Authentication and Authorization Protocols

Authorization and authentication are two distinct concepts that are often used interchangeably but have different meanings in the context of computer security.

Authentication is the process of verifying the identity of a user or system, typically through credentials such as a username and password, biometric data, or security tokens. It ensures that only known, verified individuals or entities get into a system, network, or application. Authentication is a fundamental security measure that helps prevent unauthorized access and protects sensitive information from being compromised.

Authorization, on the other hand, is the process of granting or denying access to specific resources or actions based on the authenticated user's identity, privileges, and permissions. It determines what actions a user is allowed to perform and what resources they can access. Authorization ensures that users are granted only the privileges necessary to perform their assigned tasks and prevents them from accessing sensitive data or performing actions that could compromise system security.

In summary, authentication is about verifying who you are, while authorization is about determining what you are allowed to do based on your identity and privileges.

Authentication methods

Single Sign On

Single sign-on (SSO) is a mechanism that allows users to authenticate their identity and access privileges to multiple websites, services, or apps by using just one set of login credentials. SSO uses a central authentication server that manages user credentials and provides a single point of access to multiple applications. With SSO, users only need to authenticate once, using a single set of login credentials, and subsequent access to other applications or services is granted automatically.

SSO simplifies the user experience: users don't have to remember multiple usernames and passwords or spend time logging in and out of different systems. It can also improve security by reducing password reuse and the exposure to phishing and other attacks that exploit weak or compromised passwords. The trade-off is a single point of failure: if the credentials used for SSO are compromised, so is the user's access to every site, app, and service they used them to log in to, as well as all the data held by those third parties.

There are several types of SSO systems, including:

  1. Web-based SSO: This type of SSO system uses a web browser to authenticate the user and provide access to web-based applications.
  2. Federated SSO: This type of SSO system allows users to access multiple applications or systems across different organizations, domains, or networks using a single set of login credentials. It uses standardized protocols such as Security Assertion Markup Language (SAML) or OpenID Connect to facilitate trust between different systems and enable secure data exchange.
  3. Enterprise SSO: This type of SSO system allows users to access multiple applications or systems within an organization using a single set of login credentials. It is typically integrated with enterprise directory services such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) to manage user authentication and authorization.

Web Authentication API (WebAuthn)

The Web Authentication API (also known as WebAuthn) is a specification written by the World Wide Web Consortium (W3C) and The Fast IDentity Online Alliance, known as FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users with public-key cryptography instead of a password.

Authorization Methods

OAuth and OAuth2 Standard

OAuth is an open standard for authorization that allows users to grant third-party applications access to their resources without sharing their credentials. It provides a secure and standardized way for users to grant other websites or applications permission to access their resources, such as photos, contacts, or other data, without sharing their usernames and passwords. OAuth uses tokens to grant access, which the user can revoke at any time, making it a more secure and convenient alternative to handing a password to the third party. OAuth is widely used by major technology companies, including Facebook, Google, and Twitter, and is an important component of modern web and mobile application development.

OAuth 2 is a newer version of OAuth that simplifies the authorization process and provides better support for mobile and cloud-based applications. It introduces concepts such as access tokens and scopes to make it easier to implement and use, and it supports several authorization flows (grant types), including implicit, authorization code, client credentials, and resource owner password credentials. These flows give developers flexibility in how authorization is performed, making it easier to integrate OAuth into their applications.
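As an added example, not code from the original article or from any OAuth implementation, the following Python sketch models the authorization code flow named above: a one-time code bound to a registered redirect URI, the state value echoed back to the client, a scoped bearer token, and revocation. The client name, redirect URI and scope are constructed for the example.

```python
import secrets
import time

# Constructed client registration for this example (not a real service).
CLIENTS = {"photo-app": {"redirect_uri": "https://photo-app.example/cb"}}


class AuthorizationServer:
    # Toy OAuth 2 authorization server: one-time codes, then scoped bearer tokens.
    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, scopes, expires_at)
        self._tokens = {}  # access token -> scopes

    def authorize(self, client_id, redirect_uri, scopes, state):
        # Runs after the resource owner consents: the code is bound to the client's
        # registered redirect URI, expires quickly, and 'state' is echoed back.
        if CLIENTS.get(client_id, {}).get("redirect_uri") != redirect_uri:
            raise ValueError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, frozenset(scopes), time.time() + 60)
        return {"code": code, "state": state}

    def exchange(self, code, client_id, redirect_uri):
        entry = self._codes.pop(code, None)  # pop: a code is consumed on first use
        if entry is None:
            raise ValueError("unknown or already used code")
        c_id, r_uri, scopes, expires_at = entry
        if (c_id, r_uri) != (client_id, redirect_uri) or time.time() > expires_at:
            raise ValueError("code does not match client/redirect_uri or has expired")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = scopes
        return {"access_token": token, "token_type": "Bearer", "scope": " ".join(sorted(scopes))}

    def allows(self, token, required_scope):
        # Resource-server check: the token must still be live and carry the scope.
        return required_scope in self._tokens.get(token, frozenset())

    def revoke(self, token):
        self._tokens.pop(token, None)  # the user withdraws the grant; no password changes


def run_flow(server, client_id="photo-app", redirect_uri="https://photo-app.example/cb"):
    # Client side of one authorization-code flow; returns the code and token it obtained.
    sent_state = secrets.token_urlsafe(16)
    resp = server.authorize(client_id, redirect_uri, ["photos:read"], sent_state)
    if resp["state"] != sent_state:  # not the redirect we started: reject (CSRF guard)
        raise ValueError("state mismatch")
    return resp["code"], server.exchange(resp["code"], client_id, redirect_uri)
```

The flow shown is the authorization code grant; the implicit grant listed above returns the token directly in the redirect and is discouraged by current OAuth 2.0 security guidance.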

OpenID Connect

OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It forms a simple identity layer on top of the OAuth 2.0 protocol.

OpenID Connect lets websites and apps authenticate their users across other websites and apps without having to own and manage password files. For the app builder or website owner, it provides a secure, verifiable answer to the question: “What is the identity of the person currently using the browser or native app that is connected to me?” In other words, it lets app and website owners authenticate users without taking on the responsibility of storing and managing passwords and the associated security and legal risk of custodying personal data.

OpenID for Verifiable Credentials (OpenID4VC)

OpenID for Verifiable Credentials is a way to decouple the issuance and presentation of credentials to enable a user to directly present identity claims to a relying party.

Authentication vs Authorization in Practice

OAuth is a protocol that allows users to grant third-party applications access to their resources without giving away their login credentials. It is commonly used by web applications and APIs to obtain access to user data held by other services such as social media sites, email providers, and cloud storage platforms. OAuth provides authorization: it grants access to specific resources without the user having to share their login credentials.

Single sign-on (SSO), on the other hand, provides authentication: as described above, users authenticate once to a central authentication server with a single set of login credentials, and access to the other websites, services, and apps that trust that server is then granted automatically.

While authorization (OAuth) and authentication (SSO) are different, they combine well. For example, a user can authenticate through an SSO system and then use OAuth to authorize a third-party application to access their resources without logging in again. More simply: SSO provides authentication, and OAuth provides authorization for a third-party app to access the user's resources.
