Authentication 🪪

Authorization protocols

FeatureSAMLOAuth2.0OIDC
PurposeFederated identityDelegated authorizationBoth
ProtocolXMLJSONJSON
AuthenticationAuthorization code, SSOAuthorization code, implicit, password, client credentialsWhat OAuth2 supports + ID token, Userinfo endpoint
ScopeIdentityAccess to resourcesAccess to resources
StatelessYesNoNo
ComplexityMore complexLess complexLess complex
PopularityMore popular in enterprise environmentsMore popular in consumer environmentsGaining popularity in both enterprise and consumer environments
Release date200520072014

Notes:

  • As described in the Authentication row, OIDC is a superset of OAuth, it supports all the features of OAuth and user's identity on top of it.

OAuth2

OAuth2 suits API authorization and modern application contexts

Authenticate with your credentials

{
	"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ...",
	"token_type": "Bearer",
	"expires_in": 3600,
	"refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ..." // optional
}
  • access_token: short-lived token used to authenticate requests to protected resources.
  • refresh_token: long-lived token that can be used to obtain a new access token when it expires.

Decode your access token

(Click on the different types of token to know more)


Opaque tokens - Random string tokens. The authorization server looks up the token in a database to validate it.
# e.g. Generated UUID
457b7a71-2639-4d26-9bde-bab761132c58
JSON tokens - Simple JSON objects with claims. Not signed/encrypted like JWT.
{
    "iss": "https://server.example.com",
    "sub": "1234567890",
    "exp": 1516265022,
    "scopes": ["read","write"]
}
JWT (JSON Web Tokens) - Cryptographically sign the JSON claims to ensure integrity

Structure

{
    "access_token": "${Header}.${Payload}.${Signature}" // Each component is base64-encoded.
    ...
}

Components

{"alg": "RS256", "typ": "JWT"}
{
    "aud": "my-project",
    "iat": 1509654401,
    "exp": 1612893233
}
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Integrity verification

header, payload, signature = jwt.decode(token, public_key, algorithms="RS256")
hash = jwt.algorithms.RS256(header + payload).digest()
if signature == hash:
    return True

More on https://jwt.io/introduction


SAML

SAML excels at browser SSO within organizations

Authenticate with your credentials

  1. Your Service Provider is redirecting you to the selected Identity Provider.

  2. Once you successfully authenticated against your preferred Identity Provider, it will return a SAML assertion similar to the one below.

    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1234567890" Version="2.0" IssueInstant="2023-08-03T13:25:56.077Z">
      <saml:Issuer>https://idp.example.com</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">johndoe</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData NotOnOrAfter="2023-08-03T14:25:56.077Z" Recipient="https://sp.example.com/acs"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2023-08-03T13:25:56.077Z" NotOnOrAfter="2023-08-03T14:25:56.077Z">
        <saml:AudienceRestriction>
          <saml:Audience>https://sp.example.com</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2023-08-03T13:25:56.077Z" SessionIndex="_1234567890">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  3. Your browser will automatically redirect using the redirect URL back to your Service Provider with the SAML assertion.

  4. Your Service Provider verifies the SAML assertion to identify the user and its resource permissions, if successful you are logged in with granted access to resources you're allowed to read or alter.