Authentication 🪪
Authorization protocols
| Feature | SAML | OAuth2.0 | OIDC |
|---|---|---|---|
| Purpose | Federated identity | Delegated authorization | Both |
| Protocol | XML | JSON | JSON |
| Authentication | Authorization code, SSO | Authorization code, implicit, password, client credentials | What OAuth2 supports + ID token, Userinfo endpoint |
| Scope | Identity | Access to resources | Access to resources |
| Stateless | Yes | No | No |
| Complexity | More complex | Less complex | Less complex |
| Popularity | More popular in enterprise environments | More popular in consumer environments | Gaining popularity in both enterprise and consumer environments |
| Release date | 2005 | 2007 | 2014 |
Notes:
- As described in the
Authenticationrow, OIDC is a superset of OAuth, it supports all the features of OAuth and user's identity on top of it.
OAuth2
OAuth2 suits API authorization and modern application contexts
Authenticate with your credentials
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ..." // optional
}access_token: short-lived token used to authenticate requests to protected resources.refresh_token: long-lived token that can be used to obtain a new access token when it expires.
Decode your access token
(Click on the different types of token to know more)
Opaque tokens - Random string tokens. The authorization server looks up the token in a database to validate it.
# e.g. Generated UUID
457b7a71-2639-4d26-9bde-bab761132c58JSON tokens - Simple JSON objects with claims. Not signed/encrypted like JWT.
{
"iss": "https://server.example.com",
"sub": "1234567890",
"exp": 1516265022,
"scopes": ["read","write"]
}JWT (JSON Web Tokens) - Cryptographically sign the JSON claims to ensure integrity
Structure
{
"access_token": "${Header}.${Payload}.${Signature}" // Each component is base64-encoded.
...
}Components
{"alg": "RS256", "typ": "JWT"}{
"aud": "my-project",
"iat": 1509654401,
"exp": 1612893233
}SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5cIntegrity verification
header, payload, signature = jwt.decode(token, public_key, algorithms="RS256")
hash = jwt.algorithms.RS256(header + payload).digest()
if signature == hash:
return TrueMore on https://jwt.io/introduction
SAML
SAML excels at browser SSO within organizations
Authenticate with your credentials
-
Your
Service Provideris redirecting you to the selectedIdentity Provider. -
Once you successfully authenticated against your preferred
Identity Provider, it will return a SAML assertion similar to the one below.<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1234567890" Version="2.0" IssueInstant="2023-08-03T13:25:56.077Z"> <saml:Issuer>https://idp.example.com</saml:Issuer> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">johndoe</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2023-08-03T14:25:56.077Z" Recipient="https://sp.example.com/acs"/> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2023-08-03T13:25:56.077Z" NotOnOrAfter="2023-08-03T14:25:56.077Z"> <saml:AudienceRestriction> <saml:Audience>https://sp.example.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2023-08-03T13:25:56.077Z" SessionIndex="_1234567890"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion> -
Your browser will automatically redirect using the redirect URL back to your
Service Providerwith the SAML assertion. -
Your
Service Providerverifies the SAML assertion to identify the user and its resource permissions, if successful you are logged in with granted access to resources you're allowed to read or alter.