May 30, 2008

Delegated Authentication or Delegated Authorization?

Some people think that the Live ID Team accidentally chose the wrong name when we released the Windows Live ID Delegated Authentication (DelAuth) SDK back in February, but in actuality a lot of thought and consideration went into that choice of name.

For the public record, let me explain the reasons (in no particular order) why we ended up calling it authentication (authN) rather than authorization (authZ).

  • In reality, DelAuth covers aspects of both authentication (authN) and authorization (authZ).
  • A user grants consent for a third-party application provider to act on their behalf (which is really authZ).
    Then, when the app wants to perform those actions on the user's behalf, the app needs to authenticate itself to the resource provider (in some manner).
    The app authenticates itself (authN) to the resource provider by presenting a ticket - similar in concept to a user authentication token, but in the case of DelAuth the Delegation Token is used.
  • The Delegation Token identifies and proves the binding of the tuple: (app, user, action).
    It's the subsequent interpretation of the action component by the resource provider that is the real authZ part of this picture.
  • It is fully expected that a resource provider will perform additional authorization checks (authZ) beyond checking the action in the DelAuth ticket - and that's exactly what Live Contacts does with its fine-grained permission / privacy model, for example.
  • There is a nice symmetry in the Live ID authentication models with the current naming conventions:

So, one could easily argue that Delegated Authorization would be equally inappropriate, because it doesn't account for the authN part of the above picture!

Luckily the short form of the name (DelAuth) is ambiguous about whether the "auth" part refers to authN or authZ, so if it helps you can read it whichever way you feel most comfortable with. :-)
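To make the authN/authZ split described above concrete, here is an added toy model of the flow (example code written for this page, not the Live ID team's code and not the DelAuth wire format). It assumes a shared secret between the token issuer and the resource provider, the action names "Contacts.View" / "Contacts.Update", an app identity "app123" and a user "alice" with a constructed contacts list; all of those are made-up stand-ins. The consent step mints a token binding (app, user, action); the resource provider first authenticates that token (is it genuine, untampered, unexpired, and bound to this app and user?) and only then interprets the action and applies its own per-contact privacy checks on top.

```python
import hashlib
import hmac
import json
import time

# Constructed for this example: a secret shared by the token issuer (identity
# provider) and the resource provider. Not real Live ID key material.
ISSUER_KEY = b"example-shared-secret-not-real"

# Assumed action names and the operations they permit; the real DelAuth offer
# names are not reproduced here.
ACTION_TO_OPERATION = {"Contacts.View": "read", "Contacts.Update": "write"}

# Constructed sample data: a contacts store with per-contact privacy settings,
# standing in for the "fine-grained permission / privacy model" of a provider.
CONTACTS = {
    "alice": [
        {"name": "Bob", "email": "bob@example.com", "share_with_apps": True},
        {"name": "Carol", "email": "carol@example.com", "share_with_apps": False},
    ]
}


def issue_delegation_token(app_id, user_id, action, consented, ttl=3600):
    """Consent step (the user's authZ decision): mint a token binding
    (app, user, action). Refuses to mint anything without consent."""
    if not consented:
        raise PermissionError("user did not grant consent")
    claims = {"app": app_id, "user": user_id, "action": action,
              "exp": int(time.time()) + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def verify_delegation_token(token, now=None):
    """AuthN step at the resource provider: prove the presented token is
    genuine and unexpired. Returns the bound (app, user, action) tuple, or
    None if the token is malformed, forged, tampered with, or expired."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if (now if now is not None else time.time()) >= claims["exp"]:
        return None
    return claims["app"], claims["user"], claims["action"]


def resource_provider_request(token, requesting_app, operation, owner, now=None):
    """Handle an app's request: authN via the token, then authZ on top of it.
    `requesting_app` is assumed to have been established by the app's own
    credentials to the provider (out of scope here)."""
    bound = verify_delegation_token(token, now)
    if bound is None:
        return {"status": 401, "reason": "invalid or expired delegation token"}
    app, user, action = bound
    # The token proves what the issuer bound; the provider must still check
    # that binding matches the app and user involved in this request.
    if app != requesting_app or user != owner:
        return {"status": 403, "reason": "token not bound to this app/user"}
    # Interpreting the action component: the real authZ decision.
    if ACTION_TO_OPERATION.get(action) != operation:
        return {"status": 403,
                "reason": f"token action {action} does not permit {operation}"}
    # Additional authZ beyond the token: per-contact privacy settings.
    visible = [c for c in CONTACTS.get(user, []) if c["share_with_apps"]]
    return {"status": 200, "contacts": visible}


if __name__ == "__main__":
    tok = issue_delegation_token("app123", "alice", "Contacts.View", consented=True)
    print(resource_provider_request(tok, "app123", "read", "alice"))
    print(resource_provider_request(tok, "app123", "write", "alice"))
```

Note that a token whose action field is edited by the app fails at the authN step (the MAC no longer verifies), while a genuine token used for an operation it does not cover fails at the authZ step; the two failure modes map directly onto the two halves of the "DelAuth" name.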

Entry categories: Live ID
Posted by Jorgen Thelin at May 30, 2008 06:00 PM - [PermaLink]