@fusion.io/authenticate
-----------------------

# CONCEPTS AND DEFINITIONS

### tl;dr

 - **Authentication** is about providing an **Identity** for a **Credential**,
 not just checking whether someone has logged in or not, where:

 - **Credential** is a piece of information that is made/sent by a third-party system/user to prove to the Application/System that it knows who they are.
 It can be a login form with an **id** and **password**, an **access_token**, ...
 A **Credential** is private and sensitive information. It **MUST** be treated with security awareness.
 One common example is hashing the user's password when storing it in the database.

 - **Identity** is a piece of information that the Application/System can use **by itself**, without asking any third-party system, to distinguish who/which/what is interacting with it.
 For example: the primary key value of a user table.

 - **Credential** and **Identity** can be made by 2 different Systems/Applications.
 For example: a user logs in to your website via a `Login by Facebook` button,
 and Facebook provides an `access_token` as a **Credential**.
 Your website uses that `access_token` to ask Facebook again for the Facebook *user id*. That *user id* is an **Identity**.

 - **Authentication** is considered **successful** if the **Identity** is provided. Otherwise, it has **failed**.

 - **Authentication** only has meaning in an **Authentication Context**.
 It is the place where authentication happens for a purpose.
 It contains the **Credential** information.
 It can transport information back and forth.

 - **Authentication** can be separated into 2 steps:

 1. Reading the **Credential** from the **Authentication Context**.

 2. Finding the **Identity** related to that **Credential**.

 - The first step is coupled with the authentication standard (OpenID, OAuth2).
 It is also coupled with the transport protocol (HTTP, WebSocket, Console ...),
 which also means it depends on the transport framework: **Koa**, **Express** / HTTP, **Socket.IO** / WebSocket, ...
 It should not be coupled with the Application/System domain nor with the second step.
 Implementations of the first step can be reused in the form of libraries or frameworks.

 - The second step is coupled with the application domain. It should be implemented by the developer.

 - **Authentication** is an important part of Security, but **NOT** the whole of it.
 A good implementation of **Authentication** does not mean your Application/System is secure.