I'd highly recommend this approach as well. What started as a fascination for me turned into owning a suite of authentication capabilities as a technical PM for one of the SaaS vendors.
The problem with auth is that in practice, it's a lot of messy implementations of insufficient specifications requiring customizations/extensions. Reading a good explainer for, say, OAuth is a great thing to do, but it won't be sufficient due to the myriad of weird quirks across various apps'/vendors' implementations of Auth <Approach>. Dealing with those quirks helped me more deeply understand the underlying concepts and the intent of the spec.
The messiness of the space really means that to be successful, developing some deeper intuitions about how everything fits together can be extremely helpful. And to do this, I think that just playing with auth - a lot - is one of the best ways to develop these intuitions.
I personally liked to spin up dirt-simple Express.js apps, and then I'd wire up a sparse UI to the auth endpoints for some vendor, doing a barebones implementation of each thing needed to satisfy the auth protocol used. This really cemented the concepts for me and gave me a library of code that I could easily copy and tweak to experiment with something else.
I also read a lot of blog posts, watched a lot of YouTube videos, and went to an Auth conference or two.