Security & Identity Management Flashcards
What is the difference between Authentication and Authorization?
Authentication:
- Confirms the identity of a user (i.e., “Who are you?”).
- Uses mechanisms like passwords, biometrics, OTPs, and OAuth.
- Example: Entering a username and password to log in.
Authorization:
- Determines what actions or resources a user can access (i.e., “What are you allowed to do?”).
- Implemented via roles, permissions, and access control lists (ACLs).
- Example: An authenticated user may have access to read data but not modify it.
What is OAuth2?
OAuth2 (Open Authorization) is an authorization framework that allows third-party applications to access a user’s data without exposing credentials. It is commonly used in API authentication and delegated access scenarios (e.g., logging in with Google or Facebook).
This means it focuses on granting permission to access resources, rather than verifying a user’s identity.
Delegated Access:
OAuth 2.0 allows users to grant “delegated access” to their resources. For example, you might allow a social media management tool to access your social media account to post updates, without giving that tool your social media password.
Resource Owner: The user who owns the resources.
Client: The third-party application that wants to access the resources.
Authorization Server: The server that issues access tokens.
Resource Server: The server that hosts the protected resources.
Access Token: A credential that represents the authorization granted by the resource owner.
What are the key components of OAuth2?
- Resource Owner: The user who grants access to their resources.
- Client: The third-party application requesting access.
- Authorization Server: Issues access tokens after user authentication.
- Resource Server: The API or system that holds the protected data.
- Access Token: A credential used to access protected resources on behalf of the user.
What are the different OAuth2 grant types?
- Authorization Code Grant (Most secure, used for web apps)
- Implicit Grant (Less secure, mainly for front-end applications - deprecated)
- Client Credentials Grant (Used for machine-to-machine authentication)
- Password Grant (User credentials are exchanged for an access token - less secure, not recommended)
- Refresh Token Grant (Allows obtaining new access tokens without re-authentication)
How does OAuth2 work?
- User initiates authentication via a third-party service (Google, Facebook, etc.).
- Authorization server redirects user to a login page.
- User grants permission to share their data.
- Authorization server issues an authorization code.
- Client exchanges the authorization code for an access token.
- Client uses the access token to access the resource server (API).
What is the difference between OAuth2 and OpenID Connect (OIDC)?
- OAuth2: Handles authorization (i.e., giving apps access to data).
- OpenID Connect (OIDC): Extends OAuth2 to include authentication (i.e., verifying user identity).
What is the difference between OAuth2 and API Keys?
- OAuth2 is a secure, token-based authorization framework that allows granular access control and token expiration.
- API Keys are static credentials that do not expire (unless revoked) and lack fine-grained access control.
- Key Differences:
  - Expiration: OAuth2: Yes (access tokens expire). API Keys: No (valid until revoked).
  - Scope-based Access: OAuth2: Yes (can specify user roles and permissions). API Keys: No (access is all or nothing).
  - Security: OAuth2: More secure (short-lived tokens, refresh mechanisms). API Keys: Less secure (prone to leakage and unauthorized access).
  - Best Used For: OAuth2: User authentication, delegated authorization. API Keys: Simple service-to-service API access.
How do you secure OAuth2 tokens?
- Use HTTPS to encrypt communication and prevent token interception.
- Use Refresh Tokens instead of reusing access tokens.
- Set Short Expiry Times for access tokens to minimize risk.
- Implement Scopes & Roles to ensure limited access control.
- Rotate Tokens Periodically to prevent long-term abuse.
- Use JWT Signature Verification to validate token authenticity.
How does JWT (JSON Web Token) work in OAuth2?
- JWT is a compact, self-contained token that securely transmits information between parties.
- A JWT consists of three parts:
1. Header – Contains the signing algorithm (HS256, RS256).
2. Payload – Contains claims (user details, roles, expiration time).
3. Signature – Ensures the integrity of the token.
- Example JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiAxMjMsICJyb2xlIjogImFkbWluIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
- Verification Process:
- The client sends the JWT in the Authorization header (Bearer <token>).
- The server validates the signature to ensure it was issued by a trusted authority.
- If valid, the server extracts claims and grants access.
How does OAuth2 handle token expiration and renewal?
- Access tokens are short-lived (e.g., 15-60 minutes) for security.
- Refresh tokens allow obtaining a new access token without re-authentication.
- Renewal Process:
1. The client sends a request to the authorization server with the refresh token.
2. The server verifies the refresh token and issues a new access token.
3. The client uses the new access token for further API requests.
What is PKCE (Proof Key for Code Exchange), and why is it important?
- PKCE prevents authorization code interception attacks in OAuth2 by using a dynamically generated code challenge.
- How it works:
1. The client generates a random string (code verifier).
2. The client hashes it into a code challenge and sends it to the authorization server.
3. When exchanging the authorization code, the client must send the original code verifier.
4. The server validates it before issuing tokens.
- Why it’s important:
- Prevents man-in-the-middle attacks.
- Improves security for public clients (SPAs, mobile apps) that cannot store secrets safely.
Why Do We Use “Bearer” Before the Token in OAuth2?
- The “Bearer” prefix is used in the Authorization header to indicate that the provided token is a Bearer Token, meaning:
- The token grants access to protected resources without requiring further authentication.
- The server does not need to verify the sender; it only checks the validity of the token.
- The client sends it in the following format:
Authorization: Bearer <access_token>
Why Not Just Send the Token?
- "Bearer" clarifies the type of token being used.
- Some systems support multiple authentication types (e.g., Basic, Digest, Bearer). The prefix helps the server identify the correct authentication scheme.