Authorization technologies in a nutshell
A few words about basic concepts
Authentication (proving who the caller is) and authorization (deciding what the caller may do) are two separate concerns. This is important to understand because it implies that whatever authorization technology you use, you will need another technology for authentication alongside it.
Authentication is not part of this blog post. As a reference for further reading there is, for example, the authentication protocol OpenID Connect, which is layered on top of OAuth2 and can be used with JWT as well. Refer to e.g. this video course to learn how to use OpenID Connect with JWT.
The user/e-mail and password anti-pattern
A little bit of history… do not hand your user/e-mail + password to third-party applications as a way of granting them access to your data! The question the OAuth project was created to answer is “(h)ow can I let an app access my data without giving it my password?”. Use a delegated authorization protocol such as OAuth2 instead: the app receives a scoped, revocable access token rather than your credentials.
JSON Web Token (JWT)
Watch this approx. 1 min video to get the big picture about JWT.
Watch this approx. 6 1/2 min video to get the big picture about OAuth2.
How to explain authorization to non-IT people
If you have to explain to someone how an OAuth2 exchange works, use the hotel key analogy:
- The hotel guest (application) requests access to the hotel room (resource) at the hotel reception (authorization server) by showing their personal ID. The hotel guest gets a hotel keycard (access token) from the hotel reception.
- Whenever the hotel guest wants to enter the room, they insert the hotel keycard into the door lock (resource server). The door lock does not care about the guest’s name or password; it only checks that the keycard is valid for that room and has not expired.
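The exchange described above, as an added example that is not part of the original post: a minimal authorization server (`issue_access_token`, the hotel reception) that mints an HS256-signed JWT, and a resource server (`verify_access_token`, the door lock) that accepts or rejects the presented token without ever seeing a username or password. It uses only the Python standard library. The issuer URL, the shared secret and the claim values are made up for this example; a real deployment would use an asymmetric signature (RS256/ES256) with the issuer's public key and a maintained JWT library rather than hand-rolled parsing.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret shared by the authorization server (reception) and the
# resource server (door lock). Made up for this example; never reuse it.
SHARED_SECRET = b"example-only-do-not-use-in-production"
ISSUER = "https://auth.example"  # hypothetical issuer URL


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject: str, scope: str, ttl_seconds: int = 3600,
                       now: Optional[int] = None) -> str:
    """Authorization server: after the user has been authenticated (out of scope here),
    hand out a keycard: a signed JWT saying who it is for, what it permits and until when."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "scope": scope, "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_access_token(token: str, required_scope: str,
                        now: Optional[int] = None) -> Optional[dict]:
    """Resource server (the door lock): returns the claims if the keycard is valid for
    this door, otherwise None. It checks the token, not the guest's name or password."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        presented_sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm server-side: never let the token's own "alg" decide
    # (this rejects alg=none and algorithm-confusion tokens outright).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(SHARED_SECRET, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # keycard expired
    if required_scope not in str(claims.get("scope", "")).split():
        return None  # keycard opens a different door
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    card = issue_access_token("guest-417", "room:417", now=t0)
    print("own door, in time:", verify_access_token(card, "room:417", now=t0 + 60) is not None)
    print("other door:       ", verify_access_token(card, "room:418", now=t0 + 60) is not None)
    print("after checkout:   ", verify_access_token(card, "room:417", now=t0 + 3600) is not None)
```

The three checks that matter on the resource-server side are the ones most often skipped in hand-written verifiers: the algorithm is fixed by the server rather than read from the token, the signature is compared in constant time before any claim is trusted, and expiry and scope are enforced on every request. Note that the door lock never stores or sees the guest's password; it only needs the means to verify the reception's signature.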
Where to go next
To learn more about OAuth2 in the development context, head over to the code section of the official website and check out a video course like “The Nuts and Bolts of OAuth 2.0” (covers OpenID Connect and JWT as well) by Aaron Parecki, an OAuth expert who is heavily involved in the OAuth working group.
To learn more about JWT in the development context, head over to the official introduction and check out a video course like “OpenID Connect & JWT: Identity as a Service for your app”.