Glossary

ABAC is an evolution of RBAC (role-based access control). RBAC works well in small, simple deployments but tends to fail when you need to scale up or when you have relationships.  For example, allow users in the author role to edit documents, but only if they are in the same department as the creator.

ABAC is policy-based in the sense that it uses policies rather than static permissions to define what is allowed or what is not allowed.

Other examples include:

• A user can view a document if the document is in the same department as the user
• A user can edit a document if they are the owner and if the document is in draft mode
• Deny access before 9am

Abbreviated Language for Authorization, created by Pablo Giambiagi to provide a human-readable form of OASIS XACML format for defining ABAC policies.  See Wikipedia for more details

ASP.NET is an open source web framework developed by Microsoft. It lets developers create modern websites and applications.

Client to Authenticator Protocol (CTAP) is a FIDO standard that defines an application layer protocol for communicating with external FIDO authenticators (security keys).

FIDO is a modern standard for user authentication. A FIDO authenticator allows the generation of a cryptographic private/public key pair. Unlike password-based systems where a shared secret (password) is held by both users and the website, the private key never leaves the user’s possession.

A single sign-on open-source framework that enables you ASP.NET Core website to act as an OpenID Provider and OAuth authorization server.

JSON Web Token (JWT, sometimes pronounced JOT) is an internet standard for creating structured, JSON-based tokens. OAuth access tokens are typically JWTs and must be signed by the issuer using a private key and validated by the recipient using a public key, to verify integrity.

The National Institute of Standards and Technology (NIST) is a US standards body, that encompasses topics such as cryptography and web security.

A protected resource is something that is protected by an OAuth authorization server, such as IdentityServer. A protected resource is typically an HTTP API.

Role Based Access Control, provides a security model of assigning users and permissions to a role.  All users of a given role obtain the permissions associated with the role.  RBAC works well for coarse-grained access control.  

SaaS means Software-as-a-service but is also known as "on-demand software". SaaS products are typically licensed on a subscription basis. SaaS is hosted centrally in the cloud to reduce the need to download or self-host these applications and websites.

SSO refers to Single Sign-On. SSO is a user authentication service, which lets a user log in with one set of credentials to multiple applications or websites.

A Trusted Platform Module is a chipset mounted onto the motherboard of the computer. It is an international standard for a secure cryptoprocessor a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.

Two-Factor Authentication (2FA) adds another layer of security to protect an account or system. Users must authenticate using two different factors, such as something you know (a password), something you are (biometrics), and something you have (a FIDO security key).

Also known as Multi-Factor Authentication (MFA)

Universal Second Factor (U2F) is the original technology behind FIDO1. FIDO2 builds upon U2F with wider support and the W3C standard WebAuthn.

WebAuthn is a W3C standard and part of FIDO2. WebAuthn is a JavaScript built into most browsers that allow a FIDO relying party or server, to challenge a FIDO authenticator to register or authenticate.

EXtensible Access Control Markup Language.  Created by OASIS, provides a serialization format for defining Attribute-based Access Control (ABAC) policies.