Security Lingo Explained: Auth

Khalid Abuhakmeh

The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.

Today’s security lingo is Auth, so let’s discuss what the word stands for and where you can see and hear it used.

What is Auth?

For the uninitiated, Auth might sound like an alien species from a distant planet, coming to our pale blue dot of a planet to share the universe’s most profound secrets. And for seasoned developers, reading the question “What is auth?” might elicit a knee-jerk reaction of “I know what Auth is! Why is this guy explaining it to me?!”

But stick with me, and let’s probe one of life’s most interesting questions.

Auth is an often-used but ambiguous term developers apply to the standard security practices you might find in a solution. The term is imprecise because, depending on context, it can refer to either of two distinct aspects of security: Authentication and Authorization.

Software developers may use “Auth” as shorthand, but do they mean authentication, authorization, or a combination of both? Even experienced developers can be seen conflating the two. Let’s break down the distinction between the terms, starting with authentication.

Authentication, also known as AuthN, is the process of verifying a user's or system's identity. In software development, this typically involves confirming that a user is who they claim to be, often through credentials such as usernames and passwords, or other methods like multi-factor authentication. It's the first step in granting access to resources.

Authorization, also referred to as AuthZ, is the process of determining what actions an authenticated user or system is permitted to perform. After identity verification (authentication), authorization grants or denies access to specific resources or functionalities based on predefined rules or roles. It defines the level of access an entity has within a system.

In OAuth 2.0, the security protocol that Duende IdentityServer helps developers implement, the “Auth” stands for Authorization. OAuth 2.0 is a protocol explicitly designed for client authorization (think apps). In contrast, OpenID Connect, a later protocol that builds on OAuth 2.0, adds user authentication (think humans) on top of that authorization layer.
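To make the AuthN/AuthZ split concrete, here is an added example (not code from Duende or from this post) of how a resource server keeps the two decisions separate: first it authenticates the bearer token to establish who is calling, then it authorizes the call against the scopes that identity was granted. The HMAC secret, token format and `handle_request` helper are assumptions for the demo; a real API would validate issuer-signed tokens against published keys.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical shared secret for this demo only; a real resource server would
# verify the issuer's signature using its published keys, not a local HMAC secret.
SECRET = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, scopes: list, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Constructs a compact HMAC-signed token (payload.signature) for the demo."""
    now = int(time.time()) if now is None else now
    body = {"sub": subject, "scope": " ".join(scopes), "exp": now + ttl}
    payload = _b64url(json.dumps(body).encode())
    sig = _b64url(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def authenticate(token: str, now: Optional[int] = None) -> Optional[dict]:
    """AuthN: establish who presented the token. Returns claims, or None if unverifiable."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # forged or damaged token: we cannot say who this is
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # expired: identity is no longer vouched for
    return claims


def authorize(claims: dict, required_scope: str) -> bool:
    """AuthZ: decide whether this known identity may perform the requested action."""
    return required_scope in claims.get("scope", "").split()


def handle_request(token: Optional[str], required_scope: str, now: Optional[int] = None) -> int:
    """Returns an HTTP status: 401 when AuthN fails, 403 when AuthZ fails, 200 otherwise."""
    if not token:
        return 401
    claims = authenticate(token, now)
    if claims is None:
        return 401
    if not authorize(claims, required_scope):
        return 403
    return 200
```

The status codes mirror the distinction: 401 means "I don't know who you are", 403 means "I know who you are, and you still may not do this".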

While it's possible to pick up which “auth” developers are referring to from context clues, it’s always best to communicate clearly which you mean, whether it’s authentication or authorization. So next time you’re staring at the stars, wondering if there’s intelligent life out there in the universe, you’ll know that if they ever reach out to you, you’ll have no problems explaining the phrase “Auth”.

We hope you found this post enlightening. If there’s other security lingo you’re unsure about, please let us know in the comments, and we’ll be happy to explain. And while you’re here, please take a moment to explore our range of security products and join the discussions in our community.