Auth Wiki

OpenID Connect
OAuth 2.0
SAML

Explore and find clear definitions of key glossaries related to authentication, authorization, and identity management. Work with open-standards like OpenID Connect, OAuth 2.0, and SAML.

A

Access control

Access control is the restriction of who can perform what actions on certain resources in a system. It is a fundamental security mechanism to define and enforce access policies.

Access token

An access token is a credential used to access protected resources on behalf of an identity (e.g., user or service). It is a bearer token that grants access to resources based on the token's scopes (permissions).

API key

An API key is a unique identifier used to authenticate and authorize a client when accessing an API. It serves as a secret token included in API requests to verify the client’s identity and allow access to specific resources or services. API keys are typically used in server-to-server communications or when accessing public data.

Attribute-based access control (ABAC)

Attribute-based access control (ABAC) is an access control model that uses attributes (such as user roles, resource properties, and environmental conditions) to make access control decisions. It is a flexible and dynamic way to manage access to protected resources.

Audience

The audience claim in a token specifies the intended recipient, typically the client application or API resource. It ensures the token is used only by the correct service, enhancing security by preventing unauthorized access.

Auth (disambiguation)

The term "auth" is often used as an abbreviation for authentication or authorization. These concepts are related but fundamentally different.

Authentication

Authentication is the process of verifying the identity ownership (e.g. user or service). It is the foundation of identity and access management (IAM) systems and is essential for securing applications and services.

Authentication request

An authentication request is an OpenID Connect (OIDC) request for authenticating a user. It reuses the OAuth 2.0 authorization request and extends it to support authentication.

Authorization

Authorization is the process of determining what actions an identity can perform on a resource. It is a fundamental security mechanism to define and enforce access policies.

Authorization code flow

The authorization code flow is a secure OAuth 2.0 mechanism that enables applications to obtain access tokens on behalf of users. It involves user authentication, authorization code generation, and token exchange.

Authorization request

An authorization request is an OAuth 2.0 request for authorizing a client to access protected resources on behalf of a user. It is the first step of user authorization flows in OAuth 2.0.

Authorization server

An authorization server is a component of the OAuth 2.0 framework that issues access tokens to clients upon successful authentication and authorization. It is also the OpenID Provider (OP) in OpenID Connect (OIDC) that issues ID tokens to clients.

C

Claim

A claim in JSON Web Token (JWT) is a name-value pair that conveys specific information. In a wider context, a claim can be any name-value pair that represents information.

Client

In OAuth 2.0 and OpenID Connect (OIDC), a client is an application that requests authentication or authorization on behalf of a user or itself. Clients can be public or confidential (private), and they use different grant types to obtain tokens.

Client credentials flow

Client credentials flow is an OAuth 2.0 grant type that allows confidential clients to obtain access tokens to access protected resources. It is suitable for machine-to-machine (server-to-server) communication.

Cross-site request forgery (CSRF)

Cross-site request forgery (CSRF) is an attack that deceives users into executing unwanted actions on a web application in which they are authenticated. It is a common security vulnerability that can lead to unauthorized actions.

D

Device flow

OAuth 2.0 device authorization flow is a user-friendly sign-in method for input-limited devices or headless applications. By verifying a unique device code, making it possible for users to authorize the device via a secondary device with a full user interface.

E

Enterprise SSO

Enterprise Single Sign-On (SSO) is a specific type of SSO designed for employees within an organization.

H

Hybrid flow

The hybrid flow is an OpenID Connect (OIDC) flow that combines the authorization code flow and the implicit flow. It is designed to provide a balance between security and usability for authentication.

I

ID token

An ID token is a JSON Web Token (JWT) issued by an authorization server to a client application. It contains information about the authenticated user, such as their unique identifier and claims. This token is used to verify the user's identity and allows the client application to access protected resources on behalf of the user.

Identity and access management (IAM)

Identity and access management (IAM) is a broad concept that encompasses the processes, technologies, and policies used to manage digital identities and control access to resources. It is a fundamental aspect of security in modern applications and systems.

Identity provider (IdP)

Identity provider (IdP) is a service that manages identities. Modern identity providers support OpenID Connect (OIDC) for authentication and OAuth 2.0 for authorization.

Implicit flow

The OIDC implicit flow is a authentication method for SPAs, enabling them to quickly receive tokens directly from the authorization server. While it simplifies the process by eliminating the need for a backend server, it comes with lower security due to token exposure in the URL.

J

JSON Web Encryption (JWE)

JSON Web Encryption (JWE) is a standard way to encrypt and decrypt data in JSON format. It is often used to protect sensitive information in transitting JSON Web Tokens (JWTs).

JSON Web Key (JWK)

A JSON Web Key (JWK) is a JSON-based format used for representing cryptographic keys. When multiple JWKs need to be grouped together, they are organized into a JSON Web Key Set (JWKS).

JSON Web Signature (JWS)

JSON Web Signature (JWS) is a standard way to sign and verify data in JSON format. It is often used to ensure the integrity and authenticity of JSON Web Tokens (JWTs) in OpenID Connect (OIDC).

JSON Web Token (JWT)

JSON Web Token (JWT) is an open standard defined in RFC 7519 that enables secure communication between two parties. It is compact, URL-safe, and self-contained, making it ideal for transmitting authentication and authorization data between services.

Just-in-time (JIT) provisioning

Just-in-time (JIT) provisioning is an identity and access management (IAM) process where user accounts are created dynamically and automatically when a user attempts to access a system or application for the first time. This approach helps streamline the onboarding process and ensures that user accounts are only created when needed, reducing administrative overhead and improving security.

M

Machine-to-machine

Machine-to-machine (M2M) communication refers to the automated exchange of data between devices without human intervention. In the context of authentication and authorization, M2M communication often involves a client application that needs to access resources, where the client application is a machine (service) or a machine acting on behalf of a user.

Magic link

Magic link is a one-time URL that can be used to complete authentication process.

Management API

The Management API in the context of identity and access management (IAM) allows for programmatic management of resources such as users, applications, roles, and permissions. Typically RESTful, it provides an abstraction layer between the IAM system and the user interface, enabling automation, integration, and custom feature development.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is a security mechanism that requires users to provide at least two forms of identification to complete the authentication process. It adds an extra layer of security that significantly reduces the risk of unauthorized access.

Multi-tenancy

Multi-tenancy is a software architecture where a single application instance serves multiple customers (tenants), keeping their data isolated and secure. It’s common in cloud computing and SaaS to optimize resources and simplify maintenance.

O

OAuth 2.0

OAuth 2.0 is a widely used authorization framework that allows an application (client) to obtain limited access to protected resources on behalf of a user or the application itself.

OAuth 2.0 grant

An OAuth 2.0 authorization grant (sometimes referred to as an "OAuth 2.0 grant type" or "OAuth 2.0 flow"), is a method used by clients to obtain an access token from an authorization server. It is an essential part for OAuth clients to authenticate and authorize identities.

OAuth 2.1

OAuth 2.1 is a proposed update to the OAuth 2.0 authorization framework that aims to improve security and usability by deprecating insecure flows and introducing new best practices.

Offline access

Offline access allows clients to obtain new access tokens without requiring the user to re-authenticate. It is useful for long-lived sessions and better user experience.

One-time password (OTP)

A One-time password (OTP) is a unique, temporary code that is used for a single transaction or sign-in session.

Opaque token

An opaque token is a type of token whose format is determined by the issuer, typically appearing as a string of characters or numbers, and requires validation by the issuer rather than containing all necessary information for direct validation.

OpenID Connect (OIDC)

OpenID Connect (OIDC) is an authentication (identity) layer on top of OAuth 2.0, allowing clients to authenticate users and obtain identity information in a standardized way.

OpenID Connect (OIDC) Discovery

OpenID Connect (OIDC) Discovery is a mechanism that allows clients to automatically discover the OpenID Provider's endpoints and configuration.

P

Passkey

Passkey is a phishing-resistant and convenient credential that replaces passwords which can be used for sign-in and multi-factor authentication.

Passwordless

Passwordless is an authentication method that allows users to sign in to computer systems without entering (or remembering) a password or any other knowledge-based secret.

Proof Key for Code Exchange (PKCE)

Proof Key for Code Exchange (PKCE) is a security extension for OAuth 2.0 that protects authorization codes from interception and misuse. It is enforced for all types of clients in OAuth 2.1.

R

Redirect URI

Redirect URI is a URI where the authorization server redirects the user-agent after an authorization request. It is an essential parameter in the OAuth 2.0 and OpenID Connect (OIDC) grants that involve user interaction.

Refresh token

A refresh token is a long-lived credential used to obtain new access tokens without requiring the user to re-authenticate. It is used to maintain user sessions and provide a better user experience.

Resource indicator

Resource indicator in OAuth 2.0 is an extension parameter defined in RFC 8707 that allows clients to specify the resource server's location in the authorization request. It provides a scalable way to handle multiple resource servers in a single authorization server.

Resource owner

A resource owner is an identity (usually a user) that has the ability to grant access to a protected resource. In OAuth 2.0, the resource owner can authorize the client to access its resources in a resource server on their behalf.

Resource server

Resource server refers to the server hosting the protected resources that the client wants to access. It also has the responsibility to verify the access tokens and serve the protected resources to the client.

Role

A role is a collection of permissions in access control systems that defines what actions users can perform, providing an efficient way to manage and assign access rights to users.

Role-based access control (RBAC)

Role-based access control (RBAC) is an access control model that assigns permissions to roles rather than directly to users, providing a flexible and efficient way to manage access rights in systems.

S

Scope

Scope defines the permissions that an application requests from a user to access their protected resources. It is a fundamental concept in OAuth 2.0 and OIDC that controls the level of access an application can have to a user's data.

Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between identity providers and service providers.

Service provider (SP)

Service provider (SP) is an application or service that relies on an identity provider (IdP) for authentication and authorization.

Signing key

A signing key is a cryptographic key used to sign and verify JSON Web Tokens in OpenID Connect (OIDC). It is used to ensure the integrity and authenticity of the tokens issued by the OpenID provider.

Single sign-on (SSO)

Single sign-on (SSO) is an authentication method that allows users to access multiple systems with a single set of credentials. As a key component of identity and access management (IAM) systems, SSO is widely used in modern cloud-based applications and services, simplifying user access and enhancing security.

T

Time-based one-time password (TOTP)

A time-based one-time password (TOTP) is a temporary, unique code generated by an algorithm that uses the current time as a key factor.

Token introspection

Token introspection is an OAuth 2.0 extension that allows clients to query the authorization server to validate access tokens and retrieve metadata about them.

Token request

Token request refers to the OAuth 2.0 request for exchanging credentials (e.g., authorization code, refresh token) for a set of tokens, typically including one or more of the following: access token, ID token, or refresh token.

U

Userinfo endpoint

Userinfo endpoint is an OpenID Connect (OIDC) endpoint that provides user information to clients. It is a supplementary endpoint to the ID token and allows clients to retrieve additional user information.

W

WebAuthn

WebAuthn is an API for accessing public key credentials, facilitating the implementation of passkeys.

Webhook

Webhooks are a method for web applications to communicate with each other in real-time. They allow one application to send automated messages or information to another application when a specific event occurs. Unlike traditional APIs where one application needs to poll another for updates, webhooks push data to the receiving application as soon as the event happens.