The Evolution of Authentication Architectures

Authentication is an important part of any application. It has been implemented in different ways over the years and has evolved drastically, both to overcome security flaws and to stand up to increasingly aggressive cyber attacks.
Let's look at how organizations have implemented authentication over the years.
1. Homegrown
Homegrown authentication is pretty straightforward:
The user enters credentials in the client application.
The client application validates them with the server through its APIs.
Based on the server's response, the client application authorizes the user.
The main flaw in this implementation is that the user hands credentials directly to the client application, which then forwards them over its own APIs and relies on those APIs alone for validation. Every such call carries the raw credentials, so an attacker who can reach or observe those APIs can easily steal them.
2. LDAP
LDAP (Lightweight Directory Access Protocol) is one of the protocols used to communicate securely with the client's database.
The user opens the client's application and enters credentials.
The client sends the user's information to the Identity Provider.
The Identity Provider validates the user's information against the database.
The Identity Provider passes the validation result to the client.
Based on that result, the client authorizes the user.
Flaws in this implementation:
The user still provides credentials directly to the client, which is not a secure practice.
The Identity Provider and the authentication database have to be located in the same datacenter.
It works only on-premises; it does not work for cloud environments.
It has no proper implementation for authorizing access to individual services.
3. SAML
SAML (Security Assertion Markup Language) uses XML and secret keys to pass information between the client (Service Provider) and the Identity Provider. It is more secure than the previous architectures: the user does not pass credentials directly to the client, and communication between the providers and the database is handled more securely.
The user opens the client's application.
The client redirects the user to the Identity Provider's application.
The user provides credentials to the Identity Provider.
The Identity Provider validates the information against the database.
The Identity Provider passes the validated information to the client.
The client validates the user based on that information.
Flaws in this implementation:
There are no major security flaws in the authentication part of this architecture. When it comes to authorization, however, there is no proper secure implementation: the client application still has to follow its regular procedure to authorize the user for the requested services. SAML does not protect the REST APIs within an enterprise application or between its servers, so it is not an ideal solution for microservice architectures.
4. OAuth 2.0
Open Authorization (OAuth) is a way of implementing a secure authorization technique.
Example: Google Sign-On
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service (Google), either on behalf of a resource owner (the user) by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application (the client application) to obtain access on its own behalf.
OAuth 2.0 Roles:
Resource Owner: the user, via the user agent
Resource Server: the REST API that protects the resource
Client: the application that needs access
Authorization Server: authorizes the client, issues access tokens, hosts the OAuth endpoints
Procedure to implement OAuth for any application:
The client registers with the Authorization Server, which identifies it by a client name and a client secret key.
The client sends an HTTP POST request with the relevant information, including the client secret key, to the authorization server to obtain an access token.
The client accesses resources with that access token.
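As an added example (not the author's code), the three steps above carried through end to end for the client_credentials grant: the client's token request, an authorization server that checks the registered secret and issues a bearer token, and a REST API that admits only that token. The client_id, secret and endpoint path are constructed placeholders, and both servers are simulated in-process so the exchange runs offline.

```python
import base64, hmac, secrets, time
from urllib.parse import parse_qs

# Step 1, constructed: the registration the authorization server keeps for a
# hypothetical client. The client_id and secret here are made-up values.
REGISTERED_CLIENTS = {"inventory-service": b"s3cr3t-example-key"}
ISSUED_TOKENS = {}  # access_token -> (client_id, expiry timestamp)

def build_token_request(client_id, client_secret, scope):
    """Step 2: the client's POST to the token endpoint (client_credentials grant).
    The secret rides in an HTTP Basic header, not the URL, so it stays out of logs."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"method": "POST", "path": "/oauth/token",
            "headers": {"Authorization": f"Basic {creds}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": f"grant_type=client_credentials&scope={scope}"}

def authorization_server(request):
    """Authorization server: verifies the client, then issues a short-lived token."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    expected = REGISTERED_CLIENTS.get(client_id)
    # constant-time compare: a wrong secret must not be narrowed down by timing
    if expected is None or not hmac.compare_digest(secret.encode(), expected):
        return 401, {"error": "invalid_client"}
    if parse_qs(request["body"]).get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)  # opaque, unguessable bearer token
    ISSUED_TOKENS[token] = (client_id, time.time() + 300)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 300}

def resource_server(headers):
    """Step 3: the protected REST API admits only a known, unexpired bearer token."""
    auth = headers.get("Authorization", "")
    entry = ISSUED_TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
    if entry is None or entry[1] < time.time():
        return 401, {"error": "invalid_token"}
    return 200, {"client": entry[0], "items": ["widget-1", "widget-2"]}

def run_flow(client_id, client_secret):
    """Whole exchange: token request, then the API call the token unlocks."""
    status, body = authorization_server(
        build_token_request(client_id, client_secret, "inventory.read"))
    if status != 200:
        return status, body
    return resource_server({"Authorization": f"Bearer {body['access_token']}"})
```

Note that the resource server never sees the client secret: only the opaque token crosses to the API, which is what lets the same token protect REST calls between services.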
There is more to discuss on OAuth 2.0. I will post a separate blog about that.
I appreciate you reading till the end! Let me know your thoughts or if there's anything I should add. Cheers! 🎉
Written by

Kranthi
I specialize in Java, IAM, and SailPoint, solving identity security challenges and always open to discussions on java, access governance and authentication.