Strategies
Strategies are the way Security Portal can authenticate a user. They provide the interface between Security Portal and the Identity Management System where the user credentials and security information exist.
Multiple strategies can be configured simultaneously for the same tenant, increasing the number of authentication sources without the need for complex configuration.
Supported Strategies
At this moment, the supported strategies are:
On top of these strategies, the currently supported 2-factor authentication mechanisms are:
- Static PIN
- TOTP Code
The system is designed so that the client-side structure used for connections to the Security Portal can be extended. Currently, the use of JSON Web Tokens allows flexible configuration of the authorization handling procedures.
In the approach implemented by Critical Manufacturing, a frontend server (an authorization server and an OpenID provider) uses a backend service which provides APIs to help the frontend server implement OAuth 2.0 and OpenID Connect. One of the main advantages of this architectural pattern is that the core part of the OAuth 2.0 and OpenID Connect implementation is clearly separated from other technical components such as identity management, user authentication, login session management, API management and fraud detection. This way, any customer can develop different platforms for authorization of their own clients using the Security Portal, provided that the supplied methods for remote authorization are used in their own implementations. OpenID Connect is then used to provide a secure mechanism for an application to contact an identity service, retrieve details about a specific user, and return them to the application securely.
The use of JSON Web Tokens (JWT) allows flexible and secure transmission of information across network boundaries. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
More information can be gathered through these web pages: