This documentation uses a certain terminology that you should be aware of.
The IdentityServer is an OpenID Connect provider – it implements the OpenID Connect and OAuth 2.0 protocols. Different literature uses different terms for the same role – you will probably also find security token service, identity provider, authorization server, IP-STS and more. In a nutshell they are all the same: a piece of software that issues security tokens to clients.
The IdentityServer is an embedded part of BiG EVAL and has a number of jobs regarding the security implementation of BiG EVAL:
- protect resources
- authenticate users
- provide session management and single sign-on
- manage and authenticate clients
- issue identity and access tokens to clients
- validate tokens
A user is a human who uses the BiG EVAL frontend to access the features and resources.
A client is a piece of software – either a script or a compiled program – that interacts with resources. A client must first be registered in BiG EVAL and needs to obtain an access token before it is able to access resources.
Examples of clients are:
- PowerShell Scripts
- Applications (.NET / JS / or anything else that is able to establish HTTP-communication)
- SSIS-Packages (or other Integration-Software-Flows)
A resource is an object of BiG EVAL (e.g. Test, Suite, Testresult etc.) that is protected by the IdentityServer. During the authentication and authorization process, the client requests access to resources.
Depending on its security permissions, a client is able to create, update or delete resources.
Every resource has a unique name – and clients use this name to specify which resources they want to access.
An identity token represents the outcome of an authentication process. It contains at a bare minimum an identifier for the user (the sub claim, also known as the subject claim) and information about how and when the user authenticated. It can contain additional identity data.
An access token allows access to an API resource. Clients request access tokens and forward them to the API. Access tokens contain information about the client. The API uses that information to authorize access to its data.
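The two token types and the client/resource relationship described above, as an added example that is not part of the BiG EVAL documentation or product: a constructed issuer signs an identity token (for a user) and an access token (for a registered client), and the receiving side verifies signature, expiry and audience before reading any claim. The API side then maps the requested action on a resource to a required scope. The token format (compact JWT with HS256), the shared key, the issuer URL, the audience names, the client id and the scope names are all assumptions for illustration; BiG EVAL's real token contents and key material are not shown on this page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: a shared HMAC key standing in for the issuer's signing key.
# Hypothetical value, not BiG EVAL's key material.
SIGNING_KEY = b"example-signing-key-do-not-reuse"

# Hypothetical mapping from an action on a resource to the scope that permits it.
REQUIRED_SCOPE = {"read": "tests.read", "create": "tests.write",
                  "update": "tests.write", "delete": "tests.write"}


def b64url(data):
    """Base64url without padding, as used in compact JWT serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims):
    """Serialise a claims dictionary into the JWT payload segment."""
    return b64url(json.dumps(claims, separators=(",", ":")).encode())


def issue_token(claims):
    """Issuer side: build a compact JWT and sign header.payload with HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = encode_claims(claims)
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_token(token, expected_audience, now=None):
    """Receiver side: check signature, expiry and audience before trusting any claim."""
    now = time.time() if now is None else now
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    # Constant-time comparison; a modified payload no longer matches the signature.
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # An identity token issued to the frontend must not be accepted by the API.
    if expected_audience not in audiences:
        raise ValueError("token not issued for this audience")
    return claims


def build_sample_tokens(now):
    """Constructed pair: identity token for a user, access token for a registered client."""
    identity_claims = {
        "iss": "https://idsrv.example",    # hypothetical issuer URL
        "aud": "frontend",                 # hypothetical client id of the frontend
        "sub": "user-42",                  # who authenticated
        "auth_time": now - 5,              # when
        "amr": ["pwd"],                    # how (password)
        "exp": now + 300,
    }
    access_claims = {
        "iss": "https://idsrv.example",
        "aud": "bigeval-api",              # hypothetical API resource name
        "client_id": "powershell-loader",  # hypothetical registered client
        "scope": "tests.read tests.write",
        "exp": now + 3600,
    }
    return issue_token(identity_claims), issue_token(access_claims)


def user_from_identity_token(id_token, now=None):
    """What the frontend reads from an identity token: who authenticated, how and when."""
    claims = verify_token(id_token, "frontend", now)
    return {"subject": claims["sub"], "auth_time": claims["auth_time"], "methods": claims["amr"]}


def authorize(access_token, action, now=None):
    """API side: verify the access token, then check the scope needed for the action."""
    claims = verify_token(access_token, "bigeval-api", now)
    granted = set(claims.get("scope", "").split())
    needed = REQUIRED_SCOPE[action]
    return {"client": claims["client_id"], "needed": needed, "allowed": needed in granted}


if __name__ == "__main__":
    current = int(time.time())
    id_token, access_token = build_sample_tokens(current)
    print(user_from_identity_token(id_token, current))
    print(authorize(access_token, "delete", current))
```

The design point is that the same verification routine serves both token types, but the audience check keeps them apart: the frontend accepts only tokens addressed to it, and the API accepts only access tokens addressed to the API resource, so a captured identity token cannot be replayed against the API even though it carries a valid signature.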