Logo Logo
GitHub Designed by Logto

A

Access control

Access control is the restriction of who can perform what actions on certain resources in a system. It is a fundamental security mechanism to define and enforce access policies.


Learn more

Access token

An access token is a credential used to access protected resources on behalf of an identity (e.g., user or service). It is a bearer token that grants access to resources based on the token's scopes (permissions).


Learn more

API key

An API key is a unique identifier used to authenticate and authorize a client when accessing an API. It serves as a secret token included in API requests to verify the client’s identity and allow access to specific resources or services. API keys are typically used in server-to-server communications or when accessing public data.


Learn more

Attribute-based access control (ABAC)

Attribute-based access control (ABAC) is an access control model that uses attributes (such as user roles, resource properties, and environmental conditions) to make access control decisions. It is a flexible and dynamic way to manage access to protected resources.


Learn more

Audience

The audience claim in a token specifies the intended recipient, typically the client application or API resource. It ensures the token is used only by the correct service, enhancing security by preventing unauthorized access.


Learn more

Auth (disambiguation)

The term "auth" is often used as an abbreviation for authentication or authorization. These concepts are related but fundamentally different.


Learn more

Authentication (AuthN)

Authentication is the process of verifying the identity ownership (e.g. user or service). It is the foundation of identity and access management (IAM) systems and is essential for securing applications and services.


Learn more

Authentication request

An authentication request is an OpenID Connect (OIDC) request for authenticating a user. It reuses the OAuth 2.0 authorization request and extends it to support authentication.


Learn more

Authorization

Authorization is the process of determining what actions an identity can perform on a resource. It is a fundamental security mechanism to define and enforce access policies.


Learn more

Authorization code flow

The authorization code flow is a secure OAuth 2.0 mechanism that enables applications to obtain access tokens on behalf of users. It involves user authentication, authorization code generation, and token exchange.


Learn more

Authorization request

An authorization request is an OAuth 2.0 request for authorizing a client to access protected resources on behalf of a user. It is the first step of user authorization flows in OAuth 2.0.


Learn more

Authorization server

An authorization server is a component of the OAuth 2.0 framework that issues access tokens to clients upon successful authentication and authorization. It is also the OpenID Provider (OP) in OpenID Connect (OIDC) that issues ID tokens to clients.


Learn more

C

Claim

A claim in JSON Web Token (JWT) is a name-value pair that conveys specific information. In a wider context, a claim can be any name-value pair that represents information.


Learn more

Client

In OAuth 2.0 and OpenID Connect (OIDC), a client is an application that requests authentication or authorization on behalf of a user or itself. Clients can be public or confidential (private), and they use different grant types to obtain tokens.


Learn more

Client credentials flow

Client credentials flow is an OAuth 2.0 grant type that allows confidential clients to obtain access tokens to access protected resources. It is suitable for machine-to-machine (server-to-server) communication.


Learn more

Cross-site request forgery (CSRF)

Cross-site request forgery (CSRF) is an attack that deceives users into executing unwanted actions on a web application in which they are authenticated. It is a common security vulnerability that can lead to unauthorized actions.


Learn more

Cryptographically secure pseudorandom number generator

A cryptographically secure pseudorandom number generator (CSPRNG) is a pseudorandom number generator that generates random numbers that are suitable for use in cryptographic applications where the security of the data is important.


Learn more

D

Device flow

OAuth 2.0 device authorization flow is a user-friendly sign-in method for input-limited devices or headless applications. By verifying a unique device code, making it possible for users to authorize the device via a secondary device with a full user interface.


Learn more

E

Enterprise SSO

Enterprise single sign-on (SSO) is a specific type of SSO designed for employees within an organization.


Learn more

eXtensible Access Control Markup Language (XACML)

eXtensible Access Control Markup Language (XACML) is an XML-based language for expressing access control policies. It is primarily used to implement attribute-based access control (ABAC) policies.


Learn more

H

Hybrid flow

The hybrid flow is an OpenID Connect (OIDC) flow that combines the authorization code flow and the implicit flow. It is designed to provide a balance between security and usability for authentication.


Learn more

I

ID token

An ID token is a JSON Web Token (JWT) issued by an authorization server to a client application. It contains information about the authenticated user, such as their unique identifier and claims. This token is used to verify the user's identity and allows the client application to access protected resources on behalf of the user.


Learn more

Identity and access management (IAM)

Identity and access management (IAM) is a broad concept that encompasses the processes, technologies, and policies used to manage digital identities and control access to resources. It is a fundamental aspect of security in modern applications and systems.


Learn more

Identity provider (IdP)

Identity provider (IdP) is a service that manages identities. Modern identity providers support OpenID Connect (OIDC) for authentication and OAuth 2.0 for authorization.


Learn more

Implicit flow

The OIDC implicit flow is a authentication method for SPAs, enabling them to quickly receive tokens directly from the authorization server. While it simplifies the process by eliminating the need for a backend server, it comes with lower security due to token exposure in the URL.


Learn more

J

JSON Web Encryption (JWE)

JSON Web Encryption (JWE) is a standard way to encrypt and decrypt data in JSON format. It is often used to protect sensitive information in transitting JSON Web Tokens (JWTs).


Learn more

JSON Web Key (JWK)

A JSON Web Key (JWK) is a JSON-based format used for representing cryptographic keys. When multiple JWKs need to be grouped together, they are organized into a JSON Web Key Set (JWKS).


Learn more

JSON Web Signature (JWS)

JSON Web Signature (JWS) is a standard way to sign and verify data in JSON format. It is often used to ensure the integrity and authenticity of JSON Web Tokens (JWTs) in OpenID Connect (OIDC).


Learn more

JSON Web Token (JWT)

JSON Web Token (JWT) is an open standard defined in RFC 7519 that enables secure communication between two parties. It is compact, URL-safe, and self-contained, making it ideal for transmitting authentication and authorization data between services.


Learn more

Just-in-time (JIT) provisioning

Just-in-time (JIT) provisioning is an identity and access management (IAM) process where user accounts are provisioned dynamically when a user signs in for the first time.


Learn more

M

Machine-to-machine

Machine-to-machine (M2M) communication refers to the automated exchange of data between devices without human intervention. In the context of authentication and authorization, M2M communication often involves a client application that needs to access resources, where the client application is a machine (service) or a machine acting on behalf of a user.


Learn more

Magic link

Magic link is a one-time URL that can be used to complete authentication process.


Learn more

Management API

The Management API in the context of identity and access management (IAM) allows for programmatic management of resources such as users, applications, roles, and permissions. Typically RESTful, it provides an abstraction layer between the IAM system and the user interface, enabling automation, integration, and custom feature development.


Learn more

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is a security mechanism that requires users to provide at least two forms of identification to complete the authentication process. It adds an extra layer of security that significantly reduces the risk of unauthorized access.


Learn more

Multi-tenancy

Multi-tenancy is a software architecture where a single application instance serves multiple customers (tenants), keeping their data isolated and secure. It’s common in cloud computing and SaaS to optimize resources and simplify maintenance.


Learn more

O

OAuth 2.0

OAuth 2.0 is a widely used authorization framework that allows an application (client) to obtain limited access to protected resources on behalf of a user or the application itself.


Learn more

OAuth 2.0 grant

An OAuth 2.0 authorization grant (sometimes referred to as an "OAuth 2.0 grant type" or "OAuth 2.0 flow"), is a method used by clients to obtain an access token from an authorization server. It is an essential part for OAuth clients to authenticate and authorize identities.


Learn more

OAuth 2.1

OAuth 2.1 is a proposed update to the OAuth 2.0 authorization framework that aims to improve security and usability by deprecating insecure flows and introducing new best practices.


Learn more

Offline access

Offline access allows clients to obtain new access tokens without requiring the user to re-authenticate. It is useful for long-lived sessions and better user experience.


Learn more

One-time password (OTP)

A One-time password (OTP) is a unique, temporary code that is used for a single transaction or sign-in session.


Learn more

Opaque token

An opaque token is a type of token whose format is determined by the issuer, typically appearing as a string of characters or numbers, and requires validation by the issuer rather than containing all necessary information for direct validation.


Learn more

OpenID Connect (OIDC)

OpenID Connect (OIDC) is an authentication (identity) layer on top of OAuth 2.0, allowing clients to authenticate users and obtain identity information in a standardized way.


Learn more

OpenID Connect (OIDC) Discovery

OpenID Connect (OIDC) Discovery is a mechanism that allows clients to automatically discover the OpenID Provider's endpoints and configuration.


Learn more

P

Passkey

Passkey is a phishing-resistant and convenient credential that replaces passwords which can be used for sign-in and multi-factor authentication.


Learn more

Passwordless

Passwordless is an authentication method that allows users to sign in to computer systems without entering (or remembering) a password or any other knowledge-based secret.


Learn more

Proof Key for Code Exchange (PKCE)

Proof Key for Code Exchange (PKCE) is a security extension for OAuth 2.0 that protects authorization codes from interception and misuse. It is enforced for all types of clients in OAuth 2.1.


Learn more

R

Redirect URI

Redirect URI is a URI where the authorization server redirects the user-agent after an authorization request. It is an essential parameter in the OAuth 2.0 and OpenID Connect (OIDC) grants that involve user interaction.


Learn more

Refresh token

A refresh token is a long-lived credential used to obtain new access tokens without requiring the user to re-authenticate. It is used to maintain user sessions and provide a better user experience.


Learn more

Resource indicator

Resource indicator in OAuth 2.0 is an extension parameter defined in RFC 8707 that allows clients to specify the resource server's location in the authorization request. It provides a scalable way to handle multiple resource servers in a single authorization server.


Learn more

Resource owner

A resource owner is an identity (usually a user) that has the ability to grant access to a protected resource. In OAuth 2.0, the resource owner can authorize the client to access its resources in a resource server on their behalf.


Learn more

Resource server

Resource server refers to the server hosting the protected resources that the client wants to access. It also has the responsibility to verify the access tokens and serve the protected resources to the client.


Learn more

Role

A role is a core concept in role-based access control (RBAC) systems, representing a collection of permissions that defines what actions users can perform, providing an efficient way to manage and assign access rights to users.


Learn more

Role-based access control (RBAC)

Role-based access control (RBAC) is an access control model that assigns permissions to roles rather than directly to users, providing a flexible and efficient way to manage access rights in systems.


Learn more

S

Scope

Scope defines the permissions that an application requests from a user to access their protected resources. It is a fundamental concept in OAuth 2.0 and OIDC that controls the level of access an application can have to a user's data.


Learn more

Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between identity providers and service providers.


Learn more

Service provider (SP)

Service provider (SP) is an application or service that relies on an identity provider (IdP) for authentication and authorization.


Learn more

Signing key

A signing key is a cryptographic key used to sign and verify JSON Web Tokens in OpenID Connect (OIDC). It is used to ensure the integrity and authenticity of the tokens issued by the OpenID provider.


Learn more

Single sign-on (SSO)

Single sign-on (SSO) is an authentication method that allows users to access multiple systems with a single set of credentials.


Learn more

T

Time-based one-time password (TOTP)

A time-based one-time password (TOTP) is a temporary, unique code generated by an algorithm that uses the current time as a key factor.


Learn more

Token introspection

Token introspection is an OAuth 2.0 extension that allows clients to query the authorization server to validate access tokens and retrieve metadata about them.


Learn more

Token request

Token request refers to the OAuth 2.0 request for exchanging credentials (e.g., authorization code, refresh token) for a set of tokens, typically including one or more of the following: access token, ID token, or refresh token.


Learn more

U

Userinfo endpoint

Userinfo endpoint is an OpenID Connect (OIDC) endpoint that provides user information to clients. It is a supplementary endpoint to the ID token and allows clients to retrieve additional user information.


Learn more

W

WebAuthn

WebAuthn is an API for accessing public key credentials, facilitating the implementation of passkeys.


Learn more

Webhook

Webhooks are a method for web applications to communicate with each other in real-time. They allow one application to send automated messages or information to another application when a specific event occurs.


Learn more