Glossary

This glossary defines key terms and concepts used throughout the Oten IDP Integration Guide.

A

Access Token
    A short-lived token that grants access to protected resources. Typically expires in 15-60 minutes and is used in API calls to authenticate requests.

API (Application Programming Interface)
    A set of protocols and tools for building software applications. In the context of SSO, APIs are used to exchange tokens and retrieve user information.

Authentication
    The process of verifying who a user is. This typically involves checking credentials such as a username and password.

Authorization
    The process of determining what a user is allowed to do. This happens after authentication and involves checking permissions and roles.

Authorization Code
    A temporary code issued by the IDP after successful authentication. This code is exchanged for tokens and typically expires in 10 minutes.

Authorization Server
    The server that issues access tokens after successfully authenticating the user and obtaining authorization. In our case, this is Oten IDP.

C

Client
    An application that requests access to protected resources on behalf of a user. Can be confidential (server-side, able to keep a secret) or public (client-side, unable to keep a secret).

Client ID
    A public identifier for your application, issued by Oten when you register your app. Safe to include in client-side code.

Client Secret
    A confidential credential for your application, used to authenticate your app to the authorization server. Must be kept secure and used only in server-side code; never embed it in a browser or mobile app.

CORS (Cross-Origin Resource Sharing)
    A browser mechanism that lets a server declare which other origins may read its responses, so that web pages can make requests to a domain other than the one serving the page. Important for SPA implementations.

CSRF (Cross-Site Request Forgery)
    A type of attack where unauthorized commands are transmitted from a user that the web application trusts. In OAuth flows it is mitigated using the state parameter.

F

Federated Identity
    A system where user identities are shared across multiple organizations or systems through trust relationships.

Flow
    The sequence of steps in an OAuth 2.0 authorization process. Common flows include Authorization Code Flow and Implicit Flow.

I

ID Token
    A JWT that contains information about the authenticated user. Used in OpenID Connect to provide identity information to the application.

IDP (Identity Provider)
    A service that manages user identities and provides authentication services. Oten IDP is our identity provider.

Implicit Flow
    An OAuth 2.0 flow where tokens are returned directly in the URL fragment. Less secure than Authorization Code Flow and generally deprecated.

J

JWT (JSON Web Token)
    A compact, URL-safe token format that carries signed claims about a user. Used for ID tokens and sometimes access tokens.

JWKS (JSON Web Key Set)
    A set of public keys used to verify JWT signatures. Oten publishes its JWKS at a well-known endpoint.

O

OAuth 2.0
    An authorization framework that enables applications to obtain limited access to user accounts. The foundation for modern SSO implementations.

OIDC (OpenID Connect)
    An identity layer built on top of OAuth 2.0 that provides authentication and user information through ID tokens.

P

PKCE (Proof Key for Code Exchange)
    A security extension to OAuth 2.0 that prevents authorization code interception attacks. Required for public clients such as SPAs and mobile apps. See the PKCE Implementation Guide for complete implementation details.

Public Client
    An OAuth 2.0 client that cannot securely store credentials. Examples include single-page applications and mobile apps.

R

Redirect URI
    The URL where users are sent after authentication. Must be registered with Oten and match exactly in OAuth requests.

Refresh Token
    A long-lived token used to obtain new access tokens when they expire. Helps maintain user sessions without requiring re-authentication.

Resource Server
    A server that hosts protected resources and accepts access tokens. Your application's API endpoints act as resource servers.

S

Scope
    Defines the level of access that an application is requesting. Common scopes include 'openid', 'profile', and 'email'.

SPA (Single Page Application)
    A web application that loads a single HTML page and dynamically updates content. Examples include React, Vue, and Angular applications.

SSO (Single Sign-On)
    An authentication method that allows users to log in once and access multiple applications without re-entering credentials.

State Parameter
    A random, unguessable value used to prevent CSRF attacks in OAuth flows. Generated by the client before redirecting to the IDP and validated when the user returns to the redirect URI.

T

Token
    A string that represents authorization to access resources. Types include access tokens, refresh tokens, and ID tokens.

Token Endpoint
    The Oten endpoint where authorization codes are exchanged for tokens. Used in server-to-server communication.

Two-Factor Authentication (2FA)
    An additional security layer that requires users to provide a second form of identification beyond their password.

U

User Agent
    The software that acts on the user's behalf during the flow, typically a web browser or mobile app.

UserInfo Endpoint
    An OpenID Connect endpoint, built on OAuth 2.0, that returns claims about the authenticated user when presented with a valid access token.

W

Workspace
    A logical grouping within Oten that represents an organization, project, or environment. Users can belong to multiple workspaces.


Common Acronyms

Acronym   Full Term                           Description
-------   ---------------------------------   -------------------------------------
API       Application Programming Interface   Set of protocols for building software
CORS      Cross-Origin Resource Sharing       Browser security feature
CSRF      Cross-Site Request Forgery          Type of security attack
IDP       Identity Provider                   Authentication service
JWT       JSON Web Token                      Token format
JWKS      JSON Web Key Set                    Public key collection
OAuth     Open Authorization                  Authorization framework
OIDC      OpenID Connect                      Identity layer on OAuth
PKCE      Proof Key for Code Exchange         Security extension
SPA       Single Page Application             Type of web application
SSO       Single Sign-On                      Authentication method
2FA       Two-Factor Authentication           Additional security layer


  • RFC 6749: OAuth 2.0 Authorization Framework

  • RFC 7636: Proof Key for Code Exchange (PKCE)

  • RFC 7519: JSON Web Token (JWT)

  • RFC 7517: JSON Web Key (JWK)

  • OpenID Connect Core 1.0: Identity layer specification


Need clarification on any term? Contact our Support Team for additional help.