by Ryan Boyd
Why not username & password?
- Trust
- Decreased user sensitivity to phishing
- Expanded access & risk
- Limited reliability
- Revocation challenges
- Passwords become required
- Difficulty implementing stronger authentication
Authentication & Authorization
- Authentication: verify the identity of the user
- Federated Authentication: rely on other services to do the authentication (OpenID Connect on top of OAuth 2.0)
- Authorization: right to perform some action
- Delegated authorization: granting access to another person or application to perform actions on your behalf
Roles
- Resource server: server containing the protected data
- Resource owner: user who has the ability to grant access to the protected data on the resource server
- Client: application making API requests to perform actions on the resource server
- Authorization server: gets consent from resource owner and issues access tokens to clients for accessing protected resources
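The four roles above modelled in a small in-memory simulation, added here as an illustration (not code from the book): the authorization server records the resource owner's consent and issues a scoped, expiring access token to the client; the resource server accepts a request only if the token is still valid and carries the needed scope, and a token can be revoked without touching the owner's password. The class names, token format, scope names and sample data are constructed for this example.

```python
import secrets
import time


class AuthorizationServer:
    """Gets the resource owner's consent and issues access tokens to clients."""

    def __init__(self):
        self._tokens = {}  # token -> {owner, client_id, scope, expires_at}

    def issue_token(self, owner, client_id, scope, ttl=3600, now=None):
        # Called only after 'owner' consented to 'client_id' acting on their
        # behalf for 'scope'. The client never learns the owner's password.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # opaque bearer token (constructed)
        self._tokens[token] = {"owner": owner, "client_id": client_id,
                               "scope": set(scope.split()),
                               "expires_at": now + ttl}
        return token

    def revoke(self, token):
        # Withdraw one delegation; other clients and the password are untouched.
        return self._tokens.pop(token, None) is not None

    def introspect(self, token, now=None):
        # Resource server asks: is this token still valid, and for what?
        now = time.time() if now is None else now
        info = self._tokens.get(token)
        if info is None or now >= info["expires_at"]:
            return None
        return info


class ResourceServer:
    """Holds the protected data; trusts only tokens the auth server vouches for."""

    def __init__(self, auth_server):
        self._auth = auth_server
        self._data = {"alice": ["contact-1", "contact-2"]}  # constructed sample

    def read_contacts(self, token, now=None):
        # Returns (HTTP status, data). Scope is enforced on every request.
        info = self._auth.introspect(token, now)
        if info is None:
            return 401, None
        if "contacts.read" not in info["scope"]:
            return 403, None
        return 200, self._data.get(info["owner"], [])
```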