Caching Authentication Context

This article explains the concept of stateful authorization in Cloudentity and the motivation behind it. It also gives short instructions on how to enable the feature per identity provider (IDP) in the Cloudentity admin portal.

Stateless Authentication Recap

Here is how Cloudentity handles the authentication flow, in a nutshell:

  1. The user launches an application (an OAuth client).
  2. To get access to APIs, the application requests a token from Cloudentity.
  3. Cloudentity redirects the user to the IDP to log in.
  4. The user gets authenticated at the IDP.
  5. The IDP responds to Cloudentity with the authentication result, including the user's attributes.
  6. Cloudentity maps the data returned by the IDP to its own attributes and issues a token.

Because Cloudentity is stateless by default and caches no user data, it must call the IDP every time the user has to be re-authenticated within a single session, for example when the application requests a token with an additional scope.

Stateful Authorization with Cloudentity

The stateful authorization feature lets Cloudentity store the user's authentication data, including the login status, locally. With the feature enabled, Cloudentity caches this authentication context and can issue multiple tokens during a single user session without sending the user back to the IDP.

Stateful authorization makes token issuance noticeably more efficient: it removes the latency and load caused by repeated round trips to the IDP. Note the trade-off: while the cached context is valid, Cloudentity does not contact the IDP again for that session, so choose a cache time that matches how often you need users to re-authenticate.

Dynamic Auth Flows

Recent trends in standards for token-based access control lean toward fine-grained token issuance and favor short-lived tokens issued for a specific purpose.

Stateful authorization is particularly valuable in dynamic authN/authZ flows. Unlike traditional flows, dynamic flows support multiple access tokens per client application session. In a traditional flow, the client requests a token when the user launches the app and keeps using that token with its initial list of scopes. In a dynamic flow, the client application can request multiple tokens during one session, each for accessing a different application component. This so-called intent-based authentication is common in online payment services and goes together with the use of dynamic scopes. Without a cached authentication context, every one of these token requests would cost a separate IDP round trip.
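The following model, added here as an illustration and not Cloudentity's own code, shows what a per-session authentication context cache does to the flow above. A fake IDP counts its round trips; the authorization server either re-authenticates on every token request (cache time 0, the stateless default) or reuses the cached context until the configured time expires. All class names, the session-keyed cache layout, the user "alice" and the sample scopes are constructed for the example; the cache time is the same value you set in the procedure below.

```python
"""Model of authentication context caching (added example, not Cloudentity code).

Assumptions (not from the page): class and field names, the session-keyed
cache layout, the sample user and scopes are all constructed for illustration.
"""
import time
from dataclasses import dataclass


@dataclass
class AuthnContext:
    """What the IDP hands back after a successful login."""
    subject: str
    attributes: dict
    auth_time: float


class FakeClock:
    """Injectable clock so cache expiry can be driven deterministically."""
    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeIDP:
    """Stand-in for an external identity provider; counts round trips."""
    def __init__(self, clock):
        self.clock = clock
        self.calls = 0

    def authenticate(self, session_id):
        # In reality the user logs in interactively here; we return a constructed user.
        self.calls += 1
        return AuthnContext(subject="alice",
                            attributes={"email": "alice@example.com"},
                            auth_time=self.clock())


class AuthorizationServer:
    """Issues tokens; caches the IDP's answer per session for cache_ttl_seconds."""
    def __init__(self, idp, cache_ttl_seconds, clock=time.time):
        self.idp = idp
        self.ttl = cache_ttl_seconds  # 0 means caching is disabled (stateless)
        self.clock = clock
        self._cache = {}  # session_id -> (AuthnContext, expires_at)

    def issue_token(self, session_id, scope):
        ctx = self._cached_context(session_id)
        if ctx is None:
            ctx = self.idp.authenticate(session_id)
            if self.ttl > 0:
                self._cache[session_id] = (ctx, self.clock() + self.ttl)
        return {
            "sub": ctx.subject,
            "scope": scope,
            "email": ctx.attributes["email"],
            # auth_time is the original login time, not the token issue time
            "auth_time": int(ctx.auth_time),
            "iat": int(self.clock()),
        }

    def _cached_context(self, session_id):
        entry = self._cache.get(session_id)
        if entry is None:
            return None
        ctx, expires_at = entry
        if self.clock() >= expires_at:
            del self._cache[session_id]  # expired: force a fresh IDP round trip
            return None
        return ctx


def run_scenarios():
    """Count IDP round trips for stateless vs. stateful configurations."""
    results = {}
    scopes = ("openid", "payments:initiate", "accounts:read")

    # Cache time 0: feature disabled, every token request hits the IDP.
    clock = FakeClock()
    idp = FakeIDP(clock)
    authz = AuthorizationServer(idp, cache_ttl_seconds=0, clock=clock)
    for scope in scopes:
        authz.issue_token("sess-A", scope)
    results["stateless_idp_calls"] = idp.calls

    # Cache time 300 s: three tokens in one session cost one IDP round trip.
    clock = FakeClock()
    idp = FakeIDP(clock)
    authz = AuthorizationServer(idp, cache_ttl_seconds=300, clock=clock)
    tokens = [authz.issue_token("sess-A", scope) for scope in scopes]
    results["stateful_same_session_idp_calls"] = idp.calls
    results["cached_auth_time_preserved"] = len({t["auth_time"] for t in tokens}) == 1

    # The cache is keyed by session: a second session still authenticates.
    authz.issue_token("sess-B", "openid")
    results["stateful_other_session_idp_calls"] = idp.calls

    # After the cache time elapses the user is sent back to the IDP.
    clock.advance(301)
    authz.issue_token("sess-A", "openid")
    results["stateful_after_expiry_idp_calls"] = idp.calls
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Two design points worth carrying over to a real deployment: the cache is keyed by the user's session, never by username alone, so one user's cached login cannot be reused from another browser session; and tokens minted from the cache keep the original auth_time, which is what lets a resource server decide whether the login is recent enough for a sensitive operation.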

Enable Stateful Authz in Cloudentity

Note

In Cloudentity, the stateful authorization feature is disabled by default.

In the Cloudentity portal, you enable stateful authorization per IDP and configure how long the user's data stays cached in Cloudentity. To enable the feature, follow the procedure below.


Procedure

  1. Select Identity Data > Identity Providers from the sidebar.

  2. In the Identities view, select an identity provider (IDP) that you want to configure.

  3. Select the Authentication Context Caching toggle.

  4. Set the time for keeping the user’s data cached in Cloudentity.

    Note

    Set a non-zero cache time. A value of zero disables the feature.

  5. Select Save.

Further Reading