Tuesday, January 27, 2015

Authorization vs Authentication, Thinktecture IdentityServer

thinktecture/Thinktecture.AuthorizationServer @ GitHub

IdentityServer/Thinktecture.IdentityServer3 @ GitHub
"IdentityServer is a framework and a hostable component that allows implementing single sign-on and access control for modern web applications and APIs using protocols like OpenID Connect and OAuth2. It supports a wide range of clients like mobile, web, SPAs and desktop applications and is extensible to allow integration in new and existing architectures.

Watch this for the big picture: Introduction to OpenID Connect, OAuth2 and IdentityServer.
Go to the documenation site.
OpenID Connect specification / OAuth2 specification

IdentityServer is designed as an (Microsoft .NET) OWIN/Katana component. By referencing the library or nuget you get a UseIdentityServer extension method for IAppBuilder that allows setting up IdentityServer in your OWIN host" 
(and it could run on Linux and Mac)

Authentication vs. Authorization @ Microsoft TechNet

  • "Authentication is used by a server when the server needs to know exactly who is accessing their information or site.
  • Authorization is a process by which a server determines if the client has permission to use a resource or access a file.
    Authorization is usually coupled with authentication so that the server has some concept of who the client is that is requesting access"

OpenID Connect | OpenID
"OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner."

OAuth 2.0 — OAuth
"OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices."

ASP.NET 4.5 has options for external authentication by Google, Microsoft Live, Facebook.
That is very useful for human users and web application, but for mobile apps there is a need for access control to Web APIs: access authorization based on tokens. 
When there are more than one app or web site granting access to each separately is inconvenient. 
IdentityServer could help.

Authentication and Authorization in ASP.NET Web API | The ASP.NET Site

Azure Website's "Easy Authentication and Authorization" with Chris Gillum

No comments: