Delegated authentication

Over the next few days we are going to talk about delegated authentication. For modern standards this falls under “What you know”. See What is authentication for further discussion.

To illustrate what delegated authentication is we will start with an all too common story. We introduce you to Mary

Mary loves social media, uploading her pictures on facebook, instagram and then tweeting them. However she is a very busy lady and does not like the work of uploading the same file to multiple servers.

As a tech savvy developer eager to impress your skills on her, you figure you can help her automate this task. The most easiest way forward would be to ask her for passwords for her three accounts then, when she uploaded a picture to your service, your service would automatically post it on all three platforms.

You immediately hit a snag with this approach, as it turns out Mary is not particularly fond of giving her password out to strangers no matter how tech savvy!

On further inspection you find out this is because she is afraid you will not only post the photos she has instructed you to, you will also go through her other stuff.

But what if you could assure her that you need access to posting photos only and not to the rest of her stuff. Prior to 2006 this just wasn’t possible but today that is exactly what delegated authentication does.

In delegated authentication you are the owner but not the direct consumer of a certain resource. To continue we must first define some key terms used in this paradigm.

  • Resource: A digital activity or data in our case this would be posting the photo
  • Delegator: This is the owner of the resource in our case here, that would be Mary
  • Delegate: The delegate wants to access the resource
  • Service provider: Hosts the resource and validates legitimacy of the delegate

It is entirely possible to build out your own delegated authentication service, however you are likely to run into interoperability problems pretty quickly. Thankfully there exists standards for this kind of authentication we will be speaking about in a later entry.

Signup to make sure you don’t miss it.

Have you ever been in the same situation as out tech savvy developer? How did you handle it? Talk to us in the comments below.


Published by


Software Project Manager