Hi,
Today I am going to discuss basic authentication, authorization, and the OAuth and OpenID Connect flows.
First of all, we need to understand at a fundamental level the difference between authentication and authorization.
There are tons of articles explaining these. Below are two that I find interesting and easy to understand.
https://www.okta.com/identity-101/authentication-vs-authorization/
https://auth0.com/intro-to-iam/authentication-vs-authorization/
Let us consider an application (a web app, mobile app, native app, home device, etc.) as the system.
Within that system, authentication answers the question "who are you?": does the system recognise you from the credentials you provide? Authorization answers "what are you allowed to do?" once you are in.
Authentication only gets you into the system; it does not let you do whatever you want. That is where authorization comes into the picture.
Typically, apps assign roles to their users to distinguish different types of users, such as root, super user,
admin, manager, etc.
Here is a sample representation in picture form:
To achieve authentication and authorization, applications mainly use the following mechanisms (as far as I know):
- OAuth 2.0 (strictly an authorization framework: it delegates access to a user's resources, and on its own it does not tell the app who the user is)
- OpenID Connect (an authentication layer built on top of OAuth 2.0; it adds the ID token, which carries the user's identity)
- SAML
- Basic authentication (the user sends a username and password directly to the application; in HTTP this is the Authorization: Basic header, which carries the credentials base64-encoded, not encrypted, so it is only acceptable over TLS)
Now that you have some basic idea about authentication and authorization, let's understand how various apps use these mechanisms to secure their data (services).
You must have seen websites or mobile apps where you have the option to log in with Google or Facebook, etc.
This is where the OAuth and OpenID Connect flows come into the picture: the app never sees your Google password; it redirects you to the provider and gets back a code, which it exchanges for tokens.
Check the OAuth playground: https://www.oauth.com/playground/
Please see here to understand OAuth 2.0 and OpenID Connect.
Beginner's guide to SAML
The difference between all of them: https://www.okta.com/identity-101/whats-the-difference-between-oauth-openid-connect-and-saml/
Try to understand how the credentials you enter travel through the URLs by watching the Network tab of the browser's developer console; turn on the option to preserve the log, otherwise each redirect clears what you have captured so far.
Look at the request URLs, request headers, request payload, response headers and response body of each request in the console.
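Here is what you can read off a captured request, as an added example that is not from the original post: it classifies the flow from the query string of an authorization request, decodes a Basic or Bearer Authorization header the way the console lets you see it, and lists the ID token claims a relying party has to check. The URLs, credentials and token are constructed samples; the signature segment of the sample token is junk on purpose, because decoding a JWT in the console shows its claims but proves nothing until the signature is verified against the provider's published keys.

```javascript
// Added example: reading login traffic in the developer console. Not code from
// the original post; every URL, header value and token below is constructed.

// Which front-channel flow is this authorization request using?
function identifyFlow(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  if (q.has('SAMLRequest') || q.has('SAMLResponse')) return 'SAML (browser POST/redirect binding)';
  const rt = (q.get('response_type') || '').split(' ');
  const scopes = (q.get('scope') || '').split(' ');
  const proto = scopes.includes('openid') ? 'OpenID Connect ' : 'OAuth 2.0 ';
  const wantsTokenUpFront = rt.includes('id_token') || rt.includes('token');
  if (rt.includes('code') && wantsTokenUpFront) return proto + 'hybrid flow';
  if (rt.includes('code')) {
    return proto + (q.has('code_challenge') ? 'authorization code flow with PKCE'
                                            : 'authorization code flow (no PKCE)');
  }
  if (wantsTokenUpFront) return proto + 'implicit flow (tokens in the URL fragment, deprecated)';
  return 'not an OAuth/OIDC/SAML front-channel request';
}

// Base64url -> UTF-8. JWT segments and Basic credentials are encoded, never encrypted.
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Decode an Authorization header exactly as far as a console viewer could.
function inspectAuthorizationHeader(value) {
  const [scheme, ...rest] = value.trim().split(/\s+/);
  const credential = rest.join(' ');
  if (/^basic$/i.test(scheme)) {
    // Basic auth is "user:password" in base64: whoever sees the header has the password.
    const [user, ...pw] = Buffer.from(credential, 'base64').toString('utf8').split(':');
    return { scheme: 'Basic', user, passwordLength: pw.join(':').length };
  }
  if (/^bearer$/i.test(scheme)) {
    const parts = credential.split('.');
    if (parts.length !== 3) return { scheme: 'Bearer', format: 'opaque token' };
    return {
      scheme: 'Bearer',
      format: 'JWT',
      header: JSON.parse(b64urlDecode(parts[0])),
      payload: JSON.parse(b64urlDecode(parts[1])),
      signatureVerified: false, // decoding is not verifying; that needs the IdP's public key
    };
  }
  return { scheme, format: 'unknown' };
}

// Claims an OIDC relying party must check on an ID token (after the signature check).
function idTokenProblems(payload, { issuer, clientId, nonce, now = Math.floor(Date.now() / 1000) }) {
  const problems = [];
  if (payload.iss !== issuer) problems.push(`iss is ${payload.iss}, expected ${issuer}`);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(clientId)) problems.push('aud does not contain our client_id');
  if (typeof payload.exp !== 'number' || payload.exp <= now) problems.push('token expired or exp missing');
  if (nonce !== undefined && payload.nonce !== nonce) problems.push('nonce does not match the login we started');
  return problems;
}

// Constructed sample ID token: real-looking header and payload, junk signature.
function b64url(s) {
  return Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_PAYLOAD = { iss: 'https://idp.example.com', sub: 'user-123', aud: 'my-web-app',
                         exp: 1700000000, iat: 1699999400, nonce: 'n-0S6_WzA2Mj' };
const SAMPLE_ID_TOKEN = [
  b64url(JSON.stringify({ alg: 'RS256', kid: 'k1', typ: 'JWT' })),
  b64url(JSON.stringify(SAMPLE_PAYLOAD)),
  'not-a-real-signature',
].join('.');

// Demo on the constructed samples.
console.log(identifyFlow('https://idp.example.com/authorize?response_type=code&scope=openid%20email'
  + '&code_challenge=abc&code_challenge_method=S256&client_id=my-web-app'));
console.log(inspectAuthorizationHeader('Basic ' + Buffer.from('alice:hunter2').toString('base64')));
const seen = inspectAuthorizationHeader('Bearer ' + SAMPLE_ID_TOKEN);
console.log(seen.payload, idTokenProblems(seen.payload,
  { issuer: 'https://idp.example.com', clientId: 'my-web-app', nonce: 'n-0S6_WzA2Mj', now: 1699999900 }));
```

The `passwordLength` field is deliberate: the point of the Basic case is that the password is fully recoverable from the header, not that you should print it. For the Bearer case, the empty problem list on the sample only means the claims are consistent; a real relying party fetches the provider's JWKS and verifies the signature first.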
In practice, the login on almost any website or app follows one of these: OAuth 2.0, OpenID Connect, SAML, or basic (username and password) authentication.
Now you have a basic understanding of IAM (identity and access management).
We can learn a lot about authentication and authorization just by observing the developer console: we can see which identity platform the application is using and which flow it is following.
Nowadays, many companies that build apps (not all of them) use SaaS IAM solutions to delegate authentication and authorization (just Google how many vendors offer this service). This makes life easier for them, as they can concentrate on their core business logic.
In the next article I will write up simple steps for authenticating users with Okta in Golang.
Authentication and authorization are crucial for any application. If they are not implemented properly, they can incur huge losses for the company, which may lose the trust of its users, partners and other stakeholders.
Thank you for reading.
I wish you all the best for your goals.
Happy Coding :)