Basic terminology for OAuth security in the context of an app (web application, API, mobile application, etc.).
Authentication
The process of proving you are who you say you are.
Authorization
The act of granting an authenticated party permission to do something. It specifies what data you’re allowed to access and what you can do with that data.
Identity
Refers to the users who request access to resources. Users have to prove they are who they say they are, usually through an authentication process.
Flow (aka. grant type)
Methods by which applications obtain access tokens, and by which you grant another entity limited access to your resources without exposing your credentials.
Token
A piece of data containing information about users and apps. Common types of tokens:
- ID token: a token used to identify the user.
- Access token: a token used to access some kind of resource, e.g. an API.
- Refresh token: a token used to refresh (obtain a new) access token.
Hash
A function that maps data of arbitrary size to fixed-size values. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes.
Encrypt
Convert (information or data) into a cipher or code, especially to prevent unauthorized access. Common methods of encryption:
- Asymmetric: a form of encryption where keys come in pairs: public keys, which may be disseminated widely, and private keys, which are known only to the owner. Public keys are used to encrypt and private keys are used to decrypt.
- Symmetric: a form of encryption that uses only one key (as opposed to the pair of keys in asymmetric encryption). The same key is used to encrypt and to decrypt.
Decrypt
Make a coded or unclear message able to be understood.
Public private key
See asymmetric encryption above.
Federation
The linking of a user's electronic identity and attributes, stored across multiple distinct identity management systems.