AuthN, AuthZ and Gluecon

April 26, 2010

As I’ve mentioned many times in the past, I’m not an engineer. Still, along the way, even the non-engineers like me pick up some tidbits of knowledge. One of the things I learned in my years spent in identity management (“IdM”) is the difference between Authentication (“AuthN”) and Authorization (“AuthZ”). And, as it turns out, that learning is useful.

Take the confusion over OAuth and OpenID. OAuth is “Open Authorization,” while OpenID is an authentication mechanism. While AuthZ and AuthN sometimes feel very similar, they’re actually pretty different operations.

Authentication is about verifying a person as they log in to an application. Authentication can be 1 factor, 2 factor, 9 factor, whatever. It could require DNA if it feels like it. OpenID is about maintaining the “authenticated state” across different sites — what all of us call single sign on (SSO).

Authorization is about granting the ability to access resources or use an application without requiring that the authenticated state be passed across the websites. You LOG IN to Twitter. But you don’t have to log in to a Twitter app that wants to gain authorization to your Twitter data. You, the authenticated person, *authorize* the application to have access to those resources. The app doesn’t need you to authenticate. And the state of your authentication doesn’t need to persist across the two sites. Hence, the oft-used analogy of the “valet key” being compared to OAuth — it “authorizes” the valet to use certain resources in the car (drive it in a given radius, etc.), but it does not “authenticate” the valet to be “logged in” to the car.
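The valet-key idea above as a small sketch, added here and not part of the original post: the user authenticates to the service, and the app receives only a scoped, expiring token. This is a simplified signed-token model rather than the OAuth protocol itself, and every name in it (`authorize_app`, `access`, the `alice` account, scopes such as `read:tweets`) is an assumption made for illustration.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # constructed; held only by the service
SALT = b"constructed-salt"            # constructed

def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": _kdf("correct horse battery")}  # constructed account

def _sign(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()

def authenticate(user, password):
    """AuthN: the service verifies who is logging in."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _kdf(password))

def authorize_app(user, password, app, scopes, ttl=3600):
    """AuthZ grant: the user logs in to the service (not the app) and the
    service hands the app a scoped, expiring token, never the password."""
    if not authenticate(user, password):
        raise PermissionError("login failed")
    claims = {"sub": user, "app": app, "scopes": sorted(scopes),
              "exp": time.time() + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

def access(token, needed_scope, now=None):
    """Resource check: good signature, not expired, scope covers the request.
    Returns the resource owner on success, None otherwise."""
    body, _, sig = token.encode().rpartition(b".")
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if now >= claims["exp"] or needed_scope not in claims["scopes"]:
        return None
    return claims["sub"]

if __name__ == "__main__":
    token = authorize_app("alice", "correct horse battery",
                          "photo-app", ["read:tweets"])
    print(access(token, "read:tweets"))   # granted scope
    print(access(token, "write:tweets"))  # scope the user never granted
```

The token answers "what may this app do on alice's behalf", not "is alice logged in here", which is why the resource check never touches the password.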

As this article points out, OAuth is becoming THE big deal in identity management (in the consumer space). And rightfully so. Authentication is important, but *authorization* can be leveraged. Authorization is built for network effects.

Not that authentication isn’t necessary. It is. It’s just not as sexy.

Fortunately, you can get both sides of the equation at Gluecon, as we’ll be covering OAuth (including the new Web Access Resource Protocol work), and the whole SAML/OpenID complex. If you’re building cloud or web apps, you simply have to understand the implications of all sides of this one. And you can get that at Glue.

We’re 30 days from the conference, so don’t delay — use “twit2” to take 10% off of your registration, and register today.