Access Control
Federated authentication is neither a new nor a unique concept. For instance, users of TweetPhoto do not need to create a separate account to log in; we can instead use our account from one of several popular social sites to log in at TweetPhoto, even though they are all separate and distinct companies.
When the Sign in with Twitter button is clicked, we're transferred to Twitter, and the URL contains an authentication token in the query string. We'll look more at the OAuth protocol and these tokens later in this chapter, but suffice it to say for now that Twitter is the identity provider of the Twitterverse.
As an additional step, Twitter asks the user to confirm that the partner site may access the user's account, as seen in the following screenshot. This is a very good idea when there is user interaction, but for unattended systems this won't be possible. Fortunately, Access Control can be preconfigured to provide access using shared keys.
As the logins of these services...