the start means fewer headaches and a reduced risk of data leaks or password-based attacks.
  5. OAuth 2 vs. OpenID Connect OAuth 2 is fundamentally about authorization and scoping what an app can do. OpenID Connect builds on OAuth 2, adding identity authentication details (e.g., who the user is). Understand these layers so you can properly handle user info (OpenID Connect) vs. resource permissions (OAuth 2).
  6. Federated Identity Federated identity in a corporate or multi-service setting means your application trusts an external identity system (e.g., Azure AD) to authenticate. This is how employees can log into multiple internal apps with one set of credentials. APIs also often carry forward tokens downstream for service-to-service calls, reducing re-authentication friction.
  7. De-Risking Social Logins Many apps let you sign in with Google, Facebook, or GitHub. While it can improve convenience and security (you’re not storing credentials), it introduces considerations like what happens if the user deletes their Facebook account. The takeaway? Social logins are great if they align with user needs, but allow other fallback methods if possible.
  8. Using Microsoft’s Identity Libraries for Python Christos and JP highlight Microsoft’s MSAL (Microsoft Authentication Library) for Python, which is built on open standards. While Python has a broad ecosystem of identity libraries, MSAL hides many of the protocol details and lets you quickly integrate with Azure services.
  9. APIs vs. Web Applications The flow for web apps (e.g., prompting a user to log in) is slightly different from how an API protects its endpoints. APIs typically validate tokens they receive and check the user’s claims. The conversation clarified that you should keep tokens short-lived, use standard JWT claims, and ensure you’re verifying them properly.
  10. Practical Advice for Teams In large organizations, identity can be a major bottleneck if done incorrectly. The best strategy? Centralize identity with a reputable provider, don’t store secrets in source code, and ensure that every app in the environment references an updated token validation library to avoid vulnerabilities.
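Points 3 and 4 above come down to two mechanics: salted, slow password hashing with a constant-time comparison, and incremental backoff on failed logins. The block below is an added example written for these notes, not code from the episode or from Passlib. It uses only the standard library so it runs anywhere; in a real application Passlib's CryptContext does the hashing, verification and "needs rehash" bookkeeping for you. The stored-hash string format, the iteration count and the LoginThrottle class are this example's own choices (the format is modelled on modular-crypt-style strings), and the user table and passwords in the demo are constructed.

```python
import base64
import hashlib
import hmac
import os
import time

# Hypothetical storage format, one string per user:
#   pbkdf2_sha256$<iterations>$<salt base64>$<digest base64>
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # PBKDF2-SHA256 work factor chosen for this example


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash with a fresh random 16-byte salt; the salt is stored beside the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iterations)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored hash is below current policy; rehash it after a successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


# Hash of a throw-away value so unknown usernames cost the same time as real ones.
_DUMMY_HASH = hash_password(os.urandom(8).hex())


class LoginThrottle:
    """Per-account exponential backoff: 1 s, 2 s, 4 s, ... up to `cap` seconds."""

    def __init__(self, base: float = 1.0, cap: float = 300.0, clock=time.monotonic):
        self.base, self.cap, self.clock = base, cap, clock
        self._state = {}  # account -> (failure count, earliest time of next attempt)

    def retry_after(self, account: str) -> float:
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, account: str) -> float:
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = min(self.cap, self.base * 2 ** (failures - 1))
        self._state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)


def attempt_login(users: dict, throttle: LoginThrottle, username: str, password: str) -> str:
    """Return 'throttled', 'denied' or 'ok'. `users` maps username -> stored hash string."""
    if throttle.retry_after(username) > 0:
        return "throttled"
    stored = users.get(username)
    # Always run one PBKDF2 evaluation so timing does not reveal which accounts exist.
    ok = verify_password(password, stored if stored is not None else _DUMMY_HASH)
    if stored is None or not ok:
        throttle.record_failure(username)
        return "denied"
    throttle.record_success(username)
    return "ok"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed sample
    throttle = LoginThrottle()
    print(attempt_login(users, throttle, "alice", "wrong"))                          # denied
    print(attempt_login(users, throttle, "alice", "correct horse battery staple"))   # throttled
```

The throttle keys on the account name so an attacker cannot reset it by changing client address; in a multi-process deployment the state would live in a shared store rather than a dict. The dummy-hash branch in attempt_login is what keeps "user does not exist" and "wrong password" from being distinguishable by response time.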

Interesting Quotes and Stories

Christos on Secrets Leaking into Source Control: “We see RSA keys on GitHub, we see SSH keys for secrets. We don’t want developers to do that. And it’s a very easy mistake to make.”

John on Social Logins: “I tend to create a fallback username and password. Because if I suddenly decide to delete my social account, I don’t want half a dozen sites to be inaccessible.”

Key Definitions and Terms

  • Authentication: Verifying someone is who they claim to be.
  • Authorization: Determining what actions or resources a user is permitted to access.
  • Auditing: Systematically tracking user and system activities for security and compliance purposes.
  • OAuth 2: An authorization framework to grant third-party apps access to a user’s data, without sharing credentials.
  • OpenID Connect: An identity layer on top of OAuth 2.0 to verify the end user’s identity.
  • JWT (JSON Web Token): A compact token format often used for representing claims securely between two parties.
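Point 9 above says an API should validate the tokens it receives and check the claims; the definition of JWT says what is in one. The block below is an added example, not code from the episode, MSAL or any library, showing the checks a resource server performs: pin the algorithm (so an `alg: none` or algorithm-swapped header is rejected), verify the signature in constant time, require a short `exp`, and confirm `aud` and `iss` so a token minted for another API is not accepted. It uses HS256 with a shared key so it runs with the standard library alone; tokens from Azure AD and most providers are RS256, for which you would fetch the issuer's JWKS and use a library such as PyJWT or Authlib, but the same claim checks apply. The key, issuer, audience and claims below are constructed, and sign_jwt exists only to build sample input.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class InvalidToken(Exception):
    """Raised for any reason a token must not be trusted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 token. Only the issuer does this; the API never needs it."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, audience: str, issuer: str,
               now: Optional[float] = None, leeway: int = 30) -> dict:
    """Return the claims only if every check passes; otherwise raise InvalidToken."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:   # JSONDecodeError is a ValueError
        raise InvalidToken("malformed token") from exc

    # 1. Pin the algorithm: the header is attacker-controlled, so never dispatch on it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    # 2. Signature over the exact bytes received, compared in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise InvalidToken("bad signature")
    # 3. Lifetime: exp is mandatory (tokens should be short-lived); nbf honoured if present.
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise InvalidToken("missing exp")
    if now > claims["exp"] + leeway:
        raise InvalidToken("token expired")
    if now + leeway < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid")
    # 4. Audience and issuer: a valid token for some other API must not work here.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise InvalidToken("audience mismatch")
    if claims.get("iss") != issuer:
        raise InvalidToken("issuer mismatch")
    return claims


if __name__ == "__main__":
    KEY = b"constructed-demo-secret"          # constructed; a real key is random and secret
    ISS, AUD = "https://issuer.example", "api://orders"
    token = sign_jwt({"sub": "user-123", "aud": AUD, "iss": ISS,
                      "exp": int(time.time()) + 300}, KEY)
    print(verify_jwt(token, KEY, audience=AUD, issuer=ISS))
```

Order matters less than completeness, but checking the signature before reading any claim means nothing in an unsigned payload ever influences a decision. The `leeway` allows for clock skew between issuer and API; keep it to seconds, not minutes, or short-lived tokens stop being short-lived.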

Learning Resources

Below are a few recommended ways to strengthen your Python and identity skills.

Overall Takeaway

Getting identity right from day one is critical to building secure, user-friendly applications. Rather than trying to reinvent the wheel, leverage open standards such as OAuth2 and OpenID Connect, plus robust libraries like MSAL, Flask-Dance, or Django OAuth Toolkit. Think deeply about auditing, controlling user permissions, and offering flexible login options. With the right tools and best practices, you can protect your users and your apps in a consistent, scalable way.

Links from the show

Christos on Twitter: @christosmatskas
John Patrick Dandison on Twitter: @azureandchill

shhgit live: shhgit.com
Twitch channel for Christos and JP: twitch.tv/425show

Passlib & Folding: passlib.readthedocs.io
Microsoft Authentication Library: github.com/AzureAD
authlib - JSON Object Signing and Encryption (JOSE) draft implementation: github.com
django-allauth - Authentication app for Django that "just works": github.com
django-oauth-toolkit - OAuth 2 goodies for Django: github.com
python-oauth2 - A fully tested, abstract interface to creating OAuth clients and servers: github.com
python-social-auth - An easy-to-setup social authentication mechanism: github.com
Episode transcripts: talkpython.fm
