API Authentication & Authorisation
Here's a short explainer on authentication and authorisation, incorporating OIDC, JWT, and mTLS:
Authentication vs. Authorisation
Authentication
Authentication verifies who you are. It's the process of confirming a user's identity. Think of it like showing your ID to get into a building.
Authorisation
Authorisation determines what you can do. After your identity is confirmed, this process decides which resources or actions you are permitted to access. This process is similar to a security guard checking your badge level to determine which floors you're allowed on.
Key Technologies
OpenID Connect (OIDC)
An identity layer built on top of the OAuth 2.0 protocol. OIDC handles authentication by allowing clients to verify the identity of the end-user based on the authentication performed by an authorisation server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. It issues an ID Token (a JWT) to confirm the user's identity.
JSON Web Tokens (JWT)
A compact, URL-safe means of representing claims to be transferred between two parties. JWTs can be used for both authentication and authorisation.
- Authentication: An ID Token (a type of JWT issued by OIDC) confirms the user's identity.
- Authorisation: An Access Token (often a JWT) contains claims about the user's permissions and scopes, allowing the resource server to determine what actions the user is authorised to perform.
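The two steps above on the resource-server side, as an added example that is not part of the original explainer: verify the access token (authentication), then decide from its verified scope claim what the caller may do (authorisation). It assumes a constructed HS256 shared secret, an issuer URL and an audience name; a real deployment would use the issuer's published signing keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real resource server fetches the issuer's keys via OIDC discovery.
SECRET = b"demo-shared-secret-not-for-production"   # assumed
EXPECTED_ISSUER = "https://issuer.example"           # assumed issuer URL
EXPECTED_AUDIENCE = "orders-api"                     # assumed API identifier

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_token(claims: dict) -> str:
    """Stands in for the authorisation server: builds an HS256-signed JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_access_token(token: str, now=None) -> dict:
    """Authentication: check signature, issuer, audience and expiry; ValueError on failure."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless 3 parts
    # Pin the algorithm server-side; the token must not get to choose it.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def is_authorised(claims: dict, required_scope: str) -> bool:
    """Authorisation: the verified 'scope' claim decides what the caller may do."""
    return required_scope in claims.get("scope", "").split()

def check_request(token: str, required_scope: str, now=None) -> int:
    """401 = caller not authenticated, 403 = authenticated but not permitted."""
    try:
        claims = verify_access_token(token, now)
    except ValueError:
        return 401
    return 200 if is_authorised(claims, required_scope) else 403
```

Note that signature, issuer and audience checks all happen before any scope is consulted: a claim that was not verified is not evidence of anything.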
Mutual Transport Layer Security (mTLS)
Provides two-way authentication between a client and a server. Unlike standard TLS, where only the server authenticates itself to the client, mTLS requires both the client and server to present and verify cryptographic certificates. This ensures that both parties are trusted, adding an extra layer of security, especially in microservices architectures where service-to-service authentication is critical. While primarily for authentication, the establishment of a trusted connection via mTLS can implicitly support authorisation decisions by ensuring only trusted entities can even attempt to access resources.