In the previous article we discussed the problem of a client application accessing user data in a resource server.
It was simply the steps to:
- Request a resource from a server
- Being redirected to login page
Enter username and password
GET /login/ HTTP/1.1 Host: www.ehsankorhani.com Authorization: Basic aAJ0cKfgdGCoObE=
- Server will lookup user info
- Get access to protected page.
- Normally in the form of a Cookie
- Browser will send this Cookie in each subsequent request
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT;
The encrypted text in authorization header is just a:
Providing basic authentication requires the back-end server to implement a user database with proper hashing and security measures. ASP.NET Identity is one of the Microsoft technologies to simplify this task.
So, basic authentication could solve the simple and direct user interaction with the Resource Server. But it cannot be very effective in these cases:
- Authenticating using accounts with other Identity providers.
- Delegating access and authorization to another application.
Delegated Authorization & Federated Authentication
It could be cumbersome for users to create an account for every application they use. Securing user info in database is another burden for owners of application.
In addition, how can we allow an application to lookup our data in a reource server or perform actions on our behalf?
These are the scenarios that Delegated Authorization & Federated Authentication are going to address.