Web Security, SSO and Federation

Mayank Dixit, published in Nut-shell
Jun 25, 2019 (2 min read)

There are already many resources online explaining each of these things and when to use which, with plenty of analogies for understanding web security standards. The internet is cool. So here is my effort to note down a few things about the trending topic on the web: security.

TL;DR

Web security needs a few things done (auth), and there are a few ways to do them. They are described below.
SSO is a way of using one account to log in to / authenticate with other websites or platforms, e.g. Google SSO for Evernote login.
Federation is the process of exchanging (hand-shaking) information by establishing trust between two parties (mostly referred to as the service provider and the identity provider).

Still with me? Cool. We’re gonna cover

  1. Authentication & Authorization (🔐 since everybody starts from here)
  2. Types of Auth (in order of evolution 🐒 🚶💃)

Authentication & Authorization:

Authentication is just about identifying users (a valid ID is enough).
Authorization is another level of security: a valid ID still needs clearance to access some resource.

You’re able to see the user view of a website because you’re authenticated, but to see the admin panel you need to be authorized.

Before we get ourselves into the trouble of knowing too much, let’s warm up with some jargon:

Assert: to validate a signed XML document carrying info about an authentication (who signed it, who was authenticated, etc.)
JWT: JSON Web Tokens
IAM: Identity & Access Management

Let’s now discuss the…

Types

1. Basic Authentication:

  • First of its kind
  • Suggests that you can just use some common data to authenticate yourself, like uname/pass.
  • But encode them in Base64 for common understanding.
  • And since encoding is still not safe, do it all over HTTPS.

2. SAML (Security Assertion Markup Language)

  • Oldest in this game
  • Supports both authentication and authorization
  • Uses XML, being born in the time when XML was cool!
  • SP and IdP are the involved parties. e.g. the grocery store is the SP, your DL (driving licence) issuer is the IdP.
  • Provides SSO using assertions
  • For security, we sign the authentication data.
  • Downside: it’s complex to understand and implement.

3. OAuth 2.0

  • It’s all about authorization (nothing specific for authentication)
  • Use OpenID Connect (a protocol on top of OAuth 2.0) for authentication
  • No enforced encryption, unlike basic auth; they’re cool with HTTP
  • uname/pass is replaced with tokens, passed in Authorization: Bearer <access token>
  • Jargon: access token / refresh token

4. JWT

  • Extension of OAuth 2.0
  • Authentication + authorization + security data (a claim)
  • Example of security data: “Hey, the name’s Kevin (authenticate me based on it). I want to enter Area 51! (Check if I’m authorized to pass the gate.) But I’m not allowed to enter the secret chamber! (Security data)”
  • Use: Authorization: Bearer <jwt>
  • A JWT has the form header.payload.signature

Glossary:

  1. https://tomer-ben-david.github.io/security-primer
