Authentication and authorization

apaleo connect allows hotels to connect your application with apaleo with a click of a button. For you, this means getting a new hotel connected is no work at all. Like, zero. No mapping of client credentials, no paperwork, nothing. Let’s understand authentication and authorization and how you can use the apaleo Identity API to authenticate and authorize users in your apps.

Authentication is the process of proving your identity. apaleo Identity API implements the OpenID Connect protocol for handling authentication.

Authorization is about granting an authenticated person or app the permission to do something. It specifies what data you’re allowed to access and what you can do with that data. apaleo Identity API implements the OAuth 2.0 for handling authorization.

OAuth vs. OpenID Connect: OpenID Connect is built on top of OAuth 2.0, so the terminology and flow are similar between the two. You can even both, authenticate a user (by using OpenID Connect), and get authorization to access a protected resource that the user owns (by using OAuth 2.0) in one request. For more information, see OAuth 2.0 and OpenID Connect basics.

apaleo’s Identity API can be used for both authentication and authorization. Our OAuth 2.0 implementation for authentication conforms to the OpenID Connect specification.

OAuth 2.0

The apaleo APIs use OAuth 2.0 to authenticate and authorize users to make requests. The OAuth 2.0 Framework describes patterns for granting authorization but does not define how to actually perform authentication.

Well, OpenID Connect brings some sanity to the madness. It provides a template for interoperability that makes it easy to incorporate identity management seamlessly and securely.

OpenID Connect

OpenID Connect extends the OAuth 2.0 authorization process for use as an authentication protocol so that you can do single sign-on using OAuth. It is a simple identity layer built on top of the OAuth 2.0 protocol, which allows authorization servers to authenticate users for applications and return the results in a standard way.

OpenID Connect introduces the concept of an ID token. It is a security token that allows the client to verify the identity of the user. The ID token also gets basic profile information about the user.

You must remember that OpenID Connect is just a special, simplified case of OAuth, not a replacement. It uses the same terminology and concepts.