Intro

Zywave Auth uses OpenId Connect, an extension of OAuth 2.0, to provide authentication and authorization functionality for apps and APIs.

Additional API-driven features such as licenses, permissions, and profiles are available for more granular authorization control.

Authorization

Authorization (AuthZ) is the process of securely granting permission. Zywave utilizes OAuth 2.0 as the primary means of authorization.

OAuth 2.0 is a standard protocol that defines grant types to enable clients to request access to resources from the authorization server on behalf of resource owners.

To break this down, we need to define a few terms:

Authorization Server

A server that issues access tokens to authenticated clients that provide authorization to resources
In SSO scenarios this is often called an Identity Provider (IdP)

Client

An application that requests protected resources on behalf of the resource owner
Clients can be "confidential" if they are capable of maintaining confidentiality of their own credentials, such as server-side applications
Clients are "public" if they cannot maintain confidentiality of their own credentials, such as native applications, browser-based applications, or anything installed or distributed outside of a secured location

Grant type

Defines the flow that will be used
The response for the initial authorization request is a grant which can be exchanged with the authorization server for a token.

Resource

Protected data that can be obtained from the server
Typically available by an API

Resource Owner

A subject that can grant access to a protected resource
Often a User Principal

Putting it all together in easier terms:

OAuth 2.0 is a standard protocol that defines flows to enable apps to request access to APIs from the IdP on behalf of users.

Authentication

Authentication (AuthN) is the process of proving the identity of a subject. Zywave uses OpenId Connect (OIDC) as the primary means of authentication.

OpenId Connect is an identity layer on top of OAuth 2.0 that enables clients to verify the identities of end-users.

I﻿ntro

A﻿uthorization