Authentication and Authorization are an important concepts in any type of software development. Systems over network need a mechanism to allow or deny access to the protected resources.
Basic and Forms authentication approaches were sufficient enough if the Resource Owner (or User) wanted to access their own data on a remote server.
It was simply the steps to:
- Request a resource from a server
- Being redirected to login page
Enter username and password
GET /login/ HTTP/1.1 Host: www.ehsankorhani.com Authorization: Basic aAJ0cKfgdGCoObE=
- Server will lookup user info
- Get access to protected page.
- Normally in the form of a Cookie
- Browser will send this Cookie in each subsequent request
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT;
The encrypted text in authorization header is just a:
Providing basic authentication requires the back-end server to implement a user database with proper hashing and security measures. ASP.NET Identity is one of the Microsoft technologies to simplify this task.
So, basic authentication could solve the simple and direct user interaction with the Resource Server. But it cannot be very effective in these cases:
- Authenticating using accounts with other Identity providers.
- Delegating access and authorization to another application.
Delegated Authorization & Federated Authentication
It could be cumbersome for users to create an account for every application they use. Securing user info in database is another burden for owners of application.
In addition, how can we allow an application to lookup our data in a reource server or perform actions on our behalf?
These are the scenarios that Delegated Authorization & Federated Authentication are going to address.