91 lines
No EOL
6.8 KiB
Text
Executable file
91 lines
No EOL
6.8 KiB
Text
Executable file
|
|
=== Core Concepts and Terms
|
|
|
|
There are some key concepts and terms you should be aware of before attempting to use {{book.project.name}} to secure your web applications
|
|
and REST services.
|
|
|
|
users::
|
|
Users are entities that are able to log into your system. They can have attributes associated with themselves like email,
|
|
username, address, phone number, and birth day. They can be assigned group membership and have specific roles assigned to them.
|
|
authentication::
|
|
The process of identifying and validating a user.
|
|
authorization::
|
|
The process of granting access to a user.
|
|
credentials::
|
|
Credentials are pieces of data that {{book.project.name}} uses to verify the identity of a user. Some examples are passwords,
|
|
one-time-passwords, digital certificates, or even fingerprints.
|
|
roles::
|
|
Roles identify a type or category of user. `Admin`, `user`, `manager`, and `employee` are all typical roles that may exist
|
|
in an organization. Applications often assign access and permissions to specific roles rather than individual users as dealing
|
|
with users can be too fine grained and hard to manage
|
|
user role mapping::
|
|
A user role mapping defines a mapping between a role and a user. A user can be associated with zero or more roles. This
|
|
role mapping information can be encapsulated into tokens and assertions so that applications can decide access permissions on
|
|
various resources they manage
|
|
composite roles::
|
|
A composite role is a role that can be associated with other roles. For example a `superuser` composite role could be associated with the
|
|
`sales-admin` and `order-entry-admin` roles. If a user is mapped to the `superuser` role they also inherit the `sales-admin` and `order-entry-admin` roles.
|
|
groups::
|
|
Groups manage groups of users. Attributes can be defined for a group. You can map roles to a group as well. Users that become members of a group
|
|
inherit the attributes and role mappings that group defines.
|
|
realms::
|
|
A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another
|
|
and can only manage and authenticate the users that they control.
|
|
clients::
|
|
Clients are entities that can request {{book.project.name}} to authenticate a user. Most often, clients are applications and services that
|
|
want to use {{book.project.name}} to secure themselves and provide a single sign-on solution. Clients can also be entities that just want to request
|
|
identity information or an access token so that they can securely invoke other services on the network that are secured by {{book.project.name}}
|
|
client adapters::
|
|
Client adapters are plugins that you install into your application environment to be able to communicate and be secured by {{book.project.name}}. {{book.project.name}}
|
|
has a number of adapters for different platforms that you can download. There are also third-party adapters you can get for environments that we don't cover.
|
|
consent::
|
|
Consent is when you as an admin want a user to give permission to a client before that client can participate in the authentication process.
|
|
After a user provides their credentials, {{book.project.name}} will pop up a screen identifying the client requesting a login and what identity
|
|
information is requested of the user. User can decide whether or not to grant the request.
|
|
client templates::
|
|
When a client is registered you need to enter configuration information about that client. It is often useful to store a template
|
|
of this to make create new clients easier. {{book.project.name}} provides the concept of a client template for this.
|
|
client role::
|
|
Clients can define roles that are specific to them. This is basically a role namespace dedicated to the client.
|
|
identity token::
|
|
A token that provides identity information about the user. Part of the OpenID Connect specification.
|
|
access token::
|
|
A token that can be provided as part of an HTTP request that grants access to the service being invoked on. This is part of
|
|
the OpenID Connect and OAuth 2.0 specification.
|
|
assertion::
|
|
Information about a user. This usually pertains to an XML blob that is included in a SAML authentication response that
|
|
provided identity metadata about an authenticated user.
|
|
service account::
|
|
Each client has a built in service account which allows it to obtain an access token.
|
|
direct grant::
|
|
A way for a client to obtain an access token on behalf of a user via a REST invocation.
|
|
protocol mappers::
|
|
For each client you can tailor what claims and assertions are stored in the OIDC token or SAML assertion. You do this per client by creating and configuring
|
|
protocol mappers.
|
|
session::
|
|
When a user logs in, a session is created to manage the login session. A session contains information like when the user logged in and what
|
|
applications have participated within single-sign on during that session. Both admins and users can view session information.
|
|
user federation provider::
|
|
{{book.project.name}} can store and manage users. Often, companies already have LDAP or Active Directory services that store user and credential
|
|
information. You can point {{book.project.name}} to validate credentials from those external stores and pull in identity information.
|
|
identity provider::
|
|
An identity provider (IDP) is a service that can authenticate a user. {{book.project.name}} is an IDP.
|
|
identity provider federation::
|
|
{{book.project.name}} can be configured to delegate authentication to one or more IDPs. Social login via
|
|
Facebook or Google+ is an example of identity provider federation. You can also hook {{book.project.name}} to delegate
|
|
authentication to any other Open ID Connect or SAML 2.0 IDP.
|
|
identity provider mappers::
|
|
When doing IDP federation you can map incoming tokens and assertions to user and session attributes. This helps you propagate identity information from the external IDP
|
|
to your client requesting authentication.
|
|
required actions::
|
|
Required actions are actions a user must perform during the authentication process. A user will not be able to complete the authentication process until these actions
|
|
are complete. For example, an admin may schedule users to reset their passwords every month. An `update password` required action would be set for all these
|
|
users.
|
|
authentication flows::
|
|
Authentication flows are work flows a user must perform when interacting with certain aspects of the system. A login flow can define
|
|
what credential types are required. A registration flow defines what profile information a user must enter and whether something like reCAPTCHA
|
|
must be used to filter out bots. Credential reset flow defines what actions a user must do before they can reset their password.
|
|
events::
|
|
Events are audit streams that admins can view and hook into.
|
|
themes::
|
|
Every screen provided by {{book.project.name}} is backed by a theme. Themes define HTML templates and stylesheets which you can override as needed. |