Identity & Access Management

Authentication vs Authorization

• Authentication (AuthN): Who are you?
• Authorization (AuthZ): What can you do?

OAuth 2.0 Flows

Authorization Code (Web Apps)

User -> App -> Auth Server -> User Login
User -> Auth Server -> App (code)
App -> Auth Server (code + secret) -> tokens

PKCE (Mobile/SPA)

Like Authorization Code but with code verifier/challenge instead of secret.