Appendix A: Glossary
The following is a list of terms and their definitions as they are used in this book.
Access Token – In the context of OAuth 2 and OIDC, a security token used by an application to access protected resources such as an API.
Account – A construct within a software application or service that usually contains, or is associated with, identity information and optionally privileges, and which is used to access features within the application or service.
Application – A software application that issues requests to a server.
Application Programming Interface (API) – A software service interface that allows a client program to request resources or actions from the software service.
Authorization Code – In the context of OAuth 2 and OIDC, an intermediary, opaque code returned to an application which represents the user’s authorization of the application to call an API on the user’s behalf. It is used to obtain security token(s).
Authorization Server – A service which implements the OAuth 2 protocol, enables resource owners (users) to authorize applications to access content they own at resource servers, and issues security tokens enabling the authorized access.
B2B (Business to Business) – A business model where services are targeted to businesses that use the services in some way to deliver a service to their customers.
B2C (Business to Consumer) – A business model where services are targeted to consumers who typically act on their own behalf.
B2E (Business to Employee) – A business model where services are targeted to businesses where the users are the employees of the businesses and act on their employer’s behalf.
Back-Channel – Communication sent directly from one component, typically a back-end server, to another back-end server, as opposed to being sent via HTTP redirects, with a user’s browser as an enabling intermediary. Compare to front-channel.
Browser-Based Application – See the definition for single-page application.
Client – In the context of OAuth 2 and OIDC, an application that requests access to protected resources on behalf of the owner of those resources.
Confidential Client – In the context of OAuth 2 and OIDC, an application that runs on a protected server which enables it to securely store confidential secrets with which to authenticate itself to the authorization server.
Directory Server – A repository for storing, managing, and organizing information about resources. Directory server products have often been optimized for storing information that is frequently read but infrequently modified, and have been used to store information about entities such as users, access control privileges, application configurations, and network printers. Information in directory services has been used for authentication and authorization of users.
End User or User – A human subject using applications or services and who is authenticated and authorized when accessing protected resources.
Front-Channel – Communication sent via HTTP redirects, with a user’s browser as an enabling intermediary, instead of directly from one back-end server to another back-end server. Compare to back-channel.
HS256 – Hash-based message authentication code (HMAC) using the SHA-256 hash function. A symmetric cryptographic algorithm that can be used for creating and validating a digital signature. It is one option for signing a JSON Web Token, but requires both the issuer and validator of the token to know the same secret.
Identifier – A single identifying attribute that points to a unique individual user or entity, within a particular context.
Identity – A set of attributes, including one or more identifiers, associated with a specific user or entity, in a particular context.
Identity Proofing – The process of vetting a user’s identity and profile information.
Identity Provider (IdP) – (1) A general term for an entity providing an identity service designed to authenticate users and provide assertions about an authenticated user and the authentication event. (2) In the context of the SAML 2 cross-domain single sign-on profile specification, a server which issues SAML 2 assertions about an authenticated subject and authentication event.
Identity Repository – A collection of users stored in a computer storage system, such as a database or directory service.
ID Token – In the context of OIDC, a token used to convey claims about an authentication event and an authenticated entity to a relying party (application).
Internet of Things (IoT) Device – A network-attached device that has an IP address and is capable of transferring information over a network without human interaction. Usually refers to dedicated-purpose devices such as sensors or smart appliances as opposed to general computing devices such as computer servers.
Least Privilege – A security principle of granting the minimum privilege level required for a task or operating at the lowest possible privilege level for a task.
Mobile Application – An application that executes on a mobile device as a native application.
Multitenant Application – An application deployment shared by multiple independent customers whose data is segmented into their own area of the application’s data storage. The separation between different customers’ data is enforced by the application and its storage, rather than the network.
Native Application – An application installed and run natively on a computing device.
OpenID Provider – In the context of OIDC, an OAuth 2 authorization server that authenticates a user and returns claims about the user and authentication event to a relying party (application) in accordance with the OIDC specification. Applications can delegate user authentication to an OpenID Provider.
Public Client – In the context of OAuth 2 and OIDC, an application that executes primarily on the user’s client device or in the client browser and cannot securely store secrets with which to authenticate itself to an authorization server.
Refresh Token – In the context of OAuth 2 and OIDC, a token that can be used by an application to request a new access token when a prior access token has expired or become invalid. With OIDC, a refresh request can optionally return an ID Token as well.
Relying Party – An entity that delegates authentication to an Identity Provider or OpenID Provider or delegates authorization to an authorization server and, in either case, relies on the results, usually in the form of security tokens. With OAuth 2, an API is a relying party, and with OIDC and SAML 2, an application is a relying party.
Resource Owner – In the context of OAuth 2, a user that authorizes access to protected resources hosted at a resource server.
Resource Server – In the context of OAuth 2 and OIDC, an entity that contains protected resources.
RS256 – RSA signature with the SHA-256 hash algorithm. An asymmetric cryptographic algorithm that can be used for creating and validating a digital signature. It is one option for signing a JSON Web Token and, unlike HS256, does not require that the issuer and validator of the token know the same secret.
Security Domain – A logical construct that defines the boundaries of one entity’s control or ownership.
Service Provider – (1) A general term for an entity providing a service, such as an application, to a user. (2) In the context of the SAML 2 cross-domain single sign-on profile specification, a client entity which requests SAML 2 assertions about an authenticated subject and authentication event.
Single-Page Application (SPA) – An application with logic that executes primarily in a browser, by dynamically altering the displayed web page, rather than making requests to a server to render new pages to respond to user actions. A SPA is assumed to be a public client, as defined by OAuth 2.
Tracking Prevention – A set of features implemented by browsers to limit the ability of third parties to track users’ activity across different websites.
User – See the definition for end user.
User Consent – In the context of provisioning an account for a user, the process through which an end user is asked to provide their consent for the collection and processing of their personal data. In the context of OAuth 2, the process through which a user provides their consent to authorize an application to access protected resources on their behalf.
Web Application or Traditional Web Application – An application with logic that executes primarily from a protected server, by rendering new pages from the server to respond to user actions. Traditional web applications are assumed to meet the definition of a confidential client, as defined by OAuth 2.