A
Access control
Access control is the restriction of who can perform what actions on certain resources in a system. It is a fundamental security mechanism to define and enforce access policies.
Learn more
Access token
An access token is a credential used to access protected resources on behalf of an identity (e.g., user or service). It is a bearer token that grants access to resources based on the token's scopes (permissions).
Learn more
API key
An API key is a unique identifier used to authenticate and authorize a client when accessing an API. It serves as a secret token included in API requests to verify the client’s identity and allow access to specific resources or services. API keys are typically used in server-to-server communications or when accessing public data.
Learn more
Attribute-based access control (ABAC)
Attribute-based access control (ABAC) is an access control model that uses attributes (such as user roles, resource properties, and environmental conditions) to make access control decisions. It is a flexible and dynamic way to manage access to protected resources.
Learn more
Audience
The audience claim in a token specifies the intended recipient, typically the client application or API resource. It ensures the token is used only by the correct service, enhancing security by preventing unauthorized access.
Learn more
Auth (disambiguation)
The term "auth" is often used as an abbreviation for authentication or authorization. These concepts are related but fundamentally different.
Learn more
Authentication
Authentication is the process of verifying the identity ownership (e.g. user or service). It is the foundation of identity and access management (IAM) systems and is essential for securing applications and services.
Learn more
Authentication request
An authentication request is an OpenID Connect (OIDC) request for authenticating a user. It reuses the OAuth 2.0 authorization request and extends it to support authentication.
Learn more
Authorization
Authorization is the process of determining what actions an identity can perform on a resource. It is a fundamental security mechanism to define and enforce access policies.
Learn more
Authorization code flow
The authorization code flow is a secure OAuth 2.0 mechanism that enables applications to obtain access tokens on behalf of users. It involves user authentication, authorization code generation, and token exchange.
Learn more
Authorization request
An authorization request is an OAuth 2.0 request for authorizing a client to access protected resources on behalf of a user. It is the first step of user authorization flows in OAuth 2.0.
Learn more
Authorization server
An authorization server is a component of the OAuth 2.0 framework that issues access tokens to clients upon successful authentication and authorization. It is also the OpenID Provider (OP) in OpenID Connect (OIDC) that issues ID tokens to clients.
Learn more
C
Claim
A claim in JSON Web Token (JWT) is a name-value pair that conveys specific information. In a wider context, a claim can be any name-value pair that represents information.
Learn more
Client
In OAuth 2.0 and OpenID Connect (OIDC), a client is an application that requests authentication or authorization on behalf of a user or itself. Clients can be public or confidential (private), and they use different grant types to obtain tokens.
Learn more
Client credentials flow
Client credentials flow is an OAuth 2.0 grant type that allows confidential clients to obtain access tokens to access protected resources. It is suitable for machine-to-machine (server-to-server) communication.
Learn more
Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF) is an attack that deceives users into executing unwanted actions on a web application in which they are authenticated. It is a common security vulnerability that can lead to unauthorized actions.
Learn more
Cryptographically secure pseudorandom number generator
A cryptographically secure pseudorandom number generator (CSPRNG) is a pseudorandom number generator that generates random numbers that are suitable for use in cryptographic applications where the security of the data is important.
Learn more
D
Device flow
OAuth 2.0 device authorization flow is a user-friendly sign-in method for input-limited devices or headless applications. By verifying a unique device code, making it possible for users to authorize the device via a secondary device with a full user interface.
Learn more
E
Enterprise SSO
Enterprise single sign-on (SSO) is a specific type of SSO designed for employees within an organization.
Learn more
eXtensible Access Control Markup Language (XACML)
eXtensible Access Control Markup Language (XACML) is an XML-based language for expressing access control policies. It is primarily used to implement attribute-based access control (ABAC) policies.
Learn more
H
Hybrid flow
The hybrid flow is an OpenID Connect (OIDC) flow that combines the authorization code flow and the implicit flow. It is designed to provide a balance between security and usability for authentication.
Learn more
I
ID token
An ID token is a JSON Web Token (JWT) issued by an authorization server to a client application. It contains information about the authenticated user, such as their unique identifier and claims. This token is used to verify the user's identity and allows the client application to access protected resources on behalf of the user.
Learn more
Identity and access management (IAM)
Identity and access management (IAM) is a broad concept that encompasses the processes, technologies, and policies used to manage digital identities and control access to resources. It is a fundamental aspect of security in modern applications and systems.
Learn more
Identity provider (IdP)
Identity provider (IdP) is a service that manages identities. Modern identity providers support OpenID Connect (OIDC) for authentication and OAuth 2.0 for authorization.
Learn more
Implicit flow
The OIDC implicit flow is a authentication method for SPAs, enabling them to quickly receive tokens directly from the authorization server. While it simplifies the process by eliminating the need for a backend server, it comes with lower security due to token exposure in the URL.
Learn more
J
JSON Web Encryption (JWE)
JSON Web Encryption (JWE) is a standard way to encrypt and decrypt data in JSON format. It is often used to protect sensitive information in transitting JSON Web Tokens (JWTs).
Learn more
JSON Web Key (JWK)
A JSON Web Key (JWK) is a JSON-based format used for representing cryptographic keys. When multiple JWKs need to be grouped together, they are organized into a JSON Web Key Set (JWKS).
Learn more
JSON Web Signature (JWS)
JSON Web Signature (JWS) is a standard way to sign and verify data in JSON format. It is often used to ensure the integrity and authenticity of JSON Web Tokens (JWTs) in OpenID Connect (OIDC).
Learn more
JSON Web Token (JWT)
JSON Web Token (JWT) is an open standard defined in RFC 7519 that enables secure communication between two parties. It is compact, URL-safe, and self-contained, making it ideal for transmitting authentication and authorization data between services.
Learn more
Just-in-time (JIT) provisioning
Just-in-time (JIT) provisioning is an identity and access management (IAM) process where user accounts are provisioned dynamically when a user signs in for the first time.
Learn more
M
Machine-to-machine
Machine-to-machine (M2M) communication refers to the automated exchange of data between devices without human intervention. In the context of authentication and authorization, M2M communication often involves a client application that needs to access resources, where the client application is a machine (service) or a machine acting on behalf of a user.
Learn more
Magic link
Magic link is a one-time URL that can be used to complete authentication process.
Learn more
Management API
The Management API in the context of identity and access management (IAM) allows for programmatic management of resources such as users, applications, roles, and permissions. Typically RESTful, it provides an abstraction layer between the IAM system and the user interface, enabling automation, integration, and custom feature development.
Learn more
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is a security mechanism that requires users to provide at least two forms of identification to complete the authentication process. It adds an extra layer of security that significantly reduces the risk of unauthorized access.
Learn more
Multi-tenancy
Multi-tenancy is a software architecture where a single application instance serves multiple customers (tenants), keeping their data isolated and secure. It’s common in cloud computing and SaaS to optimize resources and simplify maintenance.
Learn more
O
OAuth 2.0
OAuth 2.0 is a widely used authorization framework that allows an application (client) to obtain limited access to protected resources on behalf of a user or the application itself.
Learn more
OAuth 2.0 grant
An OAuth 2.0 authorization grant (sometimes referred to as an "OAuth 2.0 grant type" or "OAuth 2.0 flow"), is a method used by clients to obtain an access token from an authorization server. It is an essential part for OAuth clients to authenticate and authorize identities.
Learn more
OAuth 2.1
OAuth 2.1 is a proposed update to the OAuth 2.0 authorization framework that aims to improve security and usability by deprecating insecure flows and introducing new best practices.
Learn more
Offline access
Offline access allows clients to obtain new access tokens without requiring the user to re-authenticate. It is useful for long-lived sessions and better user experience.
Learn more
One-time password (OTP)
A One-time password (OTP) is a unique, temporary code that is used for a single transaction or sign-in session.
Learn more
Opaque token
An opaque token is a type of token whose format is determined by the issuer, typically appearing as a string of characters or numbers, and requires validation by the issuer rather than containing all necessary information for direct validation.
Learn more
OpenID Connect (OIDC)
OpenID Connect (OIDC) is an authentication (identity) layer on top of OAuth 2.0, allowing clients to authenticate users and obtain identity information in a standardized way.
Learn more
OpenID Connect (OIDC) Discovery
OpenID Connect (OIDC) Discovery is a mechanism that allows clients to automatically discover the OpenID Provider's endpoints and configuration.
Learn more
P
Passkey
Passkey is a phishing-resistant and convenient credential that replaces passwords which can be used for sign-in and multi-factor authentication.
Learn more
Passwordless
Passwordless is an authentication method that allows users to sign in to computer systems without entering (or remembering) a password or any other knowledge-based secret.
Learn more
Proof Key for Code Exchange (PKCE)
Proof Key for Code Exchange (PKCE) is a security extension for OAuth 2.0 that protects authorization codes from interception and misuse. It is enforced for all types of clients in OAuth 2.1.
Learn more
R
Redirect URI
Redirect URI is a URI where the authorization server redirects the user-agent after an authorization request. It is an essential parameter in the OAuth 2.0 and OpenID Connect (OIDC) grants that involve user interaction.
Learn more
Refresh token
A refresh token is a long-lived credential used to obtain new access tokens without requiring the user to re-authenticate. It is used to maintain user sessions and provide a better user experience.
Learn more
Resource indicator
Resource indicator in OAuth 2.0 is an extension parameter defined in RFC 8707 that allows clients to specify the resource server's location in the authorization request. It provides a scalable way to handle multiple resource servers in a single authorization server.
Learn more
Resource owner
A resource owner is an identity (usually a user) that has the ability to grant access to a protected resource. In OAuth 2.0, the resource owner can authorize the client to access its resources in a resource server on their behalf.
Learn more
Resource server
Resource server refers to the server hosting the protected resources that the client wants to access. It also has the responsibility to verify the access tokens and serve the protected resources to the client.
Learn more
Role
A role is a core concept in role-based access control (RBAC) systems, representing a collection of permissions that defines what actions users can perform, providing an efficient way to manage and assign access rights to users.
Learn more
Role-based access control (RBAC)
Role-based access control (RBAC) is an access control model that assigns permissions to roles rather than directly to users, providing a flexible and efficient way to manage access rights in systems.
Learn more
S
Scope
Scope defines the permissions that an application requests from a user to access their protected resources. It is a fundamental concept in OAuth 2.0 and OIDC that controls the level of access an application can have to a user's data.
Learn more
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between identity providers and service providers.
Learn more
Service provider (SP)
Service provider (SP) is an application or service that relies on an identity provider (IdP) for authentication and authorization.
Learn more
Signing key
A signing key is a cryptographic key used to sign and verify JSON Web Tokens in OpenID Connect (OIDC). It is used to ensure the integrity and authenticity of the tokens issued by the OpenID provider.
Learn more
Single sign-on (SSO)
Single sign-on (SSO) is an authentication method that allows users to access multiple systems with a single set of credentials.
Learn more
T
Time-based one-time password (TOTP)
A time-based one-time password (TOTP) is a temporary, unique code generated by an algorithm that uses the current time as a key factor.
Learn more
Token introspection
Token introspection is an OAuth 2.0 extension that allows clients to query the authorization server to validate access tokens and retrieve metadata about them.
Learn more
Token request
Token request refers to the OAuth 2.0 request for exchanging credentials (e.g., authorization code, refresh token) for a set of tokens, typically including one or more of the following: access token, ID token, or refresh token.
Learn more
U
Userinfo endpoint
Userinfo endpoint is an OpenID Connect (OIDC) endpoint that provides user information to clients. It is a supplementary endpoint to the ID token and allows clients to retrieve additional user information.
Learn more
W
WebAuthn
WebAuthn is an API for accessing public key credentials, facilitating the implementation of passkeys.
Learn more
Webhook
Webhooks are a method for web applications to communicate with each other in real-time. They allow one application to send automated messages or information to another application when a specific event occurs.
Learn more