@fusion.io/authenticate
-----------------------

# CONCEPTS AND DEFINITIONS

### tl;dr

- **Authentication** is about providing an **Identity** for a **Credential**,
  not just checking whether someone has logged in or not, where:

  - A **Credential** is a piece of information made/sent by the third-party system/user to prove to the Application/System who they are.
    It can be a login form with an **id** and **password**, an **access_token**, ...
    A **Credential** is private and sensitive information. It **MUST** be handled with security awareness.
    One common example is hashing the user's password when storing it in the database.

  - An **Identity** is a piece of information that the Application/System can use **by itself**, without asking any third-party system, to distinguish who/which/what is interacting with it.
    For example: the primary key value of a user table.

- The **Credential** and the **Identity** can be produced by 2 different Systems/Applications.
  For example: a user logs in to your website via a `Login by Facebook` button,
  and Facebook provides an `access_token` as the **Credential**.
  Your website then uses that `access_token` to ask Facebook for the Facebook *user id*. That *user id* is the **Identity**.

23 |
|
24 | - **Authentication** is considered as **success** if the **Identity** is provided. Otherwise, it is **failed**.
|
25 |
|
26 | - **Authentication** only have meaning in an **Authentication Context**.
|
27 | It is a place that authentication happened for a purpose.
|
28 | It contains **Credential** information.
|
29 | It can transport information back and forth.
|
30 |
|
31 | - **Authentication** can be separated into 2 steps:
|
32 |
|
33 | 1. Reading the **Credential** from **Authentication Context**.
|
34 |
|
35 | 2. Finding the related **Identity** with such **Credential**.
|
36 |
|
37 | - The first step will be coupled with authentication standard (OpenID, OAuth2).
|
38 | It also coupled with transport protocol (HTTP, WebSocket, Console ...),
|
39 | which also mean it depends on the transport framework: **Koa**, **Express** / Http, **Socket.IO** / Websocket, ...
|
40 | It should not couple with the Application/System domain nor the second step.
|
41 | Implementations of the first step can be reuse in a form of libraries or frameworks.
|
42 |
|
43 | - The second step will be coupled with the application domain. It should be implemented by the developer.
|
44 |
|
45 |
|
46 | - **Authentication** is an important part, but **NOT** all of Security problems.
|
47 | A good implementation of **Authentication** does not mean your Application/System is secure
|