Authentication glossary

A glossary of terms and definitions for all things related to authentication.

Authentication

Authentication is the process of confirming the identity of a user, device, or system. This is typically done by verifying something the user knows (like a password), something they have (like a smartphone or security token), or something they are (like a fingerprint or facial recognition). It's the first step in securing access to digital systems.

Authorization

Authorization occurs after authentication and determines what actions or resources a user can access within a system. It relies on roles, permissions, or access policies to grant or deny specific privileges. While authentication answers "who are you?", authorization answers "what are you allowed to do?"

Multi-Factor Authentication (MFA)

MFA requires two or more verification factors from different categories before granting access: something the user knows (a password), something the user has (a phone, authenticator app or hardware key) and something the user is (a biometric). Two checks from the same category, such as a password plus a security question, are not MFA. MFA greatly reduces the risk of account takeover because a stolen password alone is no longer enough; factors that can be phished or relayed, such as SMS codes, are weaker than phishing-resistant ones such as FIDO2/WebAuthn security keys.

Single Sign-On (SSO)

Single Sign-On allows users to authenticate once and gain access to multiple applications without needing to log in again for each one. This streamlines the user experience and reduces password fatigue. SSO is commonly used in enterprise environments to manage multiple systems with a single identity.

Two-Factor Authentication (2FA)

Two-Factor Authentication is multi-factor authentication with exactly two factors, typically something you know (a password) and something you have (a phone that receives a code, an authenticator app or a hardware key). The second factor is an extra barrier so that a leaked or guessed password on its own does not grant access.

Biometric Authentication

Biometric authentication uses physical traits, such as fingerprints, facial geometry or iris patterns, to verify a user's identity. Biometrics are convenient and hard to share or forget, and are common on mobile devices and in high-security environments. Two caveats apply: biometric matching is probabilistic (tuned between false accepts and false rejects), and a biometric cannot be rotated if it leaks, which is why devices typically use the biometric to unlock a locally stored credential or key rather than sending the biometric itself to a server.

OAuth

OAuth (today OAuth 2.0) is an open authorization framework that lets a user grant a third-party application limited, revocable access to their resources on another service without sharing their credentials with it. The application receives an access token scoped to what the user approved and presents it to the service's API. OAuth by itself is not an authentication protocol: the "sign in with ..." logins built on it use OpenID Connect, which adds an identity layer on top of OAuth 2.0.

Token

A token is a piece of data that represents an authenticated identity or a granted permission. It is usually issued after login and presented on later requests so the user does not have to re-enter credentials. Most tokens are bearer tokens: whoever presents one gets its privileges, so they must be transmitted only over TLS, stored as carefully as a credential and kept short-lived. OAuth-style systems split them into short-lived access tokens and longer-lived refresh tokens used to obtain new access tokens.

Session

A session is the period during which a user interacts with a system after successfully authenticating. The system keeps track of the user's identity and permissions for that period, typically through a session cookie holding a random identifier that maps to server-side state, or through tokens, so that authentication is not repeated for every action. Sessions should expire after a period of inactivity and after an absolute lifetime, the identifier should be regenerated when the user logs in or gains privileges (to defeat session fixation), and both the user and the operator should be able to terminate them.
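To make these points concrete, here is an added example (not code from the page's author) of a server-side session store in Python with idle and absolute timeouts, identifier rotation after login and per-user termination. The timeout values, the cookie name "session" and the user names are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    created: float     # absolute lifetime is measured from here
    last_seen: float   # idle timeout is measured from here


class SessionStore:
    """Server-side sessions: the cookie carries only a random opaque ID; identity and
    permissions stay on the server, so the client cannot tamper with them."""

    def __init__(self, idle_timeout: int = 15 * 60, absolute_timeout: int = 8 * 3600):
        self.idle_timeout = idle_timeout          # assumed defaults, tune per application
        self.absolute_timeout = absolute_timeout
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: unguessable and never derived from user data
        return secrets.token_urlsafe(32)

    def create(self, user: str, now: float) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str, now: float) -> Optional[Session]:
        """Resolve a cookie value; expired sessions are destroyed, not merely ignored."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout:
            self.terminate(sid)
            return None
        s.last_seen = now
        return s

    def rotate(self, sid: str, now: float) -> Optional[str]:
        """Issue a fresh ID for the same session (after login or a privilege change), so a
        pre-authentication ID an attacker planted (session fixation) becomes worthless."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(s.user, s.created, now)
        return new_sid

    def terminate(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def terminate_all_for(self, user: str) -> int:
        """Logout-everywhere / password change: kill every session of this user."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            self.terminate(sid)
        return len(doomed)


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that keep the ID off cleartext channels and away from scripts."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The identifier is the only thing the browser holds, so its entropy and the cookie attributes are what stand between an attacker and the session; everything else (user, permissions, timestamps) is server-side and can be revoked centrally.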

Identity Provider (IdP)

An Identity Provider is a service that authenticates users and provides identity information to other systems. It acts as a centralized authority for managing user credentials and access across different applications. Examples include Google, Facebook, or corporate systems that handle SSO and federated identity management.

Service Provider (SP)

A Service Provider is a system or application that relies on an Identity Provider (IdP) to authenticate users. The SP grants access to its services based on the identity information the IdP provides, after checking that the information is signed by that IdP and addressed to this SP. A website or application that uses SSO or federated authentication acts as an SP; OpenID Connect calls the same role the relying party (RP).

SAML (Security Assertion Markup Language)

SAML is an XML-based open standard for exchanging authentication and authorization data between an Identity Provider and a Service Provider. For single sign-on the IdP issues a digitally signed assertion stating who the user is, how and when they authenticated, and optionally attributes such as group membership; the SP validates the signature, issuer, audience and validity window before accepting it. SAML is widely used in enterprise environments to integrate different systems securely.

Passwordless authentication

Passwordless authentication eliminates traditional passwords, relying instead on methods like biometrics, one-time passcodes (OTPs), hardware tokens, or passkeys (FIDO2/WebAuthn credentials bound to a device). It removes the risk of password theft, reuse and credential stuffing and provides a smoother user experience. The security gained depends on the method: codes sent over SMS or email can still be phished or intercepted, while device-bound cryptographic credentials cannot be replayed by a phishing site.

Federated Identity Management (FIM)

Federated Identity Management allows multiple organizations to share identity information, enabling users to access resources across different domains using a single set of credentials. It is commonly used for SSO, where the identity provider and service provider are part of different systems but trust each other.

One-Time Password (OTP)

An OTP is a temporary, single-use code generated for a specific login attempt or transaction. Authenticator apps derive OTPs from a secret shared at enrolment using HOTP (a counter-based scheme, RFC 4226) or TOTP (time-based, RFC 6238); delivery by SMS or email is weaker because the code can be intercepted or redirected (SIM swapping). OTPs serve as the second factor in 2FA or MFA; the verifier must accept each code only once and compare it in constant time.
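The following is an added example, not code from the original page, implementing HOTP and TOTP in Python with only the standard library, plus a verifier that tolerates a little clock drift, rejects replayed codes and compares in constant time. It serves the 2FA, MFA and OTP entries above. The shared secret is the published test key from RFC 4226 and RFC 6238; the drift window and the replay-tracking convention (the caller stores the last accepted counter) are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, timestamp: Optional[float] = None,
                step: int = 30, window: int = 1, last_counter: int = -1) -> tuple:
    """Check a submitted code, allowing +/- `window` steps of clock drift and refusing any
    counter at or before `last_counter` so an already-used code cannot be replayed.
    Returns (accepted, counter_to_store); persist the counter on success."""
    if timestamp is None:
        timestamp = time.time()
    current = int(timestamp) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter, len(candidate))
        # constant-time comparison: an early-exit compare would leak digits via timing
        if hmac.compare_digest(expected, candidate):
            return True, counter
    return False, last_counter


# Constructed input: the shared-secret test key published in RFC 4226 / RFC 6238.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print([hotp(RFC_SECRET, c) for c in range(3)])        # RFC 4226 vectors
    print(totp(RFC_SECRET, timestamp=59, digits=8))       # RFC 6238 vector for T=59
```

Because a TOTP is just HOTP with the time step as the counter, a verifier that accepts a small drift window must also remember the last accepted counter; otherwise the same code is valid for the whole window and can be replayed by anyone who shoulder-surfed or phished it.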

Identity Federation

Identity Federation allows users to use their identity credentials across different organizations or services. It enables seamless authentication between systems without requiring users to create separate accounts for each service, usually achieved through standards like SAML or OpenID Connect (which builds on OAuth 2.0).

Identity Delegation

Identity delegation allows a user to authorize one system (a client application) to act on their behalf toward another service, without handing that system their credentials. In OAuth 2.0 and OpenID Connect the user authenticates at the authorization server or Identity Provider (IdP), which then issues the client tokens limited to the scopes the user approved; the client presents those tokens to APIs. The user still logs in themselves; what is delegated is bounded access, not authentication. This simplifies access control where one system must interact with several services on behalf of a user.

OpenID Connect

OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0 that enables Single Sign-On (SSO) and identity verification. Users authenticate with an Identity Provider (IdP), and the client application receives a signed ID token carrying standardized identity claims; it may also receive an access token for the IdP's user-info and other APIs. The client must validate the ID token's signature, issuer, audience, expiry and (when used) nonce before trusting it. OIDC is widely used for third-party login, such as Google or Facebook sign-in.
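The following is an added example, not code from the page or from any real IdP, simulating the OAuth 2.0 authorization code flow with PKCE in Python with both sides in one process: the client generates a state value and a code verifier, the authorization server binds the issued code to the client, redirect URI and code challenge, and the exchange fails if a stolen code is redeemed without the verifier. It illustrates the OAuth, Identity Delegation and OpenID Connect entries above. The client ID, redirect URI, user names and lifetimes are constructed values, and the token response is shortened to an opaque access token (a real OIDC server would also return an ID token).

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


@dataclass
class AuthorizationServer:
    """Authorization server / IdP side. `registered` maps client_id -> its redirect_uri."""
    registered: dict
    codes: dict = field(default_factory=dict)
    code_ttl: int = 60          # authorization codes are short-lived (assumed 60 s)

    def authorize(self, params: dict, user: str, now: float) -> str:
        """Front channel: the user has logged in and consented; return the redirect URL."""
        client_id = params["client_id"]
        if params["redirect_uri"] != self.registered.get(client_id):
            raise ValueError("redirect_uri is not registered for this client")
        if params.get("code_challenge_method") != "S256":
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "user": user, "scope": params["scope"],
                            "redirect_uri": params["redirect_uri"],
                            "challenge": params["code_challenge"], "expires": now + self.code_ttl}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict, now: float) -> dict:
        """Back channel: redeem code + code_verifier for tokens."""
        record = self.codes.pop(form.get("code"), None)   # single use, even if this attempt fails
        if record is None:
            raise ValueError("unknown or already-used code")
        if now > record["expires"]:
            raise ValueError("code expired")
        if (record["client_id"], record["redirect_uri"]) != (form["client_id"], form["redirect_uri"]):
            raise ValueError("code was issued to a different client or redirect_uri")
        expected = b64url(hashlib.sha256(form["code_verifier"].encode()).digest())
        if not secrets.compare_digest(expected, record["challenge"]):
            raise ValueError("PKCE verification failed")   # code without its verifier is useless
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"], "sub": record["user"]}


@dataclass
class Client:
    """Relying-party side: one state and one PKCE verifier per login attempt."""
    client_id: str
    redirect_uri: str
    pending: dict = field(default_factory=dict)   # state -> code_verifier

    def start(self, scope: str) -> dict:
        state = secrets.token_urlsafe(16)                 # ties the callback to this attempt (CSRF)
        verifier = b64url(secrets.token_bytes(32))        # 43 chars, never leaves the client
        self.pending[state] = verifier
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state, "code_challenge_method": "S256",
                "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}

    def callback(self, redirect_url: str) -> dict:
        query = parse_qs(urlparse(redirect_url).query)
        verifier = self.pending.pop(query.get("state", [None])[0], None)
        if verifier is None:
            raise ValueError("state does not match a login we started (possible CSRF)")
        return {"grant_type": "authorization_code", "code": query["code"][0],
                "redirect_uri": self.redirect_uri, "client_id": self.client_id, "code_verifier": verifier}


def run_flow(now: float = 1_700_000_000.0) -> dict:
    """Drive an honest flow end to end; the client registration is constructed, not real."""
    client = Client("demo-client", "https://app.example/callback")
    auth_server = AuthorizationServer({"demo-client": "https://app.example/callback"})
    redirect = auth_server.authorize(client.start("openid email"), user="alice", now=now)
    return auth_server.token(client.callback(redirect), now=now)
```

The user's credentials are only ever entered at the authorization server; the client ends up with a token scoped to "openid email" and nothing else, which is the delegation the entries above describe. Note that a failed PKCE check consumes the code, so an attacker who captured it from a log or referrer also denies it to the legitimate client rather than getting a second try.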

JSON Web Token (JWT)

JSON Web Token (JWT, RFC 7519) is a compact, URL-safe format for transmitting claims between parties: a base64url-encoded header, a base64url-encoded JSON payload and a signature, joined with dots. JWTs are commonly used as access tokens and ID tokens in OAuth 2.0 and OpenID Connect, where the payload carries claims (such as subject, roles or scopes) signed by the issuer so that tampering is detectable. Two caveats: a signed JWT (JWS) is not encrypted, so anyone holding it can read the claims unless it is additionally encrypted (JWE); and the verifier must pin the algorithm and key it expects rather than trusting the token's alg header, which is how the "none" algorithm and key-confusion attacks are avoided.

Access Token

An access token is a short-lived token issued by an authorization server (often the same service as the Identity Provider) after the user has authenticated and consented; it grants the client access to a specific resource or API on the user's behalf. It authorizes API calls rather than proving who the user is, and is typically sent in the Authorization: Bearer HTTP header over TLS. Its audience is the resource server, so the client should treat it as opaque and not use it as proof of the user's identity (that is the ID token's role). Its limited lifespan bounds the damage if it is stolen.

Refresh token

A refresh token is a long-lived token used to obtain a new access token when the current one expires, so the user stays signed in without logging in again or interacting. It is sent only to the authorization server, never to resource APIs. Because it is long-lived, a stolen refresh token is valuable: store it in the most protected storage available, and use refresh-token rotation (each use issues a new refresh token and invalidates the old one) so that reuse of an old token signals theft and the whole token family can be revoked.

ID token

An ID token is a security token issued by an Identity Provider (IdP) as part of the OpenID Connect (OIDC) authentication process. It contains identity information about the authenticated user, such as a stable unique identifier (the sub claim), name and email, plus the issuer, the audience (the client it was issued to), issue and expiry times and, when the client supplied one, the nonce that ties it to a specific login. It is a JSON Web Token (JWT) that the requesting application validates to establish who logged in. Unlike access tokens, which are presented to protected resources, ID tokens are meant only for the client that requested them and must not be sent to APIs as if they were access tokens.

Claims

Claims are pieces of information about an entity (typically the user) embedded in a security token such as a JSON Web Token (JWT). Claims can include the user's name, email address, roles and other attributes, or custom data related to the authentication process, alongside the standard iss (issuer), sub (subject), aud (audience), exp (expiry) and iat (issued-at) claims. Service providers use them to make authorization decisions. In OAuth or OpenID Connect, claims can be trusted only once the token's signature has been verified against a trusted issuer's key, the audience matches the verifying party and the token is within its validity window; the values are readable by anyone holding the token, so a claim is not a secret.

Scopes

Scopes define the specific permissions or access levels a client application requests during an OAuth or OpenID Connect flow (for example openid, email, or access to a calendar API). The authorization server records which of the requested scopes the user granted and encodes them in the access token, and the resource server enforces them on each request. Scopes keep an application to the minimum permissions it needs, following the principle of least privilege; they describe what the client may do, not who the user is.
