Security, Authentication, Authorization and SSL

Authentication vs. Authorization

In simple terms,

  1. authentication is the process of verifying who a user is, or the user proving who they are, using a user ID and password or some other way
  2. authorization is the process of verifying what they have access to, or ensuring that the user is permitted to perform an action

Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity. Then, when you arrive at the gate, you present your boarding pass to the flight attendant, so they can authorize you to board your flight and allow access to the plane.

| Authentication | Authorization |
| --- | --- |
| Determines whether users are who they claim to be | Determines what users can and cannot access |
| Challenges the user to validate credentials (for example, through passwords, biometrics, authentication apps, one-time PINs, answers to security questions) | Verifies whether access is allowed through policies and rules |
| Usually done before authorization | Usually done after successful authentication |
| Generally transmits info through an ID Token | Generally transmits info through an Access Token |
| Generally governed by the OpenID Connect (OIDC) protocol | Generally governed by the OAuth 2.0 framework |
| Example: Employees in a company are required to authenticate through the network before accessing their company email | Example: After an employee successfully authenticates, the system determines what information the employee is allowed to access |

Different ways of implementing these

Keycloak authorization server, used for:

  1. securing the communication between services
  2. Identity and Access Management
  3. Single Sign-On

OAuth2

  1. Delegated authorization with access token

OpenID Connect

  1. Authentication with ID Token

Bearer Tokens

  1. https://swagger.io/docs/specification/authentication/bearer-authentication/
  2. https://oauth.net/2/bearer-tokens/#

A bearer token means that whoever bears (presents) the token is granted access: anybody who holds the access_token can call the API (and so reach the data), because the API does not check who is presenting it. There is no further authorization within a Bearer token. They are considered secure because of the fact that they are valid only for a limited time. If someone gets hold of a Bearer token and can use it, they can use it only for one hour before it expires.

Reading material

  1. https://www.keycloak.org/docs/latest/authorization_services/index.html
  2. https://auth0.com/docs/get-started/identity-fundamentals/authentication-and-authorization

Tags

  1. Understanding Google OAuth
  2. Understanding ID Token
  3. Understanding SSL
  4. Spring security
  5. Javascript - fetch requests with Bearer tokens