Solutions Engineer at Okta. I write about identity, access management, and security. This site archives my published articles, talks, and presentations.
Every Vendor Security and Customer Requirement Questionnaire asks the same questions — the SIG words them one way, CAIQ another, HECVAT a third. The standard approach is to re-derive answers from scratch each time. The better approach is to treat this as a retrieval problem: build a canonical corpus of approved answers once, and match new questions to it.
Most analytics tools require a JavaScript snippet in every page — which means your readers' browsers are doing the tracking work, and adding a dependency you cannot fully control. In this post I will detail how I added page view tracking to this blog using Next.js 16's proxy layer and Vercel Blob, with no client-side JavaScript and no third-party analytics service.
Identity systems are very good at answering one question: who are you? What they are less good at is the follow-up: and who are you acting for? In this post I will look at why separating the authenticated user from the account or person they are acting within is important, what it enables across a range of industries, and how Auth0 and Auth0 FGA address the two complementary sides of the problem.
In part one we built the Auth0 ACUL screens for multi-tenant routing with a hardcoded lookup. In this post I will replace that with a real Cloudflare Worker backed by Workers KV, move to full email-address routing, handle users who exist across multiple tenants, and add Cloudflare Turnstile bot protection to the login screens.
Home Realm Discovery is a well-understood pattern at the network layer, but moving that routing logic inside Auth0's login flow using Advanced Custom Universal Login opens up some interesting possibilities — and a few unexpected challenges.