There are many options for securing identities in your application. Selecting the right technology for your application will help ensure that your application is secure, while maintaining a great experience for your users. You want to provide secure access to your application without requiring the users to manage extra user accounts and credentials.
Modern Authentication is a method of identity management that offers more secure user authentication and authorization. It has the following characteristics.
- Authentication methods (authentication = how a user or service proves who it is when logging in to a system)
- Authorization methods (authorization = mechanisms that decide what an authenticated identity is allowed to access, instead of granting full access by default)
- Conditional access policies (policies that define the conditions under which additional steps, such as a second factor, are required before a user can log in to a system)
Users authenticate in two stages:
- The identity provider verifies the identity of users who exist in the directory. Upon successful authentication, it issues tokens that carry the result of that authentication.
- The user passes those tokens to the application. The application must validate the user’s security tokens to ensure that authentication was successful, rather than trusting their contents as presented.
OAuth 2.0 is the industry-standard protocol for authorization. It provides specific authorization flows for web, desktop, and mobile applications. The specification was primarily designed to let users authorize one application to access their data in another application. With OAuth, you can enable this server-to-server communication: users can authorize your application to access their contact information held by another service, without needing to share passwords between the applications.
OpenID Connect is an authentication layer that’s built on top of OAuth 2.0. It includes identity verification methods that are missing from OAuth 2.0. OpenID Connect gives you an access token plus an ID token, which you can send to an application to prove your identity.
The ID token is a JSON Web Token (JWT) and contains information about the authenticated user. The identity provider signs the token, so that applications can verify the authentication by using the provider’s public key.
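The signature check described above, carried through end to end as an added example that is not part of this page and not Microsoft's library code: a throwaway RSA key pair stands in for the provider's signing key, `MintIDToken` plays the identity provider and `ValidateIDToken` plays the application. The issuer URL and client ID are placeholders. A real application obtains the provider's public keys from its published JWKS (reachable through the OpenID Connect discovery document) and selects the key named by the token's `kid` header; that fetch is left out so the code runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID token claims this example checks.
type Claims struct {
	Iss string `json:"iss"` // issuer: the identity provider that minted the token
	Sub string `json:"sub"` // subject: stable identifier of the authenticated user
	Aud string `json:"aud"` // audience: the client application the token is for
	Iat int64  `json:"iat"` // issued-at, Unix seconds
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

// EncodeSegment base64url-encodes one JWT segment without padding (RFC 7515).
func EncodeSegment(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintIDToken plays the identity provider: RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
func MintIDToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := EncodeSegment(header) + "." + EncodeSegment(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + EncodeSegment(sig), nil
}

// ValidateIDToken plays the application: verify the signature with the provider's
// public key before trusting any claim, then check issuer, audience and expiry.
func ValidateIDToken(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, fmt.Errorf("bad header JSON: %w", err)
	}
	// Pin the algorithm the application expects; the token never gets to choose
	// its own verification method (this is what rejects "alg":"none").
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature does not verify under the provider's public key")
	}
	var c Claims // only a token whose signature verified is worth parsing further
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, fmt.Errorf("bad payload JSON: %w", err)
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q is not the expected provider", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q is not this application", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token has expired")
	}
	return &c, nil
}

func main() {
	// Constructed demo values: throwaway provider key pair, placeholder issuer and client ID.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := MintIDToken(priv, Claims{Iss: "https://idp.example/tenant-placeholder", Sub: "user-123",
		Aud: "client-id-placeholder", Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	c, err := ValidateIDToken(tok, &priv.PublicKey, "https://idp.example/tenant-placeholder", "client-id-placeholder", now)
	fmt.Printf("validated=%v err=%v claims=%+v\n", err == nil, err, c)
}
```

The order of checks is the point: the signature is verified over the exact bytes received before the payload is parsed, the algorithm is fixed by the application rather than read from the token, and the `aud` check stops a token issued for a different client from being replayed against this one.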
This diagram shows how the client application, the application server, and the identity provider communicate in an OpenID Connect authentication request. The client might be a mobile app or a desktop application. In this case, it’s a web browser. The application server is usually a web server that hosts webpages or a web API. The identity provider in the middle is Azure AD.