====== Authentication & Authorization Technologies ======
This document explains common authentication and authorization technologies from beginner to advanced.
-----
====== Overview ======
Authentication answers: Who are you?
Authorization answers: What are you allowed to do?
Identity and access management ecosystem:
<code>
Identity & Access Management (IAM)
│
├── Authentication (Who are you?)
│   ├── Password-based (user proves identity using secret password)
│   ├── Session-based (server stores login state using session cookie)
│   ├── Token-based (stateless authentication using tokens)
│   │   ├── JWT (JSON Web Token format used to carry claims, securely signed)
│   │   └── Opaque Token (random token validated by server lookup)
│   ├── API Key (static key used to identify and authenticate client apps)
│   ├── Basic Auth (username/password sent with each request in encoded form)
│   ├── Passkeys / WebAuthn (passwordless authentication using public-key cryptography)
│   └── MFA / 2FA (extra authentication layer requiring multiple factors)
│
├── Authorization (What can you do?)
│   ├── OAuth2 (delegated authorization framework that grants limited API access without sharing credentials)
│   ├── RBAC (Role-Based Access Control using roles to define permissions)
│   ├── ABAC (Attribute-Based Access Control using user/resource/context attributes)
│   └── ACL (Access Control List defining permissions per user or group per resource)
│
└── Federation / SSO (Who vouches for you?)
    ├── OpenID Connect (OIDC) (identity layer on top of OAuth2 used for login and identity verification)
    └── SAML (XML-based enterprise federation protocol for single sign-on across organizations)
</code>
-----
====== Password Authentication ======
===== Definition =====
The most traditional authentication mechanism.
The user provides:
* Username
* Password
The server verifies the credentials against the stored password hash.
-----
===== Workflow =====
User
|
Username + Password
|
V
Server
|
Verify Password Hash
|
Allow / Deny
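The "Verify Password Hash" step above, as an added example (not code from the original page): passwords are stored only as salted PBKDF2 hashes and compared in constant time. The iteration count, user store and the sample password are constructed values.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; constructed value, tune for your hardware

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt$hash' (hex fields)."""
    salt = salt or os.urandom(16)  # a fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Constructed user store: only salted hashes are kept, never the passwords themselves.
USERS = {"john": hash_password("correct horse battery staple")}
# Hash of a throwaway value, so unknown usernames cost the same time as known ones.
DUMMY_RECORD = hash_password(os.urandom(16).hex())

def login(username: str, password: str) -> bool:
    """Allow / Deny step of the workflow above."""
    record = USERS.get(username, DUMMY_RECORD)
    return verify_password(password, record) and username in USERS
```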
-----
===== Advantages =====
* Simple
* Universal support
-----
===== Disadvantages =====
* Weak passwords
* Password reuse
* Phishing attacks
* Credential leaks
-----
====== Session Authentication ======
===== Definition =====
Server stores user state.
Client stores only a Session ID.
-----
===== Workflow =====
Step 1: User logs in.
Step 2: Server creates a session.
Session ID: ABC123XYZ
Step 3: Server stores:
<code>
ABC123XYZ → {
  userId: 1,
  role: admin
}
</code>
Step 4: Browser receives the cookie:
<code>
Set-Cookie: session_id=ABC123XYZ
</code>
-----
===== Request Flow =====
Browser
|
session_id
|
V
Server
|
Session Storage
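The workflow and request flow above, as an added example (not code from the original page): an in-memory session store keyed by a random session ID, the Set-Cookie attributes a session cookie should carry, and the lookup and revocation steps. The TTL and cookie values are constructed.

```python
import secrets
import time

SESSION_TTL = 3600  # seconds; constructed value

class SessionStore:
    """Server-side session storage: the client only ever holds the random ID."""
    def __init__(self):
        self._sessions = {}

    def create(self, user_id: int, role: str) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
        self._sessions[session_id] = {"userId": user_id, "role": role,
                                      "expires": time.time() + SESSION_TTL}
        return session_id

    def lookup(self, session_id: str):
        """Return the stored state, or None if unknown or expired."""
        data = self._sessions.get(session_id)
        if data is None:
            return None
        if data["expires"] < time.time():
            self._sessions.pop(session_id, None)
            return None
        return data

    def revoke(self, session_id: str) -> None:
        """Logout: deleting the server-side entry invalidates the cookie immediately."""
        self._sessions.pop(session_id, None)

def set_cookie_header(session_id: str) -> str:
    """HttpOnly keeps scripts away from the ID, Secure restricts it to HTTPS,
    SameSite limits cross-site sending."""
    return (f"session_id={session_id}; HttpOnly; Secure; SameSite=Lax; "
            f"Path=/; Max-Age={SESSION_TTL}")

def parse_cookie(header: str) -> dict:
    """Parse a request Cookie header such as 'session_id=ABC123XYZ; theme=dark'."""
    pairs = (part.split("=", 1) for part in header.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def handle_request(store: SessionStore, cookie_header: str):
    """Request flow: Browser -> session_id -> Server -> Session Storage."""
    session_id = parse_cookie(cookie_header).get("session_id", "")
    return store.lookup(session_id)
```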
-----
===== Advantages =====
* Secure (the client holds only the session ID; user state never leaves the server)
* Easy logout
* Easy revocation
-----
===== Disadvantages =====
* Requires server storage
* Harder to scale
-----
===== Common Use Cases =====
* Laravel websites
* Admin panels
* Internal systems
-----
====== JWT Authentication ======
===== Definition =====
JWT stands for:
JSON Web Token
A JWT is a signed token that carries user identity information.
-----
===== Structure =====
Header.Payload.Signature
Example:
xxxxx.yyyyy.zzzzz
-----
===== Workflow =====
User logs in.
Server creates the JWT payload:
<code>
{
  "userId": 1,
  "role": "admin"
}
</code>
Server signs the token.
Client stores the token.
Client sends:
<code>
Authorization: Bearer eyJhbGc...
</code>
Server verifies the signature.
-----
===== Architecture =====
Client
|
JWT
|
V
API Server
-----
===== Advantages =====
* Stateless
* API friendly
* Scales well
-----
===== Disadvantages =====
* Harder logout
* Harder token revocation
-----
===== Common Use Cases =====
* REST APIs
* Mobile apps
* SPAs
* Microservices
-----
====== API Key Authentication ======
===== Definition =====
Simple authentication using a secret key.
Example:
X-API-Key: abc123
-----
===== Workflow =====
Client
|
API Key
|
V
Server
|
Validate Key
-----
===== Advantages =====
* Very simple
* Easy integration
-----
===== Disadvantages =====
* Weak permission model
* Difficult rotation
* No user identity
-----
===== Common Use Cases =====
* Internal APIs
* Service integrations
* Automation tools
-----
====== Basic Authentication ======
===== Definition =====
HTTP authentication standard.
Credentials are sent with every request.
-----
===== Example =====
<code>
Authorization: Basic am9objpwYXNzd29yZA==
</code>
Represents:
<code>
john:password
</code>
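Building and parsing the header shown above, as an added example (not code from the original page): the base64 value is only encoding, and the split must happen on the first colon because the password may itself contain one.

```python
import base64
import binascii

def build_basic_auth(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64(user-id ':' password). Base64 is encoding,
    not encryption, which is why this header may only travel over HTTPS."""
    if ":" in username:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def parse_basic_auth(header: str):
    """Server side: return (username, password), or None if the header is malformed."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the user-id is guaranteed colon-free, so split on the first ':' only.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password
```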
-----
===== Advantages =====
* Very simple
-----
===== Disadvantages =====
* Credentials are transmitted with every request
* Must use HTTPS (base64 is encoding, not encryption)
-----
===== Common Use Cases =====
* Internal systems
* Legacy applications
-----
====== OAuth2 ======
===== Definition =====
OAuth2 is an authorization framework.
OAuth2 answers:
What resources can this application access?
OAuth2 does NOT define authentication.
-----
===== Example =====
User clicks:
Continue with Google
Google asks:
Allow this app to access your profile?
User approves.
Google issues:
Access Token
Application accesses Google APIs.
-----
===== Components =====
==== Resource Owner ====
Usually:
User
==== Client ====
Application requesting access.
==== Authorization Server ====
Issues tokens.
Examples:
* Google
* Microsoft
* Auth0
* Okta
* Keycloak
==== Resource Server ====
Protected APIs.
-----
===== Tokens =====
==== Access Token ====
Used for API access.
<code>
Authorization: Bearer token
</code>
==== Refresh Token ====
Obtains new access tokens.
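The exchange from the "Continue with Google" example, with the authorization server and the resource-server check in one process, as an added example (not code from the original page or any provider). It goes beyond the page by binding the authorization code to a PKCE verifier (RFC 7636) as well as to the client and redirect URI; client IDs, lifetimes and scopes are constructed.

```python
import base64
import hashlib
import secrets
import time

CODE_TTL, TOKEN_TTL = 60, 3600  # lifetimes in seconds (constructed values)

def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(SHA-256(code_verifier)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def pkce_pair():
    """Client side: random code_verifier and the code_challenge sent on the authorize request."""
    verifier = secrets.token_urlsafe(48)
    return verifier, s256(verifier)

class AuthorizationServer:
    """In-memory authorization server: issues one-time codes and exchanges them for access tokens."""
    def __init__(self, clients: dict):
        self.clients = clients   # client_id -> registered redirect_uri
        self.codes = {}          # code -> data it is bound to
        self.tokens = {}         # access token -> {"sub", "scope", "expires"}

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user_sub):
        """Runs after the resource owner approved the consent screen."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "challenge": code_challenge, "sub": user_sub, "expires": time.time() + CODE_TTL}
        return code

    def token(self, code, client_id, redirect_uri, code_verifier):
        """Token endpoint: the code must be unused, unexpired and bound to this client, URI and verifier."""
        data = self.codes.pop(code, None)  # pop makes every code single-use
        if data is None or data["expires"] < time.time():
            raise ValueError("invalid or expired code")
        if data["client_id"] != client_id or data["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        if not secrets.compare_digest(s256(code_verifier), data["challenge"]):
            raise ValueError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": data["sub"], "scope": data["scope"], "expires": time.time() + TOKEN_TTL}
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL, "scope": data["scope"]}

    def introspect(self, bearer_token):
        """Resource server side: map 'Authorization: Bearer <token>' to subject and scope, or None."""
        data = self.tokens.get(bearer_token)
        return None if data is None or data["expires"] < time.time() else data
```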
-----
===== Common Use Cases =====
* Login with Google
* Third-party integrations
* Enterprise APIs
-----
====== OpenID Connect (OIDC) ======
===== Definition =====
OIDC is an authentication layer built on top of OAuth2.
OAuth2 answers:
What can this app access?
OIDC answers:
Who is the user?
-----
===== Workflow =====
User authenticates.
Identity Provider returns an ID Token, typically a JWT.
Example payload:
<code>
{
  "sub": "123456",
  "email": "john@example.com",
  "name": "John"
}
</code>
-----
===== Common Providers =====
* Google
* Microsoft Entra ID
* Auth0
* Okta
* Keycloak
-----
===== Common Use Cases =====
* Login with Google
* Enterprise SSO
* Modern authentication systems
-----
====== SAML ======
===== Definition =====
SAML stands for:
Security Assertion Markup Language
Enterprise identity federation protocol.
Uses XML.
-----
===== Workflow =====
Employee
|
V
Company Identity Provider
|
V
Application
-----
===== Advantages =====
* Enterprise standard
* Mature ecosystem
-----
===== Disadvantages =====
* XML complexity
* Older technology
-----
===== Common Use Cases =====
* Enterprise SSO
* Government systems
* Legacy corporate environments
-----
====== Single Sign-On (SSO) ======
===== Definition =====
SSO is a capability, not a protocol.
Goal: log in once, then access multiple applications.
-----
===== Example =====
<code>
Google Login
|
+--> Gmail
+--> Drive
+--> Docs
+--> Calendar
</code>
-----
===== Technologies Used =====
* OIDC
* SAML
-----
====== Multi-Factor Authentication (MFA) ======
===== Definition =====
Adds extra authentication factors.
Instead of:
Password
Use:
Password
+
Additional Factor
-----
===== Examples =====
* SMS OTP
* Authenticator App
* Security Key
* Passkey
-----
===== Advantages =====
* Stronger security
* Protects against password theft
-----
====== Passkeys / WebAuthn ======
===== Definition =====
Modern passwordless authentication.
Uses public-key cryptography: a key pair made of a public key and a private key.
-----
===== Registration =====
Device creates a key pair: public key + private key.
Server stores: public key.
Device stores: private key.
-----
===== Login =====
Server sends challenge.
Device signs challenge.
Server verifies signature.
-----
===== Advantages =====
* Phishing resistant
* No password leaks
* Better user experience
-----
===== Common Use Cases =====
* Modern authentication systems
* High-security applications
-----
====== Authorization Models ======
===== RBAC =====
Role-Based Access Control.
Permissions based on roles.
Example:
Admin
→ All Permissions
Manager
→ Reports
User
→ Own Data
-----
===== ABAC =====
Attribute-Based Access Control.
Permissions based on attributes.
Example:
Department = Finance
AND
Document Department = Finance
Result:
Allow Access
-----
===== ACL =====
Access Control List.
Permissions attached directly to resources.
Example:
budget.xlsx
John → Read
Alice → Read/Write
Bob → Denied
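The three models above with the page's own examples, as an added example (not code from the original page): role permissions with a role chain for RBAC, an attribute rule for ABAC, and a per-resource list with default deny for ACL. The role hierarchy and the ABAC context attribute (managed device) are constructed additions.

```python
from dataclasses import dataclass, field

# ---- RBAC: permissions follow the role (page example: Admin, Manager, User) ----
ROLE_PERMISSIONS = {"admin": {"*"}, "manager": {"reports:read"}, "user": {"owndata:read"}}
ROLE_INHERITS = {"admin": "manager", "manager": "user"}  # constructed hierarchy

def rbac_allows(role: str, permission: str) -> bool:
    """Walk the role chain; '*' is the 'All Permissions' wildcard from the example."""
    while role is not None:
        perms = ROLE_PERMISSIONS.get(role, set())
        if "*" in perms or permission in perms:
            return True
        role = ROLE_INHERITS.get(role)
    return False

# ---- ABAC: a rule evaluated over user, resource and context attributes ----
def abac_allows(user: dict, resource: dict, context: dict) -> bool:
    """Page rule (user department == document department) plus a constructed
    context condition: the request must come from a managed device."""
    same_department = user.get("department") == resource.get("department")
    return same_department and context.get("managed_device", False) is True

# ---- ACL: rights attached directly to the resource, default deny ----
@dataclass
class Resource:
    name: str
    acl: dict = field(default_factory=dict)  # principal -> set of rights; empty set = Denied

    def allows(self, principal: str, right: str) -> bool:
        return right in self.acl.get(principal, set())  # unlisted principals get nothing

# Page example: budget.xlsx with John -> Read, Alice -> Read/Write, Bob -> Denied.
BUDGET = Resource("budget.xlsx", {"John": {"read"}, "Alice": {"read", "write"}, "Bob": set()})
```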
-----
====== Kerberos ======
===== Definition =====
Enterprise authentication protocol.
Widely used with:
* Active Directory
* Windows Domains
-----
===== Workflow =====
User Login
|
V
Active Directory
|
Ticket
|
V
Applications
-----
===== Common Use Cases =====
* Corporate networks
* Enterprise infrastructure
-----
====== Modern Enterprise Architecture ======
A typical enterprise architecture:
User
|
V
OIDC Login
|
OAuth2
|
JWT
|
API Gateway
|
Microservices
|
RBAC
Where:
* OIDC = Authentication
* OAuth2 = Authorization
* JWT = Token Format
* RBAC = Permissions
* MFA = Additional Security
-----
====== Technology Comparison ======
^ Technology ^ Category ^ Purpose ^
| Session | Authentication | Server-side login state |
| JWT | Authentication | Token-based identity |
| API Key | Authentication | Service identification |
| Basic Auth | Authentication | Username/password transport |
| OAuth2 | Authorization | Delegated access |
| OIDC | Authentication | User identity |
| SAML | Authentication/SSO | Enterprise federation |
| MFA | Authentication | Additional verification |
| Passkeys | Authentication | Passwordless login |
| RBAC | Authorization | Role permissions |
| ABAC | Authorization | Attribute permissions |
| ACL | Authorization | Resource permissions |
| Kerberos | Authentication | Enterprise authentication |
-----
====== Quick Memory Guide ======
* Session = Server remembers you
* JWT = You carry your identity
* OAuth2 = Permission delegation
* OIDC = User identity
* SAML = Enterprise SSO
* MFA = Extra verification
* Passkey = Passwordless authentication
* RBAC = Role permissions
* ABAC = Attribute permissions
* ACL = Resource permissions