This is the first post of a series in which I'm hoping to write about the basics of Identity Management.
I'll try to dive into topics like JWTs, Identity Providers, OAuth 2.0 and OpenID Connect but first, what better way to start than by discussing the concepts of Authentication and Authorization.
Let's start with some definitions:
- Authentication is the process or action of verifying the identity of a user or process.
- Authorization is the process of giving a user or process permission to do or have something.
We can already tell there's a subtle difference here, I usually like to think of real world analogies that can help clarify the differences.
For this concept, I find that a hotel analogy works best.
Let's imagine a traveller, Bob, going on a vacation and is trying to check-in to a hotel!
When Bob walks into the hotel for the first time, he will need to check-in, which he does by showing some form of identification that has his name, date of birth etc. Bob naturally uses his passport. This way, the hotel can verify that Bob is who he claims to be! The hotel just authenticated Bob.
Since the hotel trusts the form of identification that was provided by Bob, they provide him with a hotel key card! Bob can now access his room, use the gym or any other facility in the hotel; he has now been authorized to use these services.
The key takeaway here is that Bob does not need to show his passport every time he uses the gym, the key card authorizes him to use the hotel's facilities without the need to prove who he is.
Now that we looked at the analogy, what does this translate to in the online world, we go through this process hundreds of times in our lives but let's break it down.
A user visits a site and is asked to login, this is the authentication step. The identification is usually in the form of a username and a password, when the user provides the right combination, they are allowed access to the site.
Once the website authenticates the user, the user is now authorized to access the website without needing to login every time they wanted to perform an action on the site, imagine how annoying that would be! In the hotel case Bob was given a hotel key, online however, the user is usually given a session or a JSON Web Token (more on that later) both of which can behave as a way to prove the user is able to perform actions on the website.
There is an important observation we need to make that enables this model to work. It's the idea of trust.
In the real world the hotel has to trust whoever issued the passport to the traveller, the traveller can try to show fake identification but the hotel can simply reject that identification since they cannot trust where it came from. Similarly, if a user enters a wrong username and password, they will fail the authentication step and will be rejected by the website.
So, the hotel trusts a valid passport since it has been issued by a government. What does the website trust? Well in most cases, the website can trust itself, a user usually signs up with the website and as part of that registration process the website can verify the users email for example. This means that the website itself is the entity that issued the user's identity and it can therefore verify it!
We've all seen the sign-in with [insert social media site here] buttons all around the internet and I'm sure a lot of us use them. Even dev.to offers you the option to sign up/sign in with Github and Twitter.
What is happening there? Well, this just means that dev.to trusts Github or Twitter to tell them who you are safely and efficiently and they use them to authenticate you into dev.to!
This concept is called Delegated Authentication.
Safe delegated authentication is all possible thanks to OpenID Connect and OAuth 2.0 which are open standards and protocols that are implemented by most social media websites. These standards enable you to use one identity stored at one site and use it to access another site.
I will dive in deeper into delegated authentication, OAuth and OpenID Connect in a future post.
PS: If you have made it this far, thanks for reading!
This is my first post ever and I would appreciate some feedback in the comments section and if anyone has any questions do not hesitate to ask!