Genii Weblog

Authentication and Authorization with Exciton Boost

Thu 3 Dec 2020, 11:49 AM



by Ben Langhinrichs
 
 
Two related topics which come up a lot with customers interested in our Exciton Boost product are authentication and authorization (aka access). The two terms are often used somewhat interchangeably, but they are quite distinct.
 
Here's an overview of some differences between authentication and authorization. This table is adapted from an excellent discussion of the topic on Auth0's website at Authentication and Authorization.
 
Authentication (Domino and/or IAM service) vs. Authorization (Domino and Exciton Boost)

Authentication: Determines whether users are who they claim to be.
Authorization: Determines what users can and cannot access.

Authentication: Uses passwords, security questions, 2FA, etc. to validate the user's credentials.
Authorization: Verifies access using access control lists and other policies and rules.

Authentication: Usually done before authorization, or sometimes after a very thin layer of authorization (if nobody has access to a server, there's no need to authenticate before determining that).
Authorization: Usually done after successful authentication. If anonymous access is allowed, authorization is based on what is considered accessible to anyone, often very limited.

Authentication: Domino session authentication usually relies on a session token in a cookie, while IAM uses an ID token plus secret.
Authorization: Either a session token is passed via HTTP (as a cookie) or info is transmitted through an Access Token.

Authentication: Domino session authentication uses its own NAB or LDAP or whatever, while IAM is governed by an OpenID Connect (OIDC) protocol. (I think. I am not great with these admin details.)
Authorization: Relies on Domino security first, via a cascading set of factors such as maximum internet access and ACLs. Access using Exciton adds an additional layer of more finely tuned access based on the Exciton Configuration database.
 
Basically, the first step is to prove who you are to Domino. Then, once Domino is convinced you are you, both Domino and Exciton have to decide whether you have sufficient access (authorization) to do what you want to do. Finally, you do it. (All this sounds complicated, but it happens in the blink of an eye.)
 
Domino's ACL is well known. Exciton's access is defined by a configuration database which defines which databases, forms, and views are accessible, and whether they can be used with the REST API or the RPC API. Specific fields on those forms can be defined as accessible or inaccessible (include or exclude field lists). Thus, while Domino Access Services will let you set almost any fields with almost any form, or no form, Exciton Boost makes sure you are only able to create, read, update, and delete fields and documents that you are supposed to.
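As an added illustration of the two layers described above (example code, not Exciton Boost's or Genii Software's own): Domino's ACL is consulted first, then an Exciton-style configuration narrows which databases, forms, APIs and fields a request may touch. The ACL thresholds per operation, the shape of the configuration entries and the sample database, form and field names are all assumptions.

```python
from dataclasses import dataclass, field

# Standard Domino ACL levels, lowest to highest privilege.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
# Assumed minimum ACL level per operation (real Domino also has per-level
# privileges such as "Create documents" and "Delete documents"; omitted here).
MIN_LEVEL = {"read": "Reader", "create": "Author", "update": "Author", "delete": "Editor"}

@dataclass
class ExcitonFormRule:
    """Assumed shape of one configuration entry for a (database, form) pair."""
    apis: set                                   # which of {"REST", "RPC"} may use this form
    include: set = field(default_factory=set)   # if non-empty, only these fields are exposed
    exclude: set = field(default_factory=set)   # these fields are never exposed

def domino_authorizes(acl_level, operation):
    """Layer 1: the Domino ACL decides whether the operation is possible at all."""
    return ACL_LEVELS.index(acl_level) >= ACL_LEVELS.index(MIN_LEVEL[operation])

def exciton_filter(config, db, form, api, fields):
    """Layer 2: narrow database, form, API and fields. Returns (allowed, permitted_fields)."""
    # Fields outside the rule are silently dropped, unlike Domino Access
    # Services, which lets almost any field be set with almost any form.
    rule = config.get((db, form))
    if rule is None or api not in rule.apis:
        return False, set()
    permitted = set(fields)
    if rule.include:
        permitted &= rule.include
    return True, permitted - rule.exclude

def authorize(acl_level, config, db, form, api, operation, fields):
    """Evaluate both layers in the order the post describes: Domino first, then Exciton."""
    if not domino_authorizes(acl_level, operation):
        return {"allowed": False, "reason": "domino-acl", "fields": set()}
    ok, permitted = exciton_filter(config, db, form, api, fields)
    if not ok:
        return {"allowed": False, "reason": "exciton-config", "fields": set()}
    return {"allowed": True, "reason": "ok", "fields": permitted}

# Constructed sample configuration: database, form and field names are made up.
SAMPLE_CONFIG = {
    ("orders.nsf", "Order"): ExcitonFormRule(apis={"REST", "RPC"}, exclude={"InternalNotes", "$Readers"}),
    ("orders.nsf", "Customer"): ExcitonFormRule(apis={"REST"}, include={"Name", "Email"}),
}

if __name__ == "__main__":
    print(authorize("Editor", SAMPLE_CONFIG, "orders.nsf", "Order", "REST", "update", {"Status", "InternalNotes"}))
```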

Copyright 2020 Genii Software Ltd.
