Digital Identity?

Truong Loan
Published in swile-engineering
4 min read · May 20, 2022

A person’s digital identity is the set of attributes that characterize them. Examples include an individual’s physical characteristics (hair colour, eye colour or skin colour), qualifications, place of birth or political affiliation. All of this information can be used to identify a person online.

Fortunately for us, this information is not held by a unique entity. No single online service is going to know all of a person’s identity attributes. The information is spread across all the services that one can use on the Internet.

With the increase in the use of web and mobile services, the use of digital identity is increasing. The same person can have many identities. All these identities will want to use different services and potentially communicate with each other to share information.

Different identities that wish to connect to different services.

A person may be a member of one or more social networks. They will need to be able to add contacts from their mailbox or phone. They may also be a customer of a bank, where they will need to see their account balance and transfer money. The same person may be a citizen of a country and want to declare their taxes on the web or in a mobile application.

Digital identity is spread over many services.

These are all different organizations that will communicate with each other to share information about the user.

We can ask ourselves: how can the services communicate with each other? How can they share information about a user, and do it securely?

We need to build a system that simplifies the management of a user’s various digital identities, so that information the user has already filled in with one service is not duplicated in another. For example, a user who has an account on a social network wants to import his contacts from another network. How can they import these contacts without having to add them one by one?

Import these contacts into an application

To address this need and to standardize the way the different services communicate, open protocols such as SAML and OAuth have been created. These protocols do not belong to any company; they are standards to be followed.

Open standards protocols

The most famous are:

  • SAML (Security Assertion Markup Language): allows the user to authenticate once (single sign-on) and then access several resources. This protocol is very widespread and has enabled centralized user management.
  • OAuth 2.0: allows a user to authorize an application to access the resources held by another service.
  • OIDC (OpenID Connect): built on top of OAuth 2.0, allows a user to be authenticated.
  • JWT (JSON Web Token): a compact, signed token format that allows claims to be exchanged securely between several services.

These standards are intended to define:

  • the roles of the different applications and providers
  • how those roles interact with each other and, above all, how they communicate identity and resource attributes securely.

Let’s take the OAuth2 standard and try to understand how it works.

Example: we have our user Emma, who has just created an account on the professional network LinkedIn. She wants to import her contacts from her Gmail account. To do this, LinkedIn will use the OAuth 2 protocol to request permission to access those Gmail contacts.

Authorisation flow

Emma connects to LinkedIn, which asks to import her Gmail contacts. After Emma authorizes LinkedIn to access those contacts, Gmail provides access to the resource so that LinkedIn can display it to Emma.

The notion of permission represents the act of authorizing a service (in this case LinkedIn) to access part of the Gmail resources (the contacts). The permission given by the user is not full access. In this example, the LinkedIn platform has access to the Gmail contact list, but not to emails.

Like a holiday rental, you don’t have access to the whole house. You only have access to the parts of the house to which you have been granted access. You can use the living room, the toilets, the bedrooms and the terrace. You will not have access to the cellar and some private rooms.
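To make the flow concrete, here is an added example (not the article’s or Swile’s code) that simulates the three parties in one process: Emma, the LinkedIn client application, and Gmail acting as both authorization server and resource server. The access token is a JWT signed with HMAC-SHA256 using only the Python standard library, which also illustrates the JWT item from the standards list above. The client id, redirect URI, key, contacts and the `contacts`/`mail` scope names are all constructed for the demo; it also goes slightly beyond the text by showing two checks a real authorization server performs (the authorization code is single-use, and the redirect URI must match the registered one).

```python
"""Toy OAuth2 authorization-code flow with a JWT access token.
Added example, not the article's or Swile's code; every endpoint, key and
name below is constructed for the demo and runs offline in one process."""
import base64, hashlib, hmac, json, secrets, time

# Constructed secrets and data; a real deployment keeps the key in a KMS/HSM.
AUTH_SERVER_KEY = b"constructed-hmac-key-for-demo-only"
REGISTERED_CLIENTS = {"linkedin": {"redirect_uri": "https://linkedin.example/callback"}}
GMAIL_DATA = {
    "emma": {
        "contacts": ["alice@example.org", "bob@example.org"],
        "mail": ["Subject: salary review (private)"],
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT: b64url(header).b64url(payload).b64url(signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_verify(token: str, key: bytes) -> dict:
    """Check the signature in constant time and the expiry; return the claims or raise."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims


class AuthorizationServer:
    """Gmail's authorization endpoint and token endpoint, simplified."""

    def __init__(self):
        self._codes = {}  # one-time authorization code -> (client_id, user, scope)

    def authorize(self, client_id, redirect_uri, scope, user, consent: bool):
        """Emma is redirected here, sees the consent screen and accepts or declines."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not consent:
            raise PermissionError("user denied access")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, user, scope)
        return code  # in reality delivered via a redirect to redirect_uri

    def token(self, client_id, code):
        """The client exchanges the one-time code for an access token."""
        entry = self._codes.pop(code, None)  # pop: a code is consumed on first use
        if entry is None or entry[0] != client_id:
            raise ValueError("invalid or already-used code")
        _, user, scope = entry
        claims = {"sub": user, "aud": client_id, "scope": scope, "exp": time.time() + 600}
        return jwt_sign(claims, AUTH_SERVER_KEY)


def resource_server_get(token: str, resource: str):
    """Gmail's API: release a resource only if the token carries the matching scope."""
    claims = jwt_verify(token, AUTH_SERVER_KEY)
    if resource not in claims["scope"].split():
        raise PermissionError(f"scope '{claims['scope']}' does not cover '{resource}'")
    return GMAIL_DATA[claims["sub"]][resource]


def import_contacts_flow():
    """The article's scenario: LinkedIn imports Emma's Gmail contacts, nothing more.
    Returns (contacts, mail_was_blocked, code_replay_was_blocked)."""
    gmail = AuthorizationServer()
    code = gmail.authorize("linkedin", "https://linkedin.example/callback",
                           scope="contacts", user="emma", consent=True)
    token = gmail.token("linkedin", code)
    contacts = resource_server_get(token, "contacts")
    try:
        resource_server_get(token, "mail")  # the cellar: outside the granted scope
        mail_blocked = False
    except PermissionError:
        mail_blocked = True
    try:
        gmail.token("linkedin", code)  # reusing the code must be refused
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return contacts, mail_blocked, replay_blocked


if __name__ == "__main__":
    print(import_contacts_flow())
```

The scope string carried in the token is what turns Emma’s consent into an enforceable boundary: the resource server never consults the user again, it only compares the requested resource with what the token says was granted. A token minted under a different key, or with its payload edited to add `mail`, fails `jwt_verify` before the scope check is even reached.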

The OAuth2 flow may sound simple, but it is a bit more complex than that. We will look at the communication flow between Emma, the LinkedIn application and the Gmail application in detail in the article on the OAuth2 protocol.

OAuth 2.0 Flow
