OAuth 2.0, OpenID Connect and SAML — An Overview!
This article is for techies who understand the difference between authentication and authorization. In case you want a refresher, check this: https://auth0.com/docs/flows. When a website or web app is developed, some identity use cases come up, such as authentication, single sign-on, delegated authorization and single logout. As solutions for these we have OAuth 2.0, OpenID Connect and SAML. Let’s check them!
OAuth 2.0
The actual problem: let’s assume you used a website that asked you to select some third-party applications and hand over your user id and password for them, so that it could access your contacts and work internally on its branding and promotion. If you selected one of your prime accounts, like Google or Facebook, you authorized the website to take any action on your account, which is about the worst thing you could do to yourself. This approach came into the picture 12 years back for a few startups. Just to let you know, some eastern banks still go for this mechanism.
Note: for this case, I will refer to the SP as the ‘website’ and the IDP as ‘Google’.
Here OAuth came into the picture as a solution.
- In this flow, the website routes the user to the Google sign-in page and asks permission for contact access.
- If the user clicks ALLOW, Google redirects the browser back to the website’s callback URL with an authorization code.
- This code can be tampered with (it is present in the UI flow and can be manipulated using dev tools), so the website must not trust it on its own.
- The website’s server therefore exchanges this code with Google in return for a token.
- This token is the actual grant of access to the contacts, or whatever the browser requested. This is the mechanism of OAuth.
OAuth 2.0 is a framework for authorizing third-party applications to access a user’s account.
Here the request names the resource we want to access, like contacts. The response is the grant code that will be shared with the application server. The callback URL redirects back to the website. The client id is the unique identifier Google issues to the website (the OAuth client) when it is registered.
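To make the flow above concrete, here is an added example (written for this overview; it is not Google’s API or code from any real library) that simulates both sides of the authorization code exchange in Python: a toy authorization server standing in for Google and a callback handler standing in for the website’s server. The client id, client secret and callback URL are constructed placeholders. It shows why the code in the browser grants nothing by itself: it is exchanged on the back channel together with the client secret, it can be used only once, and it is bound to the client and redirect URI it was issued for.

```python
"""Toy OAuth 2.0 authorization-code exchange (constructed example; not Google's real API)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode

CLIENT_ID = "website-client-id"                     # constructed placeholder
CLIENT_SECRET = "website-client-secret"             # constructed placeholder
REDIRECT_URI = "https://website.example/callback"   # constructed placeholder


class ToyAuthorizationServer:
    """Stands in for Google: issues one-time codes and exchanges them for tokens."""

    def __init__(self):
        # Clients registered with the IdP: client_id -> (client_secret, redirect_uri)
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}  # code -> what it was issued for

    def authorize(self, client_id, redirect_uri, scope, user, allowed):
        """Runs after the user answers the consent prompt; returns the redirect URL."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered one")
        if not allowed:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied'})}"
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "expires": time.time() + 60}
        return f"{redirect_uri}?{urlencode({'code': code})}"

    def token(self, code, client_id, client_secret, redirect_uri):
        """Back-channel exchange; only the website's server knows client_secret."""
        record = self.codes.pop(code, None)  # pop: each code is usable exactly once
        if record is None:
            return {"error": "invalid_grant"}
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        if (record["client_id"] != client_id or record["redirect_uri"] != redirect_uri
                or time.time() > record["expires"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": record["scope"]}


def website_callback(server, query):
    """The website's callback handler: the code in the URL is untrusted until exchanged."""
    params = parse_qs(query)
    code = params.get("code", [None])[0]
    if code is None:
        return None
    result = server.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    return result.get("access_token")


def demo():
    """A valid code works once; a replay or a code edited in the browser yields nothing."""
    idp = ToyAuthorizationServer()
    redirect = idp.authorize(CLIENT_ID, REDIRECT_URI, "contacts.read", "alice", allowed=True)
    query = redirect.split("?", 1)[1]
    first = website_callback(idp, query)
    replay = website_callback(idp, query)
    forged = website_callback(idp, "code=TAMPERED")
    return first is not None, replay is None, forged is None


if __name__ == "__main__":
    print(demo())
```

Running demo() returns (True, True, True): the genuine code yields a token, the same code replayed is refused, and an edited code is refused. A failed exchange also burns the code, so a wrong client secret cannot be retried against it. Real deployments additionally bind the redirect to the user’s browser session with a state parameter and, for public clients, use PKCE; both are left out here to keep the example focused on the exchange itself.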
OpenID Connect
It is a protocol built on top of the mechanism followed by OAuth 2.0. It is used for authentication of the user by retrieving their identity from the third-party IDP (Google). Here the response is the OpenID user profile, the email, or both. When the server exchanges the code, it receives back a JWT (JSON Web Token) containing the user profile, along with the access token. OpenID Connect is preferred for mobile identity use cases. The JWT is passed as a lightweight web security token over HTTP in RESTful communication.
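The JWT that comes back with the access token is the ID token, and the website must validate it before treating its claims as the user’s identity. The following is an added example, not code from the page or from any real identity provider: a Python issuer and validator for an HS256-signed ID token built from the standard library only. The issuer URL, client id and signing key are constructed placeholders, and the shared-secret signature stands in for the RS256/ES256 signatures real IDPs use with published public keys; the claim checks (signature, iss, aud, exp, nonce) are the same either way.

```python
"""Constructed example: issue and validate an OpenID Connect ID token (JWT)."""
import base64
import hashlib
import hmac
import json
import time

IDP_SECRET = b"constructed-idp-signing-key"  # toy shared key; real IdPs use asymmetric keys
ISSUER = "https://idp.example"               # assumed issuer URL
CLIENT_ID = "website-client-id"              # assumed client id (the token's audience)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(subject, email, nonce, now=None, ttl=300):
    """IdP side: sign the profile claims returned with the code exchange."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID, "iat": now,
              "exp": now + ttl, "nonce": nonce, "email": email}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_id_token(token, expected_nonce, now=None):
    """Website side: returns (claims, None) if valid, else (None, reason)."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None, "unexpected alg"  # never accept "none" or an algorithm you did not expect
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, "bad signature"
    # Only read the claims once the signature has been verified.
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    if claims.get("aud") != CLIENT_ID:
        return None, "wrong audience"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"
    return claims, None


if __name__ == "__main__":
    tok = issue_id_token("alice-123", "alice@example.com", nonce="n1")
    print(validate_id_token(tok, expected_nonce="n1"))
```

The nonce is the value the website generated when it sent the user to the IDP; checking it ties the returned token to that particular login request. The alg check runs before the signature check so that a token whose header claims no signature is rejected outright.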
SAML
It is also an authentication mechanism, used especially at the enterprise level for SSO (Single Sign-On) and SLO (Single Logout). SAML, Security Assertion Markup Language, is an open standard that allows an IDP to provide the federated identity of a user so that he can be authenticated into an SP. In plain English, a SAML assertion is an XML document sent by the IDP, carrying a digital signature and member lookup values. Because of the trust relationship established between the IDP and the SP, the SP identifies the user and allows SSO with IDP credentials. Note: the format of the member lookup value sent in the assertion should be the same as what the SP requires. The member details, attributes, certificates and encryption policy are decided by both ends as part of the SSO/SLO configuration. All these details are shared in the form of metadata. Whether the assertion, the response, or both are signed is also decided during configuration.
Thank you for reading all the way to this line!
Follow me on Medium and LinkedIn (linkedin.com/in/shiwani-sinha-28b842171) to get more interview preparation materials and insights.