A
Access control
Access control is the restriction of who can perform what actions on certain resources in a system. It is a fundamental security mechanism to define and enforce access policies.
Access token
An access token is a credential used to access protected resources on behalf of an identity (e.g., user or service). It is a bearer token that grants access to resources based on the token's scopes (permissions).
API key
An API key is a secret token used to authenticate clients accessing an API. It verifies identity and controls access to specific resources, commonly used in server-to-server communications or public data access.
Attribute-based access control (ABAC)
Attribute-based access control (ABAC) is an access control model that uses attributes (such as user roles, resource properties, and environmental conditions) to make access control decisions. It is a flexible and dynamic way to manage access to protected resources.
Audience
The audience claim in a token specifies the intended recipient, typically the client application or API resource. It ensures the token is used only by the correct service, enhancing security by preventing unauthorized access.
Auth (disambiguation)
The term "auth" is often used as an abbreviation for authentication or authorization. These concepts are related but fundamentally different.
Authentication (AuthN)
Authentication is the process of verifying ownership of an identity (e.g., a user or service). It is the foundation of identity and access management (IAM) systems and is essential for securing applications and services.
Authentication request
An authentication request is an OpenID Connect (OIDC) request for authenticating a user. It reuses the OAuth 2.0 authorization request and extends it to support authentication.
Authorization
Authorization is the process of determining what actions an identity can perform on a resource. It is a fundamental security mechanism to define and enforce access policies.
Authorization code flow
The authorization code flow is a secure OAuth 2.0 mechanism that enables applications to obtain access tokens on behalf of users. It involves user authentication, authorization code generation, and token exchange.
Authorization request
An authorization request is an OAuth 2.0 request for authorizing a client to access protected resources on behalf of a user. It is the first step of user authorization flows in OAuth 2.0.
Authorization server
An authorization server is a component of the OAuth 2.0 framework that issues access tokens to clients upon successful authentication and authorization. It is also the OpenID Provider (OP) in OpenID Connect (OIDC) that issues ID tokens to clients.
C
Claim
A claim in JSON Web Token (JWT) is a name-value pair that conveys specific information. In a wider context, a claim can be any name-value pair that represents information.
Client
In OAuth 2.0 and OpenID Connect (OIDC), a client is an application that requests authentication or authorization on behalf of a user or itself. Clients can be public or confidential (private), and they use different grant types to obtain tokens.
Client credentials flow
Client credentials flow is an OAuth 2.0 grant type that allows confidential clients to obtain access tokens to access protected resources. It is suitable for machine-to-machine (server-to-server) communication.
Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF) is an attack that deceives users into executing unwanted actions on a web application in which they are authenticated. It is a common security vulnerability that can lead to unauthorized actions.
Cryptographically secure pseudorandom number generator
A cryptographically secure pseudorandom number generator (CSPRNG) is a pseudorandom number generator that generates random numbers that are suitable for use in cryptographic applications where the security of the data is important.
D
Device flow
OAuth 2.0 device authorization flow is a user-friendly sign-in method for input-limited devices or headless applications. By verifying a unique device code, it makes it possible for users to authorize the device via a secondary device with a full user interface.
E
Enterprise SSO
Enterprise single sign-on (SSO) is a specific type of SSO designed for employees within an organization.
eXtensible Access Control Markup Language (XACML)
eXtensible Access Control Markup Language (XACML) is an XML-based language for expressing access control policies. It is primarily used to implement attribute-based access control (ABAC) policies.
H
Hybrid flow
The hybrid flow is an OpenID Connect (OIDC) flow that combines the authorization code flow and the implicit flow. It is designed to provide a balance between security and usability for authentication.
I
ID token
An ID token is a JSON Web Token (JWT) issued by an authorization server to a client application. It contains information about the authenticated user, such as their unique identifier and claims. This token is used to verify the user's identity and allows the client application to access protected resources on behalf of the user.
Identity and access management (IAM)
Identity and access management (IAM) is a broad concept that encompasses the processes, technologies, and policies used to manage digital identities and control access to resources. It is a fundamental aspect of security in modern applications and systems.
Identity provider (IdP)
An identity provider (IdP) is a service that manages identities. Modern identity providers support OpenID Connect (OIDC) for authentication and OAuth 2.0 for authorization.
Implicit flow
Implicit flow is an authentication method that allows client-only applications (like SPAs and native apps) to receive tokens directly through URL fragments from the authorization server without providing a client secret.
J
JSON Web Encryption (JWE)
JSON Web Encryption (JWE) is a standard way to encrypt and decrypt data in JSON format. It is often used to protect sensitive information in JSON Web Tokens (JWTs) in transit.
JSON Web Key (JWK)
A JSON Web Key (JWK) is a JSON-based format used for representing cryptographic keys. When multiple JWKs need to be grouped together, they are organized into a JSON Web Key Set (JWKS).
JSON Web Signature (JWS)
JSON Web Signature (JWS) is a standard way to sign and verify data in JSON format. It is often used to ensure the integrity and authenticity of JSON Web Tokens (JWTs) in OpenID Connect (OIDC).
JSON Web Token (JWT)
JSON Web Token (JWT) is an open standard defined in RFC 7519 that enables secure communication between two parties. It is compact, URL-safe, and self-contained, making it ideal for transmitting authentication and authorization data between services.
Just-in-time (JIT) provisioning
Just-in-time (JIT) provisioning is an identity and access management (IAM) process where user accounts are provisioned dynamically when a user signs in for the first time.
M
Machine-to-machine
Machine-to-machine (M2M) communication refers to the automated exchange of data between devices without human intervention. In the context of authentication and authorization, M2M communication often involves a client application that needs to access resources, where the client application is a machine (service) or a machine acting on behalf of a user.
Magic link
A magic link is a one-time URL that can be used to complete the authentication process.
Management API
The Management API in the context of identity and access management (IAM) allows for programmatic management of resources such as users, applications, roles, and permissions. Typically RESTful, it provides an abstraction layer between the IAM system and the user interface, enabling automation, integration, and custom feature development.
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is a security mechanism that requires users to provide at least two forms of identification to complete the authentication process. It adds an extra layer of security that significantly reduces the risk of unauthorized access.
Multi-tenancy
Multi-tenancy is a software architecture where a single application instance serves multiple customers (tenants), keeping their data isolated and secure. It’s common in cloud computing and SaaS to optimize resources and simplify maintenance.
O
OAuth 2.0
OAuth 2.0 is a widely used authorization framework that allows an application (client) to obtain limited access to protected resources on behalf of a user or the application itself.
OAuth 2.0 grant
An OAuth 2.0 authorization grant (sometimes referred to as an "OAuth 2.0 grant type" or "OAuth 2.0 flow") is a method used by clients to obtain an access token from an authorization server. It is an essential part of how OAuth clients authenticate and authorize identities.
OAuth 2.1
OAuth 2.1 is a proposed update to the OAuth 2.0 authorization framework that aims to improve security and usability by deprecating insecure flows and introducing new best practices.
Offline access
Offline access allows clients to obtain new access tokens without requiring the user to re-authenticate. It is useful for long-lived sessions and better user experience.
One-time password (OTP)
A one-time password (OTP) is a unique, automatically generated temporary password that can only be used once, and it is commonly used for a single transaction or sign-in session.
Opaque token
An opaque token is a random, unique string that is meaningless to the client but serves as a reference key to look up authorization data in the server's database.
OpenID Connect (OIDC)
OpenID Connect (OIDC) is an authentication (identity) layer on top of OAuth 2.0, allowing clients to authenticate users and obtain identity information in a standardized way.
OpenID Connect (OIDC) Discovery
OpenID Connect (OIDC) Discovery is a mechanism that allows clients to automatically discover the OpenID Provider's endpoints and configuration.
P
Passkey
A passkey is a phishing-resistant and convenient credential that replaces passwords and can be used for sign-in and multi-factor authentication.
Passwordless authentication
Passwordless authentication is an authentication method that allows users to sign in to computer systems without entering (or remembering) a password or any other knowledge-based secret.
Proof Key for Code Exchange (PKCE)
Proof Key for Code Exchange (PKCE) is a security extension for OAuth 2.0 that protects authorization codes from interception and misuse. It is enforced for all types of clients in OAuth 2.1.
R
Redirect URI
A redirect URI is a URI to which the authorization server redirects the user-agent after an authorization request. It is an essential parameter in the OAuth 2.0 and OpenID Connect (OIDC) grants that involve user interaction.
Refresh token
A refresh token is a long-lived credential used to obtain new access tokens without requiring the user to re-authenticate. It is used to maintain user sessions and provide a better user experience.
Resource indicator
A resource indicator in OAuth 2.0 is an extension parameter defined in RFC 8707 that allows clients to specify the resource server's location in the authorization request. It provides a scalable way to handle multiple resource servers in a single authorization server.
Resource owner
A resource owner is an identity (usually a user) that has the ability to grant access to a protected resource. In OAuth 2.0, the resource owner can authorize the client to access its resources in a resource server on their behalf.
Resource server
A resource server is the server hosting the protected resources that the client wants to access. It is also responsible for verifying access tokens and serving the protected resources to the client.
Role
A role is a core concept in role-based access control (RBAC) systems, representing a collection of permissions that defines what actions users can perform, providing an efficient way to manage and assign access rights to users.
Role-based access control (RBAC)
Role-based access control (RBAC) is an access control model that assigns permissions to roles rather than directly to users, providing a flexible and efficient way to manage access rights in systems.
S
Scope
Scope defines the permissions that an application requests from a user to access their protected resources. It is a fundamental concept in OAuth 2.0 and OIDC that controls the level of access an application can have to a user's data.
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between identity providers and service providers.
Service provider (SP)
A service provider (SP) is an application or service that relies on an identity provider (IdP) for authentication and authorization.
Signing key
A signing key is a cryptographic key used to sign and verify JSON Web Tokens in OpenID Connect (OIDC). It is used to ensure the integrity and authenticity of the tokens issued by the OpenID provider.
Single sign-on (SSO)
Single sign-on (SSO) is an authentication method that allows users to access multiple systems with a single set of credentials.
T
Time-based one-time password (TOTP)
A time-based one-time password (TOTP) is a temporary, unique code generated by an algorithm that uses the current time as a key factor.
Token introspection
Token introspection is an OAuth 2.0 extension that allows clients to query the authorization server to validate access tokens and retrieve metadata about them.
Token request
A token request is the OAuth 2.0 request for exchanging credentials (e.g., authorization code, refresh token) for a set of tokens, typically including one or more of the following: access token, ID token, or refresh token.
U
Userinfo endpoint
The userinfo endpoint is an OpenID Connect (OIDC) endpoint that provides user information to clients. It is a supplementary endpoint to the ID token and allows clients to retrieve additional user information.
W
WebAuthn
WebAuthn is an API for accessing public key credentials, facilitating the implementation of passkeys.
Webhook
Webhooks are a method for web applications to communicate with each other in real-time. They allow one application to send automated messages or information to another application when a specific event occurs.