[MUSIC] Stuart Kwan: Hi. My name’s Stuart Kwan and I’m a Program Manager on the Azure Active Directory team and in this video, we’re going to look at some of the basic concepts of modern authentication. Now before modern authentication existed, you would have a client and a server and usually what would happen is a user who is using the client would do something like present a name and password to the server. And this was cumbersome because if there were many servers, the user would have to present their name and password to many servers. Many servers would need to know the name and password. Often, you would end up with multiple names and different names and passwords across all these different servers. So with modern authentication, we introduce a new player in the setup, a thing called an identity provider. And what we’re trying to do changes; we’re no longer going to send a name and password to the server. Instead, the client is going to go and get a thing called a security token from the identity provider. And the way that it does that might be by say presenting a name and password to the identity provider. It might be by using a smart card. It might be by using an authenticator app on a phone. It doesn’t matter. However, there is a contract between the client and the identity provider. We can get this thing called a security token from the identity provider and then the client presents that security token to the server. The server is then able to take that security token and validate that it’s a legitimate security token because the server has a trust relationship with the identity provider. And that trust relationship says that this server can either say send the token to the identity provider to get it validated or simply knowledge of the identity provider’s sign-in key is enough to check the cryptographic signature on the token. So, actually, what is a token? A token is a signed document, a cryptographically signed document, and it contains these things about the person using the client that are called claims. And claims are simply information about that identity that’s calling the server, and it doesn’t actually have to be a person. It could be a device. It could be a software process, any of these things are an identity that might be acting at the server. So, claims are just attribute value pairs that are information about the identity that’s using the service. There are actually a couple of claims that you’re going to find really commonly in many of these interactions. One of these claims is called the subject. And the subject is usually an immutable, nonreusable identifier that identifies that identity of the caller who’s using the client to call the server. And I say it’s immutable and nonreusable because something like my name could change over time, whereas my identity hasn’t changed despite the fact that my name is changed. So, the subject is that rename safe variant that refers to me. Another claim that’s really interesting or set of claims are things like the issued at claim, which talks about when the token was issued or the expiration, which says when the token is no longer valid. There’s one more claim that is found in most tokens that’s really important to understand and it’s a thing called the audience. The audience claim tells this server that this token is for it and not some other server, like let’s say this is server 1, but there’s also a server 2, server 3, server N in the environment. If there was no audience in the token and I received a token about some subject at server 1, what stops me from simply forwarding that token to some other server and pretending to be whoever that identity was at the client? The audience claim prevents that from happening because if I ever receive a token and the audience isn’t written to me, then I know to just throw the token on the floor. So, these are some of the basic concepts in modern authentication. Actual concrete usage depending on what kind of client and what kind of server we’re using, we’re going to see different exact protocol flows that we’ll look at in subsequent videos. But for now, that’s been a quick look at the concepts of modern authentication.
