# Glossary

This glossary defines key terms and concepts used throughout the Oten IDP Integration Guide.

## A

**Access Token** A short-lived token that grants access to protected resources. Typically expires in 15-60 minutes and is used in API calls to authenticate requests.

**API (Application Programming Interface)** A set of protocols and tools for building software applications. In the context of SSO, APIs are used to exchange tokens and retrieve user information.

**Authentication** The process of verifying who a user is. This typically involves checking credentials like username and password.

**Authorization** The process of determining what a user is allowed to do. This happens after authentication and involves checking permissions and roles.

**Authorization Code** A temporary code issued by the IDP after successful authentication. This code is exchanged for tokens and typically expires in 10 minutes.

**Authorization Server** The server that issues access tokens after successfully authenticating the user and obtaining authorization. In our case, this is Oten IDP.

## C

**Client** An application that requests access to protected resources on behalf of a user. Can be confidential (server-side) or public (client-side).

**Client ID** A public identifier for your application, issued by Oten when you register your app. Safe to include in client-side code.

**Client Secret** A private key for your application, used to authenticate your app to the authorization server. Must be kept secure and only used in server-side code.

**CORS (Cross-Origin Resource Sharing)** A mechanism that allows web pages to make requests to a different domain than the one serving the page. Important for SPA implementations.

**CSRF (Cross-Site Request Forgery)** A type of attack where unauthorized commands are transmitted from a user that the web application trusts. Prevented using the state parameter.

## F

**Federated Identity** A system where user identities are shared across multiple organizations or systems through trust relationships.

**Flow** The sequence of steps in an OAuth 2.0 authentication process. Common flows include Authorization Code Flow and Implicit Flow.

## I

**ID Token** A JWT that contains claims about the authenticated user. Used in OpenID Connect to provide identity information to the application.

**IDP (Identity Provider)** A service that manages user identities and provides authentication services. Oten IDP is our identity provider.

**Implicit Flow** An OAuth 2.0 flow where tokens are returned directly in the URL fragment. Less secure than Authorization Code Flow and generally deprecated.

## J

**JWT (JSON Web Token)** A compact, URL-safe token format that contains claims about a user. Used for ID tokens and sometimes access tokens.

**JWKS (JSON Web Key Set)** A set of public keys used to verify JWT signatures. Oten publishes its JWKS at a well-known endpoint.

## O

**OAuth 2.0** An authorization framework that enables applications to obtain limited access to user accounts. The foundation for modern SSO implementations.

**OIDC (OpenID Connect)** An identity layer built on top of OAuth 2.0 that provides authentication and user information through ID tokens.

## P

**PKCE (Proof Key for Code Exchange)** A security extension to OAuth 2.0 that prevents authorization code interception attacks. Required for public clients like SPAs and mobile apps. See the [PKCE Implementation Guide](https://gitlab.silvertiger.tech/documents/idp/-/blob/main/developer-guide/pkce-implementation-guide.md) for complete implementation details.

**Public Client** An OAuth 2.0 client that cannot securely store credentials. Examples include single-page applications and mobile apps.

## R

**Redirect URI** The URL where users are sent after authentication. Must be registered with Oten and match exactly in OAuth requests.

**Refresh Token** A long-lived token used to obtain new access tokens when they expire. Helps maintain user sessions without requiring re-authentication.

**Resource Server** A server that hosts protected resources and accepts access tokens. Your application's API endpoints act as resource servers.

## S

**Scope** Defines the level of access that an application is requesting. Common scopes include 'openid', 'profile', and 'email'.

**SPA (Single Page Application)** A web application that loads a single HTML page and dynamically updates content. Examples include React, Vue, and Angular applications.

**SSO (Single Sign-On)** An authentication method that allows users to log in once and access multiple applications without re-entering credentials.

**State Parameter** A random value used to prevent CSRF attacks in OAuth flows. Generated by the client and validated when the user returns.
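The PKCE and State Parameter entries both describe values the client generates before redirecting the user and checks when the user returns. The following Python is an added illustration of both mechanisms; it is not code from this guide or from Oten IDP. The issuer endpoint, client ID and redirect URI are assumed placeholders, and the `session` dictionary stands in for whatever per-user storage the client actually uses.

```python
"""PKCE (RFC 7636, S256 method) and the OAuth state parameter.

Added example, not Oten IDP code. Endpoint and client values below are
assumed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

# Assumed placeholder values; replace with the values Oten issued for your app.
AUTHORIZE_ENDPOINT = "https://idp.example.invalid/oauth2/authorize"
CLIENT_ID = "example-spa-client"
REDIRECT_URI = "https://app.example.invalid/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, inside the 43..128 range."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_state() -> str:
    """Unguessable per-request state value (128 bits of entropy)."""
    return b64url(secrets.token_bytes(16))


def begin_authorization(session: dict) -> dict:
    """Client side: generate state and verifier, remember them, build the URL.

    Returns the authorize URL plus the state and challenge it carries.
    """
    state = make_state()
    verifier = make_code_verifier()
    # Key the pending request by state so a callback can only recover the
    # verifier belonging to the request it started.
    session.setdefault("pending", {})[state] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    url = f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"
    return {"url": url, "state": state, "code_challenge": params["code_challenge"]}


def handle_callback(session: dict, returned_state: str) -> Optional[str]:
    """Client side: accept the callback only if state matches a pending request.

    Returns the matching code_verifier (sent to the token endpoint with the
    authorization code) or None. The entry is consumed so the same state
    cannot be replayed.
    """
    pending = session.get("pending", {})
    for state, verifier in pending.items():
        if hmac.compare_digest(state, returned_state):
            del pending[state]
            return verifier
    return None


def verify_code_challenge(verifier: str, stored_challenge: str) -> bool:
    """Authorization-server side, at the token endpoint: recompute the
    challenge recorded with the authorization code and compare it in
    constant time."""
    return hmac.compare_digest(code_challenge_s256(verifier), stored_challenge)


if __name__ == "__main__":
    session = {}
    request = begin_authorization(session)
    print("redirect user to:", request["url"])
    # Simulated callback carrying the same state value.
    verifier = handle_callback(session, request["state"])
    print("state accepted:", verifier is not None)
    print("challenge verified:", verify_code_challenge(verifier, request["code_challenge"]))
```

The state lookup and the challenge comparison both use `hmac.compare_digest` so that a mismatch is not detectable through timing, and a pending entry is deleted as soon as it is matched, which is what stops a captured callback URL from being replayed.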

## T

**Token** A string that represents authorization to access resources. Types include access tokens, refresh tokens, and ID tokens.

**Token Endpoint** The Oten endpoint where authorization codes are exchanged for tokens. Used in the server-to-server communication.

**Two-Factor Authentication (2FA)** An additional security layer that requires users to provide a second form of identification beyond their password.

## U

**User Agent** The client application that acts on behalf of the user, typically a web browser or mobile app.

**UserInfo Endpoint** An OAuth 2.0 endpoint that returns claims about the authenticated user when presented with a valid access token.

## W

**Workspace** A logical grouping within Oten that represents an organization, project, or environment. Users can belong to multiple workspaces.

***

## Common Acronyms

| Acronym | Full Term                         | Description                            |
| ------- | --------------------------------- | -------------------------------------- |
| API     | Application Programming Interface | Set of protocols for building software |
| CORS    | Cross-Origin Resource Sharing     | Browser security feature               |
| CSRF    | Cross-Site Request Forgery        | Type of security attack                |
| IDP     | Identity Provider                 | Authentication service                 |
| JWT     | JSON Web Token                    | Token format                           |
| JWKS    | JSON Web Key Set                  | Public key collection                  |
| OAuth   | Open Authorization                | Authorization framework                |
| OIDC    | OpenID Connect                    | Identity layer on OAuth                |
| PKCE    | Proof Key for Code Exchange       | Security extension                     |
| SPA     | Single Page Application           | Type of web application                |
| SSO     | Single Sign-On                    | Authentication method                  |
| 2FA     | Two-Factor Authentication         | Additional security layer              |

***

## Related Standards and RFCs

* **RFC 6749**: OAuth 2.0 Authorization Framework
* **RFC 7636**: Proof Key for Code Exchange (PKCE)
* **RFC 7519**: JSON Web Token (JWT)
* **RFC 7517**: JSON Web Key (JWK)
* **OpenID Connect Core 1.0**: Identity layer specification

***

**Need clarification on any term?** Contact our [Support Team](https://gitlab.silvertiger.tech/documents/idp/-/blob/main/support/contact-support.md) for additional help.

