This conference talk from nullcon Goa 2025 explores research techniques and findings on open-source Identity Providers (IdPs), specifically Keycloak and Authentik, which led to the discovery of 0-day vulnerabilities (CVE-2024-42490, CVE-2024-37905). Discover innovative research methodologies including ORM Leaks and web race conditions that security professionals can implement to identify similar vulnerabilities. Learn how an information leak investigation evolved into the development of the ORM Leak technique. The 33-minute presentation provides valuable insights for cybersecurity professionals interested in responsible disclosure practices and securing identity management systems.