Passwords

Jamf Connect Documentation


When a user logs in with Jamf Connect or Self Service+, their password is entered in a secure text field and never written to a disk outside the macOS keychain.

When Kerberos is used, the password is passed to the gss_aapl_initial_cred() API call, which authenticates the user and obtains a ticket-granting ticket (TGT). When changing passwords, the same process is followed using the gss_aapl_change_password() API call. Both API calls use Apple's implementation of Heimdal Kerberos.

Note:

All Kerberos actions are performed with Apple's APIs. The password is never cached with kinit or other Kerberos command-line interface (CLI) tools.
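The two API calls named above, shown in an added Objective-C example that is not Jamf Connect's own code: the password is handed to GSS.framework in an attributes dictionary and the TGT lands in the framework's own credential cache, with no kinit process or command line involved. The principal and password values are placeholders, and the attribute keys (kGSSICPassword, kGSSChangePasswordOldPassword, kGSSChangePasswordNewPassword) are taken from Apple's GSS.framework headers.

```objective-c
// Added example, not Jamf Connect code. Build on macOS with:
//   clang -fobjc-arc -framework GSS -framework Foundation krb.m -o krb
#import <Foundation/Foundation.h>
#import <GSS/GSS.h>

// Imports "user@REALM" as a GSS name; caller releases it with gss_release_name().
static gss_name_t importPrincipal(NSString *principal) {
    const char *utf8 = principal.UTF8String;
    gss_buffer_desc buf = { .length = strlen(utf8), .value = (void *)utf8 };
    gss_name_t name = GSS_C_NO_NAME;
    OM_uint32 minor = 0;
    OM_uint32 major = gss_import_name(&minor, &buf, GSS_C_NT_USER_NAME, &name);
    return GSS_ERROR(major) ? GSS_C_NO_NAME : name;
}

// Authenticates against the KDC and stores the TGT in GSS.framework's API cache.
// The password only ever exists in this process's memory and the attributes dictionary.
static BOOL acquireTGT(NSString *principal, NSString *password, NSError **outError) {
    gss_name_t name = importPrincipal(principal);
    if (name == GSS_C_NO_NAME) return NO;
    NSDictionary *attrs = @{ (__bridge NSString *)kGSSICPassword : password };
    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
    CFErrorRef cfError = NULL;
    OM_uint32 major = gss_aapl_initial_cred(name, GSS_KRB5_MECHANISM,
                                            (__bridge CFDictionaryRef)attrs, &cred, &cfError);
    OM_uint32 minor = 0;
    gss_release_name(&minor, &name);
    if (GSS_ERROR(major)) {
        if (outError) *outError = CFBridgingRelease(cfError);   // takes ownership
        else if (cfError) CFRelease(cfError);
        return NO;
    }
    gss_release_cred(&minor, &cred);   // drop our handle; the TGT stays in the cache
    return YES;
}

// Changes the Kerberos password through the same framework, never via a CLI tool.
static BOOL changePassword(NSString *principal, NSString *oldPw, NSString *newPw,
                           NSError **outError) {
    gss_name_t name = importPrincipal(principal);
    if (name == GSS_C_NO_NAME) return NO;
    NSDictionary *attrs = @{ (__bridge NSString *)kGSSChangePasswordOldPassword : oldPw,
                             (__bridge NSString *)kGSSChangePasswordNewPassword : newPw };
    CFErrorRef cfError = NULL;
    OM_uint32 major = gss_aapl_change_password(name, GSS_KRB5_MECHANISM,
                                               (__bridge CFDictionaryRef)attrs, &cfError);
    OM_uint32 minor = 0;
    gss_release_name(&minor, &name);
    if (GSS_ERROR(major)) {
        if (outError) *outError = CFBridgingRelease(cfError);
        else if (cfError) CFRelease(cfError);
        return NO;
    }
    return YES;
}
```

After a successful acquireTGT() call, `klist` on the same Mac lists the ticket under the API: credential cache, which is the observable difference from a kinit-based flow.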

When integrated with Okta as an identity provider (IdP), Jamf Connect and Self Service+ use the Okta Authentication API. For more information about the Okta Authentication API, see Application types (Okta Developer).

When integrated with other identity providers, Jamf Connect and Self Service+ use the OpenID Connect authentication protocol to communicate with the IdP.

Note:

All network connections are made using the macOS URL-loading API, URLSession. All communications are secured with TLS to ensure they cannot be tampered with in transit.

When passthrough authentication is enabled with the login window, user passwords entered in the login window web view are temporarily held in memory and used to log in or create a local account on the computer. When Jamf Connect is finished with the user's password, the value is immediately overwritten with nil and deallocated from memory.

For more information about OpenID Connect, see What is OpenID Connect.