Introduction to Authentication

Introduction to authentication

Authentication is the process of verifying the identity of a user: is someone or something who or what they claim to be?

Types of authentication

There are two types of authentication:

User Authentication - This is the process of verifying the identity of the end-user of your application. The Thinkwise Platform supports several methods of user authentication. You can select one in the menu Authorization > Users > tab Form > group Authentication:
- Local authentication - RDBMS (the database environment does the authentication), Kerberos, Windows
- IAM - IAM does the authentication. Users are only registered in IAM and not in the database. The password is securely stored in the IAM database.
- External (also known as Single Sign-On) - the entire authentication process is outsourced to an external identity server through OpenID Connect.
Delegated Access - This is the process of authenticating third party applications to allow them access to your application. The Thinkific Platform supports several methods of delegated access:
- Client applications - Machine-to-machine access or on behalf of an end user.
- Personal Access Tokens (PATs) - Users can give third parties access to your application on their behalf.

Which authentication method should you use?

When you are setting up authentication for your application, you need to consider the following:

Do you want to authenticate a person or an external party?
- To authenticate a person, use User Authentication.
- To authenticate an external party, use Delegated Access.
To authenticate a person, decide whether to use:
- Local authentication (RDBMS, Kerberos, Windows)
- IAM
- External authentication (Single Sign-On with OpenID Connect). See OpenID Connect.
To authenticate an external party, is that between applications or on behalf of an end user?
- Between applications, use client applications with the grant type Client Credentials. See Client applications.
- If the end user is not allowed to set up the connection to another application, use client applications with the Authorization Code variant. See Client applications.
- If the end user is allowed to set up the connection to another application, use Personal Access Tokens (PATs). See Personal Access Tokens.

Or, visually (click to enlarge):

Authentication flow diagram

Select an authentication type for a user

main administrator user administrator

To select an authentication type for a user in IAM:

menu Authorization > Users > tab Form > group Authentication

Select a user.
Select the authentication type and fill in the required fields.
- For all login and password settings for a user, see Login and password
- For IAM, also execute the task Update password to set or update the password. See also The same email address for two users.
- For Windows, further configuration is required. See Windows authentication.
- For RDBMS, also create an initial password. See Initial password.
- To specify a different authentication type for an application database, set the extended property Authentication for the application in IAM. See Extended properties.

For more information about the configuration and use of external authentication and delegated access, see:

The same email address for two users

note

Always try to prevent using the same email address for two user accounts.

If you selected IAM as the authentication type for a user, an email address can be used as a user ID. However, if that email address is also used as an email address for another user account, the user ID will be preferred over the email address.

Example:

user ID	name	email address
`dough@gmail.com`	John Dough	`jdough@mycompany.org`
joline	Joline Dough	`dough@gmail.com`

The email address dough@gmail.com exists for two user accounts; once as a user ID (for John) and once as an email address (for Joline).

John can log in with both dough@gmail.com and jdough@mycompany.org.
Joline can only log in with the user ID 'joline'.

Was this article helpful?