DEV Community

Sohil Lalakiya

๐Ÿ” Breaking Down Identity, Authentication, Authorization & SSO

This article introduces identity systems and explains the fundamental concepts behind them.

At the end of this article you will get the answers to the following questions:

  1. What is identity?
  2. What is authentication and authorization?
  3. What is access control?
  4. What are tokens?
  5. What is SSO?

Now first let's start by understanding what identity is.

What is Identity?

Identity refers to the unique representation of a person or system within the digital ecosystem.

For example: In real life your identity includes your name, fingerprint, photo ID, and in the digital world your identity includes your username, email, and user ID.

Identity also includes some attributes which are known as identity attributes or claims. This is extra information about the user, for example: name, role, department, etc.

Now let's talk about authentication and authorization.

๐Ÿ” What is Authentication?

Authentication is the process of verifying who the user is.

For example: you enter your email and password, and before letting you into the system, the system checks the password against the one stored for that email to verify that it is really you.

In the modern world, system authentication also includes OTP, biometrics, social login, etc.

๐Ÿ›ก๏ธ What is Authorization?

Authorization is the process of verifying what a user is allowed to do after the user is authenticated.

For example: after login, the system will check whether you are allowed to access and change user data or if you can just read the user data.

If you want to understand in simple terms:
Authentication is like a passport at the airport, and authorization will decide whether you sit in business class or economy.

๐Ÿข What is Identity Provider (IdP)?

An identity provider is a service that manages user identities and handles authentication.

The IdP stores user credentials and uses them for authentication. After authentication, it issues tokens for service provider applications.

Examples of IdPs: Google, Okta, Keycloak, etc.

What is Access Control?

Access control means controlling what users are allowed to do within the system.

There are many access control models, but the two main ones are:

  1. RBAC - Role Based Access Control
  2. ABAC - Attribute Based Access Control

RBAC: In role-based access control, permissions are based on the user's role.

For example:

  • admin role → can delete user
  • editor role → can edit and read user
  • viewer role → can only view user

ABAC: In attribute-based access control, permissions are based on the user's attributes, resources, and environment.

For example: Allow user if user's department is HR and resource type is employee data and action is view.

What are Tokens?

Tokens are digital objects that are used for authentication and authorization. Usually tokens are JWT-based (JSON Web Token).

There are mainly 3 types of tokens:

  1. Access Tokens
  2. Refresh Tokens
  3. ID Tokens

Access Token: It is used to access protected APIs or resources. It is valid for a short time and contains permissions (roles) and user ID.

Refresh Token: This is a long-lived token and it is used for getting new access tokens when needed.

ID Token: It contains claims about the authenticated user.
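The following is an added example (not the author's code) tying together the RBAC table above and the access token description: the IdP signs a short-lived HS256 JWT carrying the user ID and roles, and the application verifies signature and expiry before applying the role permissions. The function names, the secret and the "user-42" subject are constructed for the example; granting the admin role read and edit in addition to delete is an assumption.

```python
import base64, hashlib, hmac, json, time

# RBAC table from the article. Giving admin read/edit as well as delete is an assumption.
ROLE_PERMISSIONS = {
    "admin": {"read", "edit", "delete"},
    "editor": {"read", "edit"},
    "viewer": {"read"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access_token(sub: str, roles: list, secret: bytes, ttl: int = 300, now=None) -> str:
    """IdP side: sign short-lived claims (user ID, roles, expiry) as an HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "roles": roles, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_access_token(token: str, secret: bytes, now=None):
    """App side: accept only a well-formed, correctly signed, unexpired token; else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Pin the algorithm ourselves rather than trusting whatever the token's header says.
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError):
        return None  # bad part count, malformed base64/JSON, or a non-object header
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def is_allowed(token: str, action: str, secret: bytes, now=None) -> bool:
    """Authentication first (valid token), then authorization (RBAC); deny by default."""
    claims = verify_access_token(token, secret, now)
    if claims is None:
        return False
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in claims.get("roles", []))
```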

What is SSO?

SSO stands for Single Sign-On. It is an authentication method that allows users to log in once and access multiple applications without re-login.

For example: you log in to your Google account and now you can access YouTube, Gmail, and Google Drive.

โš™๏ธ How Does SSO Work?

All the applications trust the same identity provider. When you open an application, it first redirects you to the IdP. If you have already signed in there, the IdP does not ask for your credentials again: it confirms that you are authenticated and issues a token. The application accepts that token and lets you in.

Conclusion

Understanding identity and access control is fundamental for building secure digital systems. These concepts (identity, authentication, authorization, access control, tokens, and SSO) work together to ensure that the right users have the right access to the right resources at the right time. Mastering these basics will help you design better, more secure applications.
