Authentication and Authorization with Exciton Boost
Thu 3 Dec 2020, 11:49 AM
by Ben Langhinrichs
Two related topics which come up a lot with customers interested in our Exciton Boost product are authentication and authorization (aka access). The two terms are often used somewhat interchangeably, but they are quite distinct.
Here's an overview of some differences between authentication and authorization. This table is adapted from an excellent discussion of the topic on Auth0's website, titled "Authentication and Authorization".
| Authentication (Domino and/or IAM service) | Authorization (Domino and Exciton Boost) |
| --- | --- |
| Determines whether users are who they claim to be | Determines what users can and cannot access |
| Uses passwords, security questions, 2FA, etc. to validate the user's credentials | Verifies access using access control lists and other policies and rules |
| Usually done before authorization, or sometimes after a very thin layer of authorization (if nobody has access to a server, there's no need to authenticate before determining that). | Usually done after successful authentication. If anonymous access is allowed, authorization is based on what is considered accessible to anyone, often very limited. |
| Domino session authentication usually relies on a session token in a cookie, while IAM uses an ID token plus secret. | Either a session token is passed via HTTP (as a cookie) or the information is transmitted through an Access Token. |
| Domino session authentication uses its own NAB or LDAP or whatever, while IAM is governed by an OpenID Connect (OIDC) protocol. (I think. I am not great with these admin details.) | Authorization relies on Domino security first, via a cascading set of factors such as maximum internet access and ACLs. Access using Exciton adds an additional layer of more finely tuned access based on the Exciton Configuration database. |
Basically, the first step is to prove who you are to Domino. Then, once Domino is convinced you are you, both Domino and Exciton have to decide whether you have sufficient access (authorization) to do what you want to do. Finally, you do it. (All this sounds complicated, but it happens in the blink of an eye.)
Domino's ACL is well known. Exciton's access rules live in a configuration database that defines which databases, forms, and views are accessible, and whether they can be used with the REST API or the RPC API. Specific fields on those forms can be defined as accessible or inaccessible (include or exclude field lists). Thus, while Domino Access Services will let you set almost any field with almost any form, or no form at all, Exciton Boost makes sure you are only able to create, read, update, and delete the fields and documents that you are supposed to.
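To make the cascade concrete, here is an added Python model of the layered decision the post describes: the Domino ACL (capped by maximum internet access) is consulted first, then a per-database, per-form rule with include/exclude field lists and a REST/RPC switch. This is illustrative code written for this post, not Exciton Boost's actual configuration format or code; the `FormRule` structure, the required-level mapping and all sample names are constructed assumptions.

```python
"""Model of the layered authorization described in the post.

Constructed example: the ACL level order matches Domino's, but the
REQUIRED_LEVEL mapping, the FormRule shape and the sample data are
simplified assumptions, not the product's real configuration or API.
"""
from dataclasses import dataclass, field

# Domino ACL access levels in ascending order of privilege.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Minimum ACL level each operation needs (simplified assumption for the model).
REQUIRED_LEVEL = {"read": "Reader", "create": "Author", "update": "Editor", "delete": "Editor"}


@dataclass
class FormRule:
    """Per-form rule in a hypothetical Exciton-style configuration."""
    apis: set                                    # which APIs may use the form, e.g. {"REST", "RPC"}
    include: set = field(default_factory=set)    # allow-list of fields; empty means no restriction
    exclude: set = field(default_factory=set)    # deny-list of fields, applied after the allow-list


@dataclass
class Decision:
    allowed: bool
    reason: str
    fields: list = field(default_factory=list)   # the requested fields that passed the field rules


def effective_level(user, acl, max_internet_access):
    """Domino layer: the user's ACL entry, capped by the maximum internet access setting."""
    level = acl.get(user, acl.get("-Default-", "No Access"))
    # For an HTTP session the lower of the two levels wins.
    return min(level, max_internet_access, key=ACL_LEVELS.index)


def authorize(user, op, db, form, fields, api, acl, max_internet_access, config):
    """Cascade: Domino ACL first, then the Exciton-style database/form/API/field rules."""
    level = effective_level(user, acl, max_internet_access)
    if ACL_LEVELS.index(level) < ACL_LEVELS.index(REQUIRED_LEVEL[op]):
        return Decision(False, f"Domino ACL: {level} is below {REQUIRED_LEVEL[op]} needed for {op}")
    db_rules = config.get(db)
    if db_rules is None:
        return Decision(False, f"Exciton config: database {db} is not exposed")
    rule = db_rules.get(form)
    if rule is None:
        return Decision(False, f"Exciton config: form {form} is not exposed in {db}")
    if api not in rule.apis:
        return Decision(False, f"Exciton config: form {form} is not enabled for the {api} API")
    permitted, denied = [], []
    for name in fields:
        ok = (not rule.include or name in rule.include) and name not in rule.exclude
        (permitted if ok else denied).append(name)
    if denied:
        # Fail closed: one disallowed field rejects the whole request rather than silently dropping it.
        return Decision(False, f"Exciton config: field(s) {sorted(denied)} not accessible on {form}", permitted)
    return Decision(True, "allowed", permitted)


# Constructed sample data (not real names, databases or settings).
ACL = {"-Default-": "No Access", "Anonymous": "No Access",
       "Jane Doe/Acme": "Editor", "Web Reader/Acme": "Reader"}
MAX_INTERNET_ACCESS = "Editor"
CONFIG = {
    "orders.nsf": {
        "Order": FormRule(apis={"REST", "RPC"}, include={"Customer", "Total", "Status"}),
        "Invoice": FormRule(apis={"REST"}, exclude={"ApprovedBy"}),
    }
}

if __name__ == "__main__":
    for req in [("Jane Doe/Acme", "update", "orders.nsf", "Order", ["Status"], "REST"),
                ("Jane Doe/Acme", "update", "orders.nsf", "Order", ["Status", "InternalNotes"], "REST"),
                ("Jane Doe/Acme", "update", "orders.nsf", "Invoice", ["Total", "ApprovedBy"], "REST"),
                ("Web Reader/Acme", "update", "orders.nsf", "Order", ["Status"], "REST"),
                ("Anonymous", "read", "orders.nsf", "Order", ["Total"], "REST")]:
        d = authorize(*req, ACL, MAX_INTERNET_ACCESS, CONFIG)
        print(req[0], req[1], req[3], "->", "ALLOW" if d.allowed else "DENY", "|", d.reason)
```

The ordering matters: a request that fails at the Domino layer never reaches the Exciton rules, and a field outside the allow-list (or on the deny-list) rejects the whole request instead of being silently dropped, which is the behaviour you want when the point of the extra layer is to stop callers writing fields they should not touch.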
Copyright © 2020 Genii Software Ltd.