Identity Fundamentals

This guide explains the core concepts behind modern authentication and authorization.

What is IAM?

Identity and Access Management (IAM) answers two questions:

Who is this user? (Authentication)
What can they do? (Authorization)

┌─────────────────────────────────────────────────────────┐
│                    Your Application                      │
├─────────────────────────────────────────────────────────┤
│                                                          │
│   User → [Authentication] → [Authorization] → Resource  │
│           "Who are you?"    "What can you do?"          │
│                                                          │
└─────────────────────────────────────────────────────────┘

Authentication vs Authorization

Concept	Question	Example
Authentication (AuthN)	Who are you?	Login with email/password
Authorization (AuthZ)	What can you do?	Can view dashboard, cannot delete users

Key Concepts

1. OAuth 2.0

OAuth 2.0 is an authorization framework that allows applications to access resources on behalf of users without exposing their credentials.

Analogy: Instead of giving someone your house key, you give them a temporary access card that only opens certain doors.

2. OpenID Connect (OIDC)

OIDC is an identity layer on top of OAuth 2.0. While OAuth handles authorization (access to resources), OIDC handles authentication (who the user is).

OAuth 2.0        → Access Token  → "You can access the API"
OpenID Connect   → ID Token      → "You are john@example.com"

3. Tokens

Authentication systems use tokens to represent identity and permissions:

Token Type	Purpose	Contains
Access Token	Authorize API requests	User ID, scopes, expiration
ID Token	Identify the user	Email, name, profile info
Refresh Token	Get new access tokens	Long-lived, single-use

Learn more: Tokens Explained

4. Single Sign-On (SSO)

SSO allows users to log in once and access multiple applications without re-authenticating.

User logs in to Optare
        ↓
Access App A ✓ (no login needed)
Access App B ✓ (no login needed)
Access App C ✓ (no login needed)

5. Multi-Factor Authentication (MFA)

MFA requires multiple forms of verification:

Something you know - Password
Something you have - Phone, hardware key
Something you are - Fingerprint, face

The Authentication Flow

Here's what happens when a user logs in:

1. User clicks "Log In"
        ↓
2. Redirect to Optare ID
        ↓
3. User enters credentials
        ↓
4. Optare validates credentials
        ↓
5. Redirect back with authorization code
        ↓
6. Your app exchanges code for tokens
        ↓
7. User is logged in!

This is called the Authorization Code Flow - the most secure flow for web apps.

B2B vs B2C

Model	Users	Example
B2C	Individual consumers	Netflix, Spotify
B2B	Business users in organizations	Slack, Notion

Optare is designed for B2B SaaS where:

Users belong to organizations
Organizations have their own settings
Users have roles within organizations

Next Steps

Tokens Explained - Deep dive into access, ID, and refresh tokens
Multi-Tenancy - How B2B organizations work
Authentication Flows - Different auth flow types

Token Vault Marketplace Integration