Understanding Digital Identity, Encryption, and OAuth 2.0 vs OIDC | by Prabesh Thapa

Understanding ideas like digital identification, encryption, and authorization protocols is essential in right this moment’s digital panorama. This article goals to make clear these subjects and supply a complete overview.

In the digital world, a digital identification uniquely represents an entity, be it a person, group, or gadget. Just as bodily identification attributes like your title, picture, and private data assist establish you within the bodily world, digital identification consists of distinctive digital attributes equivalent to usernames, e mail addresses, biometric information, and digital certificates.

These digital identifiers are used to ascertain and confirm your identification within the digital realm, permitting you to entry on-line companies, talk securely, and conduct varied actions within the digital world.

This parallel between bodily and digital identification highlights the significance of safe and dependable identification strategies in each domains. This can manifest as usernames, emails, public keys, and even biometric information. These identifiers play a pivotal function in verifying one’s identification within the digital realm.

Encryption

Converts plain textual content into cipher textual content utilizing a mathematical algorithm and an encryption key.
It is a two-way course of.
Unlike hashing, it doesn’t end in a fixed-length output.

Hashing

Converts plain textual content into a set size string of chars referred to as hash.
An excellent hash ought to be a one-way course of, which means as soon as the information is hashed, it can’t be simply reversed to acquire the unique enter.
Used to verify information integrity
Fixed size

Let’s speak about just a few questions:

Is Bcrypt hashing or encrypting?

Answer: Even if the title contains crypt and suggests encryption, it’s hashing.

Is Base64 hashing or encrypting?

Answer: Neither, it’s encoding. It is an encoding method used to characterize binary information in an ASCII string format. It’s generally used for duties like encoding photographs in e mail attachments or embedding binary information in URLs.

Authentication: Verifying if a consumer is who they declare to be

Authorization: Verifying if the consumer has entry to sources the useful resource they wish to entry.

Tokens are pivotal in managing entry and identification within the digital world. They function information representations of a consumer’s identification or present entry to particular sources.

Various tokens exist, together with entry, refresh, session, ID, and CSRF. Each of them is mentioned under:

Access token: The shopper makes use of this token to entry the Resource Server (API). They are supposed to be short-lived. These tokens are normally legitimate for just a few hours or a day. As it has a shorter interval, it can’t be revoked. Instead, we have now to attend for this token to trip.
If you’re utilizing an entry token with a safe API, give the entry token a shorter trip to stick to safety greatest practices. For instance, the trip may be an hour.
OAuth2.0 can be utilized for authorization, permitting you to entry a useful resource equivalent to an API endpoint for CRUD operations.
Refresh token: The shopper makes use of the refresh token to get an entry token. To get a refresh token, functions sometimes require confidential shoppers with authentication. This is far longer-lived: days, months, or years. This may be revoked at any time.
Session token: Token used to take care of stateful interactions between the shopper and server.
ID token: Used strictly for authentication utilizing OIDC.
CSRF token: Used to stop a particular sort of assault the place a consumer is tricked into performing on a unique web site with out their data.

Tokens don’t have to be within the type of JWTs (JSON Web Tokens). While JWTs are a preferred alternative for tokens resulting from their compact measurement, self-contained nature, and ease of use, they don’t seem to be the one possibility.

OAuth 2.0 and OpenID Connect (OIDC) serve distinct capabilities. OAuth 2.0 is primarily an authorization framework, whereas OIDC is geared in the direction of authentication. OIDC operates atop OAuth 2.0, which is constructed on prime of HTTP.

OAuth 2.0 and OpenID Connect (OIDC) are completely different techs constructed for various functions.

OAuth 2.0 is an open-standard authorization framework, not an impartial service. It allows you to grant delegated permissions and permit entry to particular sources equivalent to profile footage, emails, and cellphone numbers. It is learn as “oh-auth,” and it’s not the identical as AuthO, which is learn as “auth-zero.” One is a protocol specification, and the opposite is a product.

OAuth maintains a number of roles that assist facilitate and delegate entry to protected sources.

Resource Owner (RO): An entity that may grant entry to a protected useful resource. The consumer could be a system or an utility. They solely have to personal the information within the useful resource server. For instance, I’m the useful resource proprietor of my Facebook profile.
Client: The utility that desires to entry protected information on behalf of the useful resource proprietor. A cell app that desires to entry a consumer’s images on a cloud storage service. (e.g., net or cell app). This is a bit controversial. From the auth server perspective, any app tries to authenticate its shopper.
Resource Server (RS): The server that hosts the protected useful resource. It verifies the token and offers entry to the useful resource. (e.g., server internet hosting file)
Authorization Server (AS): Server liable for authenticating the useful resource proprietor and acquiring their consent to grant entry to the shopper. Once it is carried out, it points an entry token to the shopper (e.g., GitHub, Facebook, and Linkedin. They all function their very own authorization server)
Authorization grant: Credential representing the useful resource proprietor’s consent to permit the shopper to entry their useful resource. There are various kinds of grant auth codes: implicit, shopper credential, and so on.
Redirect URI: After the proprietor grants permission, the authorization server redirects customers again to the shopper as a particular URL with authorization data. This is usually referred to as callback URL
Access token: Credential that represents that the authorization has been granted. They can’t do every little thing, solely the issues outlined within the scope
Refresh token: Optional. Used to get a brand new entry token in case the earlier one expires
OAuth scopes: It specifies the extent of entry a shopper may be granted. It is maintained and outlined within the authorization server

Simplicity: Version 1.0 was intricate resulting from its reliance on cryptographic signatures for every request.
Support: Initially tailor-made for server-to-server communication, model 1.0 has developed to accommodate a broader spectrum of shoppers, together with cell apps, net apps, and IoT gadgets, due to the introduction of assorted grant varieties.
Native help: Version 1.0 was not optimally suited to native cell functions. Version 2.0 addressed this by introducing PKCE (Proof Key for Code Exchange), enhancing the safety of authorizations.
Token-Based: While model 1.0 relied on signature-based authentication, model 2.0 adopted a bearer token method, streamlining the authentication course of.
Scope: Unlike model 1.0, which lacked a standardized technique for managing permissions and scope, model 2.0 introduces scopes, permitting for extra exact and granular entry management.

OAuth flows or grants, are a mechanism for shoppers to get credentials from authorization server (AS) to entry the useful resource server (RS). OAuth gives varied flows tailor-made for various eventualities, together with Auth code move, Implicit move, Client credential move, Auth code with PKCE, and Resource proprietor password grant move.

Usage: Used by an internet or server-side app that may securely retailer shopper secrets and techniques.

It’s relevant to net or server-side functions with the potential to securely retailer shopper secrets and techniques, particularly when management over each the back and front channels is maintained.