All you need to know about login (SSO, LDAP, SAML, OAuth, OpenID)
I was recently asked this question again: “What is the difference between authentication and authorization?”
Let’s touch on all of them in this single post: a walkthrough in 10 minutes.
Back to the old school

A quick explanation.
Login: Authentication (who you are). Before accessing any resource you need a “token”, and of course, before you can log in, you need to register first.
Token generation and verification: Authorization (what you can do). This is the step after logging in, or after renewing a token (using a refresh token). On each request the token is checked first (is it genuine, and still inside its time window?) and only then does the system decide what that identity may do. The token is stored in a database (or issued by a standalone IdP, depending on the design) and is valid only for a certain time window.
So what is a token? You can think of it as “a proof of identity that is valid within a time window” (it is signed, or opaque and looked up server-side, and only sometimes encrypted). Or you can treat it as either of the below:
- A movie or whatever ticket when watching a show
- A “day pass” when you enter a building
So the problem with the traditional flow above is that everyone reinvents the wheel. Think about 2 cases.
- Company systems: every company has to build its own login.
- Web applications: every application has its own “login module”, which is a big waste for developers and a disaster for end users (one more password to manage, one more place it can leak).
Let’s move on to see the solutions.
AD (Active Directory, shipped with Windows 2000) login and LDAP (Lightweight Directory Access Protocol, 1993)
In short, LDAP is a protocol, and AD is Microsoft’s directory service, which speaks LDAP (alongside Kerberos and DNS).
So now let’s focus on LDAP to understand how the “company standard authentication flow” works.
The Org chart

So LDAP is designed for fast company login and directory search.
- It stores an “organization tree” (the directory) with an entry for every staff member.
- Username/password validation is its own operation (a bind), usually preceded by an LDAP search that finds the user’s entry in the tree.
The LDAP login flow

As you can see, the LDAP flow is not that complicated. Two things to highlight.
- Directory: an org tree that stores staff information; the tree structure is what makes lookups fast.
- Username/password “validation”: the bind operation. The server checks the password against the entry; the application never sees the stored credential.
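The flow above, written out as code: an added example that is not part of the original post. It is a small in-memory simulator of the two LDAP operations (search and bind), not a real LDAP client or server; the directory entries, the `svc-login` service account and all passwords are constructed. It shows the usual “search-then-bind” login, why the username must be escaped before it goes into the search filter, and why an empty password must be refused before binding.

```python
"""Search-then-bind LDAP login against a tiny in-memory directory.

Constructed simulator (not a real LDAP client or server) that models the two
operations the post highlights: SEARCH (find the entry in the org tree) and
BIND (validate the password). Names and passwords are made up.
"""
import hashlib
import hmac
import re

# Constructed org tree: DN -> attributes. A real directory is slapd or AD; passwords are
# plain SHA-256 here only to keep the simulator short (real servers use salted schemes).
DIRECTORY = {
    "uid=alice,ou=engineering,dc=example,dc=com": {
        "uid": "alice", "cn": "Alice Liddell",
        "memberOf": ["cn=devs,ou=groups,dc=example,dc=com"],
        "userPassword": hashlib.sha256(b"correct horse").hexdigest(),
    },
    "uid=bob,ou=sales,dc=example,dc=com": {
        "uid": "bob", "cn": "Bob Stone", "memberOf": [],
        "userPassword": hashlib.sha256(b"hunter2").hexdigest(),
    },
    # Service account the application uses for the search step (assumed name).
    "cn=svc-login,ou=services,dc=example,dc=com": {
        "uid": "svc-login", "cn": "login service", "memberOf": [],
        "userPassword": hashlib.sha256(b"svc-secret").hexdigest(),
    },
}
BASE_DN = "dc=example,dc=com"
SERVICE_DN = "cn=svc-login,ou=services,dc=example,dc=com"


def escape_filter(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def filter_value_to_regex(value: str) -> str:
    """How the server reads a filter value: unescaped '*' is a wildcard, '\\xx' a literal byte."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return "".join(parts)


def ldap_search(base_dn: str, filt: str) -> list:
    """SEARCH: DNs under base_dn matching a (uid=...) equality filter (the only kind modelled)."""
    m = re.fullmatch(r"\(uid=(.*)\)", filt)
    if not m:
        raise ValueError("simulator only understands (uid=...) filters")
    rx = re.compile(filter_value_to_regex(m.group(1)))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base_dn) and rx.fullmatch(attrs["uid"])]


def ldap_bind(dn: str, password: str) -> bool:
    """BIND: authenticate as `dn`. An empty password is refused explicitly: on real servers a
    DN plus an empty password is an *unauthenticated* bind that succeeds as anonymous (RFC 4513)."""
    entry = DIRECTORY.get(dn)
    if entry is None or password == "":
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(entry["userPassword"], given)


def login(username: str, password: str):
    """Search-then-bind: find the user's DN with the service account, then bind as that DN."""
    if not ldap_bind(SERVICE_DN, "svc-secret"):
        raise RuntimeError("service account bind failed")
    matches = ldap_search(BASE_DN, "(uid=%s)" % escape_filter(username))
    if len(matches) != 1:          # unknown user, or an ambiguous match: refuse
        return None
    user_dn = matches[0]
    if not ldap_bind(user_dn, password):
        return None
    entry = DIRECTORY[user_dn]
    return {"dn": user_dn, "cn": entry["cn"], "groups": entry["memberOf"]}
```

`login("alice", "correct horse")` returns Alice’s DN and groups; `login("*", "hunter2")` returns `None` because the escaped filter `(uid=\2a)` matches nobody, whereas the raw filter `(uid=*)` would match every entry in the tree. Two checks a practitioner adds on top of this in production: require exactly one search hit before binding, and never forward an empty password to the bind.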
Let’s move on.
SAML(2005)
SAML (Security Assertion Markup Language) is an XML-based protocol and one of the first widely deployed standards for SSO (single sign-on); SAML 1.0 dates from 2002 and SAML 2.0 from 2005. If we look at single sign-on itself, the biggest achievement of SAML is to decouple the SP (Service Provider) from the IdP (Identity Provider).

Once SP and IdP are decoupled, the login flow is reusable. SSO brings 2 values:
- Build the IdP once and reuse it for every SP.
- A single login “session” across those SPs.
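What the SP side of the SAML exchange looks like in code, as an added example that is not part of the original post. The entity IDs and URLs are assumed, and the sample Response is constructed by hand. The block builds an AuthnRequest and packs it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), shows how the IdP unpacks it, and then runs the SP-side checks on the Response: status, InResponseTo, the NotBefore/NotOnOrAfter window and the Audience. XML signature verification is deliberately left out because it needs an XML-DSig library such as xmlsec; a real SP must verify the IdP’s signature before any of the other checks mean anything.

```python
"""SAML 2.0 SP side: AuthnRequest via the HTTP-Redirect binding, and validation of
the Conditions of the Response. Added example with assumed URLs/entity IDs; the
sample Response is constructed. Signature verification is NOT included.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://sp.example.com/metadata"   # assumed
SP_ACS_URL = "https://sp.example.com/acs"          # assumed
IDP_SSO_URL = "https://idp.example.com/sso"        # assumed


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """The SP's AuthnRequest. The SP remembers request_id to match the Response later."""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" '
            'IssueInstant="%s" AssertionConsumerServiceURL="%s">'
            '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
            % (SAMLP, SAML, request_id, issue_instant, SP_ACS_URL, SP_ENTITY_ID))


def redirect_binding_url(request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)        # -15: raw deflate, no zlib header
    deflated = comp.compress(request_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(query)


def decode_saml_request(url: str) -> str:
    """What the IdP does on arrival: reverse the encoding above."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def parse_instant(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def validate_response(response_xml: str, expected_request_id: str, now_iso: str) -> dict:
    """SP-side checks on a (signature-verified) Response. Raises ValueError on any failure."""
    now = parse_instant(now_iso)
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError("IdP reported failure: " + status)
    # InResponseTo ties the Response to a request we actually sent; a mismatch means a
    # replayed or unsolicited Response.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not (parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different SP")
    return {"name_id": assertion.find("saml:Subject/saml:NameID", NS).text,
            "issuer": assertion.find("saml:Issuer", NS).text}


def is_valid_response(response_xml: str, expected_request_id: str, now_iso: str) -> bool:
    try:
        validate_response(response_xml, expected_request_id, now_iso)
        return True
    except ValueError:
        return False


# Constructed Response as an IdP would return it for request "_req1" (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % (SAMLP, SAML, SUCCESS, SP_ENTITY_ID)
```

The decoupling the post describes is visible here: the SP never sees a password, only an assertion about `alice@example.com` that it accepts because (after signature verification) the issuer is its trusted IdP, the assertion names this SP as its audience, and it answers a request this SP made. In real deployments also allow a small clock skew on the window and reject an assertion ID you have seen before within that window.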
OpenID (2007), OAuth2 (2012) and OpenID Connect (2014)
Let’s look at one example.

Above is a combination of OpenID (steps #1 to #7) with OAuth2. To be precise, the OpenID that sits on top of OAuth2 is OpenID Connect (OIDC, 2014); the original OpenID 2.0 (2007) was a separate protocol that OIDC replaced. OpenID Connect focuses on authentication (who you are) and OAuth2 focuses on authorization (what resource you can access).
So as you can see, the OAuth2 focus is a bit different from SAML. SAML decouples the IdP from the SP so that one login protocol can be reused for all. OAuth2 is not an extension of SAML but a separate framework for delegated access; with OpenID Connect on top it covers the same SSO use case and adds a few things.
- OpenID Connect gives you SSO: one login, everywhere.
- It uses JSON and plain HTTP redirects instead of signed XML (developers like JSON and hate XML; I assume we all agree on this).
- Granular control via scopes (what can be accessed), shown to the user as a consent screen.
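The client (relying-party) side of that flow in code, as an added example that is not part of the original post: the authorization-code flow with PKCE, with the `openid` scope that turns it into an OpenID Connect login. The client ID, endpoints and redirect URI are assumed, and the IdP itself is not simulated; the block covers what the web app must generate before redirecting and what it must check when the browser comes back. The PKCE test vector is the one from RFC 7636 Appendix B.

```python
"""OAuth2 authorization-code flow with PKCE, used as an OpenID Connect login (web-app side).

Added example, not code from the post. Client ID, endpoints and redirect URI are assumed;
the IdP is not simulated, only what the relying party must generate and check.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://idp.example.com/oauth2/authorize"   # assumed
CLIENT_ID = "my-web-app"                                      # assumed
REDIRECT_URI = "https://app.example.com/callback"             # assumed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_pair(verifier: str = None):
    """code_verifier (kept secret by the client) and its S256 code_challenge (sent to the IdP)."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def start_login(session: dict, verifier: str = None) -> str:
    """Step 1: redirect the browser to the IdP. state/nonce/verifier stay in the server session."""
    state = b64url(secrets.token_bytes(16))      # binds the callback to this browser session
    nonce = b64url(secrets.token_bytes(16))      # must come back inside the id_token
    verifier, challenge = pkce_pair(verifier)
    session.update({"oauth_state": state, "oidc_nonce": nonce, "pkce_verifier": verifier})
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",     # "openid" is what turns OAuth2 into an OIDC login
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })


def handle_callback(session: dict, callback_url: str) -> dict:
    """Step 2: the IdP redirected back. Check state, then build the token-endpoint request body."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError("IdP returned error: " + qs["error"][0])
    # Compare against the session value, not merely "present": a forged callback carrying the
    # attacker's code would otherwise log the victim into the attacker's account (login CSRF).
    if qs.get("state", [None])[0] != session.get("oauth_state"):
        raise ValueError("state mismatch")
    return {
        "grant_type": "authorization_code",
        "code": qs["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),   # proves this client started the login
    }
```

Step 3 is a back-channel POST of that body to the IdP’s token endpoint. The answer contains an `access_token` (OAuth2: presented to the resource server, says what you may access) and, because `openid` was requested, an `id_token` (OIDC: a JWT for the client itself, says who the user is). The client must validate the `id_token` signature, issuer, audience, expiry and the `nonce` it stored in the session; the JWT checks later in this post are exactly those.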
Refresh token
What’s the point of a “refresh token”? I have always been asked this question.
The use case is to keep the session alive beyond the “access token” expiry window without asking for the password again. Then I was often asked: “Can we just use the username/password login to get a new access token every time it expires?”
Yes, but it is not recommended, because it lowers the security of the system.
- The user credential has to be sent over the network very often (every 20 minutes or less), and the client has to keep it around in order to do so.
- Or you make the access token expiry very long to avoid the above, which increases the risk once the token is stolen (in transit, from logs, or from a compromised client).
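The two ideas from the start of the post (a token stored server-side that is only valid inside a time window) and this section (a refresh token that extends the session without resending the password) in one piece of code, as an added example that is not part of the original post. It is an in-memory store with a fake clock standing in for the database/cache and real time, and the TTLs are assumed values. It also shows the check a practitioner wants on top: refresh tokens are single-use, and presenting one twice revokes the whole chain descended from that login.

```python
"""Opaque access/refresh tokens with a time window, server-side storage, and refresh-token
rotation with reuse detection.

Added example, not code from the post. In-memory store and an injectable clock stand in
for the database/cache and real time; TTLs are assumed values.
"""
import hashlib
import secrets
import time

ACCESS_TTL = 15 * 60            # short: limits what a leaked access token is worth
REFRESH_TTL = 30 * 24 * 3600    # long, but each refresh token is single-use


class TokenStore:
    """Only SHA-256 hashes of tokens are stored, so a leaked DB does not contain usable tokens."""

    def __init__(self, now=time.time):
        self.now = now
        self.access_tokens = {}     # sha256(token) -> {"sub", "exp"}
        self.refresh_tokens = {}    # sha256(token) -> {"sub", "exp", "family", "used"}
        self.revoked_families = set()

    @staticmethod
    def digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_pair(self, sub: str, family: str) -> dict:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        now = self.now()
        self.access_tokens[self.digest(access)] = {"sub": sub, "exp": now + ACCESS_TTL}
        self.refresh_tokens[self.digest(refresh)] = {
            "sub": sub, "exp": now + REFRESH_TTL, "family": family, "used": False}
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def login(self, sub: str, password_ok: bool):
        """The password is checked once (LDAP bind, hash check, ...); after that only tokens travel."""
        if not password_ok:
            return None
        # A 'family' groups every token descended from one login so the whole chain can be revoked.
        return self.issue_pair(sub, family=secrets.token_hex(8))

    def verify_access(self, token: str):
        """Per-request check: returns the subject, or None when unknown or outside the window."""
        rec = self.access_tokens.get(self.digest(token))
        if rec is None or rec["exp"] <= self.now():
            return None
        return rec["sub"]

    def refresh(self, token: str):
        """Exchange a refresh token for a new pair. Each refresh token works exactly once."""
        rec = self.refresh_tokens.get(self.digest(token))
        if rec is None or rec["exp"] <= self.now() or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            # The same refresh token presented twice: either the legitimate client or a thief is
            # replaying it. We cannot tell which, so revoke the family and force a new login.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self.issue_pair(rec["sub"], rec["family"])
```

With this design the password crosses the network once per login, the access token that is sent on every request dies after 15 minutes, and a stolen refresh token is caught the moment both the thief and the real client try to use it.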
JWT (2010)
But wait. What about JWT? Can a JWT be used in OAuth2?
Let’s assume the token above is a “random string” generated by the IdP and stored in a database or some cache. What’s the first problem you could think of?
Yes: the centralized service (server) becomes a bottleneck, because every request has to hit the token store. JWT comes to address this problem:
- Decentralization: it fits a distributed system, since any service can validate the token locally.
- It is a self-contained token (the claims travel inside it), which reduces server load.
- Separation of the token issuing and token validation processes improves flexibility and performance; with an asymmetric signature (RS256/ES256) validators only hold the public key, so a compromised validator cannot mint tokens.
- Strong cryptographic algorithms (e.g. elliptic curve signatures, ES256) are available.
The flip side of “self-contained” is that a JWT cannot be revoked before it expires unless you keep a denylist (which brings the central store back), so keep the expiry short and pair it with refresh tokens. And the verifier must pin the algorithm it expects instead of trusting the token’s own alg header.
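Minting and verifying a JWT, as an added example that is not part of the original post. It uses HS256 from the standard library only (no third-party dependency), with an assumed key, issuer and audience; for the issuer/validator separation described above you would switch to RS256/ES256 so that validators hold only the public key, but the claim checks stay the same. The block also includes a deliberately forged `alg: none` token to show it being rejected.

```python
"""Minting and verifying a JWT with HS256 from the standard library, with the checks a
resource server must do before trusting the claims.

Added example, not code from the post. Key, issuer and audience are assumed.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: header.payload.signature, HMAC-SHA256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def alg_none_token(claims: dict) -> str:
    """Attacker-crafted token: alg "none" and an empty signature. Used to show it is rejected."""
    header = {"alg": "none", "typ": "JWT"}
    return (b64url_encode(json.dumps(header).encode()) + "." +
            b64url_encode(json.dumps(claims).encode()) + ".")


def verify_jwt(token: str, key: bytes, audience: str, issuer: str, now: float = None) -> dict:
    """Validator side. Raises ValueError on any problem; returns the claims only if all checks pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm. Trusting header["alg"] lets an attacker choose "none" or, with RSA
    # keys, downgrade to HS256 using the public key as the HMAC secret.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this service")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired (or no exp at all)")
    if claims.get("nbf", 0) > now:
        raise ValueError("not yet valid")
    return claims


def safe_verify(token: str, key: bytes, audience: str, issuer: str, now: float = None):
    """Same as verify_jwt but returns None instead of raising (for middleware and tests)."""
    try:
        return verify_jwt(token, key, audience, issuer, now)
    except (ValueError, KeyError, TypeError):
        return None
```

The order matters: the signature is checked before any claim is read, so a tampered payload is never parsed into a decision, and the audience check is what stops a token minted for one API from being replayed against another. Nothing here consults a database, which is the property the section above is about; it is also why the only way to “log out” such a token early is to wait for `exp` or to keep a denylist.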
In short JWT itself is another topic, you may refer to my earlier post here.
Kerberos (1988)
You may refer to my earlier post here.
Last
Please let me know if I have missed anything or if there is any interesting topic you want to discuss.
Thanks for reading and see you in the next post.