Wednesday, December 30, 2020

SAML vs OAuth vs OpenIdConnect


SAML vs. OAuth

SAML (Security Assertion Markup Language) is an alternative federated authentication standard that many enterprises use for Single Sign-On (SSO). SAML enables enterprises to monitor who has access to corporate resources.

There are many differences between SAML and OAuth. 

  • SAML uses XML to pass messages, and OAuth uses JSON. 
  • OAuth provides a simpler mobile experience, while SAML is geared towards enterprise security. 
  • OAuth uses API calls extensively, which is why mobile applications, modern web applications, game consoles, and Internet of Things (IoT) devices find OAuth a better experience for the user. SAML, on the other hand, drops a session cookie in a browser that allows a user to access certain web pages – great for short-lived work days, but not so great when you have to log into your thermostat every day.


OAUTH 2.0 Detailed Flow

[Diagram: OAuth 2.0 detailed flow. See solid/broken lines.]

OAUTH 2.0 Terminologies

[Diagram: OAuth 2.0 terminologies.]

OAuth Implicit Flow

[Diagram: OAuth implicit flow. Note that the token is handed over directly over the front channel.]




Why do we have the "Authorization Code" and the "Authentication Token" as separate things?

  • Back Channel - a very secure channel - backend to backend
  • Front Channel - a not very secure channel - frontend to backend


Overuse of OAUTH for Authentication? How to solve it?

  • Using OAUTH for authentication is a hack.
  • OAUTH is designed for authorisation (scopes).
  • Social Login -> Google Login / Facebook Login -> custom solutions built on OAUTH for login are an overuse / hack.
  • Delegated authorization - OAUTH solves it very well.
  • The designers of the OAUTH standard extended OAUTH with authentication capabilities, and it became OpenIDConnect.
  • 5-10% extra extension to OAUTH2.0 = OpenIdConnect



  • AccessToken - OAuth2.0
  • IdToken - OpenIDConnect
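The two points above (an authorization code that crosses the front channel is only turned into tokens on the back channel, and OpenID Connect is OAuth 2.0 plus an ID token when the `openid` scope is requested) as a runnable added example; this is not code from the original post. The toy server, client id, secret, redirect URI, issuer URL and the HS256 signing with the client secret are all constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

def _b64(raw):  # base64url without padding, as JWTs use
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret", "redirect_uri"}; toy server, constructed example
        self.codes = {}         # one-time authorization codes awaiting exchange

    def authorize(self, client_id, redirect_uri, scope, user, now):
        """Front channel: the browser redirect carries only a short-lived code, never a token."""
        c = self.clients.get(client_id)
        if c is None or c["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri, scope=scope, user=user, exp=now + 60)
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Back channel: the client proves its secret; the code is consumed on first use."""
        c = self.clients.get(client_id)
        if c is None or not hmac.compare_digest(c["secret"], client_secret):
            raise PermissionError("invalid_client")
        g = self.codes.pop(code, None)  # pop: a replayed (or leaked) code is useless afterwards
        if g is None or g["client_id"] != client_id or g["redirect_uri"] != redirect_uri or now > g["exp"]:
            raise PermissionError("invalid_grant")
        resp = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": g["scope"]}
        if "openid" in g["scope"].split():  # the OIDC extension: also return an ID token
            resp["id_token"] = make_id_token(c["secret"], g["user"], client_id, now)
        return resp

def make_id_token(client_secret, user, client_id, now):
    """HS256 JWT signed with the client secret (OIDC permits this for confidential clients)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": "https://idp.example", "sub": user, "aud": client_id, "iat": now, "exp": now + 300}
    signing_input = header + b"." + _b64(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + _b64(sig)).decode()

def verify_id_token(client_secret, id_token, client_id, now):
    """Client side: check signature, audience and expiry before trusting 'sub'."""
    h, c, s = id_token.split(".")
    expected = hmac.new(client_secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected).decode(), s):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(c + "=" * (-len(c) % 4)))
    if claims["aud"] != client_id or now >= claims["exp"]:
        raise ValueError("wrong audience or expired")
    return claims
```

The access token is an opaque string the client hands to APIs, while the ID token is a signed statement about the user that the client itself verifies; that difference is what makes the second one usable for login.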

User ---> OAUTH ---> SAML use case [OAUTH + SAML, together]

