Introduction to Authentication
Introduction to authentication
Authentication is the process of verifying the identity of a user: is someone or something who or what they claim to be?
Types of authentication
There are two types of authentication:
-
User Authentication - This is the process of verifying the identity of the end-user of your application. The Thinkwise Platform supports several methods of user authentication. You can select one in the menu Authorization > Users > tab Form > group Authentication:
- Local authentication - RDBMS (the database environment does the authentication), Kerberos, Windows
- IAM - IAM does the authentication. Users are only registered in IAM and not in the database. The password is securely stored in the IAM database.
- External (also known as Single Sign-On) - the entire authentication process is outsourced to an external identity server through OpenID Connect.
-
Delegated Access - This is the process of authenticating third party applications to allow them access to your application. The Thinkific Platform supports several methods of delegated access:
- Client applications - Machine-to-machine access or on behalf of an end user.
- Personal Access Tokens (PATs) - Users can give third parties access to your application on their behalf.
Which authentication method should you use?
When you are setting up authentication for your application, you need to consider the following:
-
Do you want to authenticate a person or an external party?
- To authenticate a person, use User Authentication.
- To authenticate an external party, use Delegated Access.
-
To authenticate a person, decide whether to use:
- Local authentication (RDBMS, Kerberos, Windows)
- IAM
- External authentication (Single Sign-On with OpenID Connect). See OpenID Connect.
-
To authenticate an external party, is that between applications or on behalf of an end user?
- Between applications, use client applications with the grant type
Client Credentials
. See Client applications. - If the end user is not allowed to set up the connection to another application, use client applications with the
Authorization Code
variant. See Client applications. - If the end user is allowed to set up the connection to another application, use
Personal Access Tokens
(PATs). See Personal Access Tokens.
- Between applications, use client applications with the grant type
Or, visually (click to enlarge):
Authentication flow diagram
Select an authentication type for a user
main administrator user administratorTo select an authentication type for a user in IAM:
menu Authorization > Users > tab Form > group Authentication
-
Select a user.
-
Select the authentication type and fill in the required fields.
- For all login and password settings for a user, see Login and password
- For IAM, also execute the task Update password to set or update the password. See also The same email address for two users.
- For RDBMS, also create an initial password. See Initial password.
- To specify a different authentication type for an application database,
set the extended property
Authentication
for the application in IAM. See Extended properties.
For more information about the configuration and use of external authentication and delegated access, see:
The same email address for two users
Always try to prevent using the same email address for two user accounts.
If you selected IAM as the authentication type for a user, an email address can be used as a user ID. However, if that email address is also used as an email address for another user account, the user ID will be preferred over the email address.
Example:
user ID | name | email address |
---|---|---|
dough@gmail.com | John Dough | jdough@mycompany.org |
joline | Joline Dough | dough@gmail.com |
The email address dough@gmail.com
exists for two user accounts; once as a user ID (for John) and once as an email address (for Joline).
- John can log in with both
dough@gmail.com
andjdough@mycompany.org
. - Joline can only log in with the user ID 'joline'.