
Web API: authorization or/and authentication

I created an ASP.NET Web API project. I need to add authorization or/and authentication. I've read a lot about OAuth, SAML, JWT, HMAC etc. and every time I see the author emphasize that OAuth is not authentication and that you need to distinguish authN from authZ. I'm a bit confused because I don't understand:

  1. when do I need to use authentication (SSO, login/password) and when authorization (OAuth, tokens) for an API?
  2. are HMAC and JWT for authorization or for authentication? Because they are signed, I can add a user ID to the token and use it as a user identifier.
  3. what are the real differences between an authN workflow and an authZ workflow?

OAuth can also be used to authenticate users using a resource owner grant (i.e. a client gets an access token by providing a user+password credential).

The resulting access token is what you should call authorization, since it will contain info like claims describing permissions, permission masks or roles (it depends on what authorization scheme you implement in your solution).

A JWT (JSON Web Token) is just a JSON representation of both the access token and any other associated info. The JWT is the content of some authentication result which can be used to be authorized against some resources. Since the JWT contains an access token, if you're using basic authorization, you'll add an Authorization header to your requests: Authorization: Bearer [your access token].
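To make the authN/authZ split from the answer concrete, here is an added example (not code from the question, the answer, or ASP.NET) that verifies an HS256-signed Bearer JWT (authentication: is this token genuinely ours and still valid?) and then makes a separate role decision from its claims (authorization). The secret, the "roles" claim name and the sample claims are constructed for this example.

```python
# Added example: HMAC-SHA256 JWT check with authN and authZ kept as separate steps.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # constructed value for this example only

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact JWT (header.payload.signature) signed with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate(auth_header: str, secret: bytes = SECRET, now=None):
    """AuthN: verify the Bearer token's signature and expiry; return claims or None."""
    if not auth_header.startswith("Bearer "):
        return None
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        provided = _b64url_decode(sig)
        hdr = json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return None
    if hdr.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):  # constant-time compare
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None  # missing or past "exp" is rejected
    return claims

def authorize(claims: dict, required_role: str) -> bool:
    """AuthZ: a separate decision based only on the already-verified claims."""
    return required_role in claims.get("roles", [])
```

A valid signature tells you who the caller is; whether that caller may touch a given resource is the second, independent check.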
