Showing posts with label Difference. Show all posts

Wednesday, December 30, 2020

SAML vs OAuth vs OpenIdConnect


SAML vs. OAuth

SAML (Security Assertion Markup Language) is an older federated authentication standard that many enterprises use for Single Sign-On (SSO): the identity provider (IdP) authenticates the user and hands the service provider (SP) a signed XML assertion about that user. Because every login goes through the IdP, the enterprise can centrally control and audit who has access to corporate resources.

There are several differences between SAML and OAuth 2.0:

  • SAML passes signed XML assertions; OAuth 2.0 passes parameters in HTTP redirects and form posts, and its token responses are JSON (access tokens are often, but not necessarily, JWTs).
  • OAuth provides a simpler mobile and API experience, while SAML is geared towards enterprise web SSO.
  • OAuth is built around API calls (a bearer token sent in an HTTP header), which is why mobile applications, modern web applications, game consoles and Internet of Things (IoT) devices fit it better. SAML, on the other hand, ends in a session cookie set in a browser that grants access to certain web pages: fine for a workday of browser-based apps, not so fine when you have to log in to your thermostat every day.
  • SAML is an authentication protocol; OAuth 2.0 by itself is delegated authorization. That gap is what OpenID Connect fills (see below).

OAuth 2.0 Detailed Flow

[Diagram not reproduced: the authorization code flow, with solid and broken lines distinguishing the front-channel (browser redirect) legs from the back-channel (server-to-server) legs.]

OAuth 2.0 Terminology

[Diagram not reproduced.]

OAuth Implicit Flow

[Diagram not reproduced: in the implicit flow the access token itself is handed to the client directly over the front channel, in the redirect URI fragment, which is why this flow is now discouraged.]

Why do we have the "Authorization Code" and the "Access Token" as separate things?

  • Back channel - a highly trusted channel: the client's backend talks directly to the authorization server over TLS and authenticates with its own client credentials. The access token is only ever delivered here.
  • Front channel - a less trusted channel: messages travel through the user's browser as redirects, so they end up in browser history, proxy and web-server logs and Referer headers, and are reachable by malicious browser extensions. Only the short-lived, single-use authorization code travels here, and it is useless without the client credentials (and PKCE verifier) needed to redeem it.
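To make the two channels concrete, here is an added example (not code from the original post) that simulates the authorization code flow with PKCE in Python: a toy authorization server with a front-channel /authorize step and a back-channel /token step, plus a client that runs the flow once. The client id, client secret, redirect URI and server are all constructed for the example. It then shows that someone who captured the code on the front channel cannot redeem it without the client secret and PKCE verifier, and that a code cannot be redeemed twice.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


@dataclass
class AuthServer:
    """Toy authorization server (constructed for this example, not a real AS)."""
    clients: dict                                # client_id -> {secret, redirect_uri}
    codes: dict = field(default_factory=dict)    # authorization code -> metadata
    tokens: dict = field(default_factory=dict)   # access token -> metadata

    def authorize(self, client_id, redirect_uri, scope, code_challenge):
        """Front channel (/authorize): reached by a browser redirect. The user
        logs in and consents; the AS sends back only a short-lived, single-use
        code via another redirect. Nothing long-lived or secret travels here."""
        client = self.clients[client_id]
        if redirect_uri != client["redirect_uri"]:
            raise ValueError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
            "code_challenge": code_challenge, "expires": time.time() + 60, "used": False,
        }
        return code

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Back channel (/token): called directly by the client's backend over TLS.
        The client authenticates and proves it started the flow (PKCE); only then
        does an access token exist anywhere."""
        client = self.clients[client_id]
        if not hmac.compare_digest(client_secret, client["secret"]):
            raise PermissionError("invalid client credentials")
        meta = self.codes.get(code)
        if meta is None or meta["used"] or time.time() > meta["expires"]:
            raise PermissionError("code is unknown, expired or already used")
        if meta["client_id"] != client_id or meta["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client/redirect_uri")
        challenge = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(challenge, meta["code_challenge"]):
            raise PermissionError("PKCE code_verifier does not match code_challenge")
        meta["used"] = True                      # a code is redeemable exactly once
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "scope": meta["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "scope": meta["scope"]}


def run_code_flow():
    """Walk the flow once, then show what an attacker who saw the front channel
    (the code in browser history or a proxy log) can and cannot do with it."""
    redirect_uri = "https://app.example/callback"          # constructed
    srv = AuthServer(clients={"web-app": {"secret": "app-secret", "redirect_uri": redirect_uri}})

    # Client side: the PKCE verifier never leaves the backend; only its hash goes out.
    verifier = secrets.token_urlsafe(48)
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())

    code = srv.authorize("web-app", redirect_uri, "read", challenge)   # front channel

    def attempt(secret, verifier_guess):
        try:
            srv.token("web-app", secret, code, redirect_uri, verifier_guess)
            return True
        except PermissionError:
            return False

    stolen_without_secret = attempt("guess", "guess")        # no client secret, no verifier
    stolen_with_leaked_secret = attempt("app-secret", "guess")  # secret leaked, PKCE still blocks
    response = srv.token("web-app", "app-secret", code, redirect_uri, verifier)  # back channel
    code_replayed = attempt("app-secret", verifier)           # same code a second time
    return {
        "response": response,
        "stolen_without_secret": stolen_without_secret,
        "stolen_with_leaked_secret": stolen_with_leaked_secret,
        "code_replayed": code_replayed,
    }


if __name__ == "__main__":
    print(run_code_flow())
```

The point of the split is visible in the last three results: the code is the only thing exposed on the front channel, and on its own it buys the attacker nothing, while the access token is minted only inside the authenticated back-channel call.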

Overuse of OAuth for authentication: what is the problem and how is it solved?

OAuth for authentication is a hack.
OAuth 2.0 is designed for delegated authorization: a user lets a client act on their behalf within a limited scope, and OAuth solves that very well.
Social login ("Login with Google", "Login with Facebook") built directly on OAuth is a custom solution per provider: the client obtains an access token and then calls some profile API to work out who the user is. An access token says nothing about the user, is not bound to the client that receives it, and any bearer of it looks the same, so a token obtained by a different (malicious) app can be replayed to log in as its victim.
The designers of the OAuth standard therefore extended OAuth 2.0 with an authentication layer, and that became OpenID Connect (OIDC).
OpenID Connect is roughly a 5-10% extension on top of OAuth 2.0: the same flows and endpoints, plus an ID token and a standard userinfo endpoint.

Access token - OAuth 2.0: meant for the resource server (API), opaque to the client, says what the bearer may do.
ID token - OpenID Connect: a signed JWT meant for the client itself, says who authenticated and for whom it was issued (iss, sub, aud, exp, nonce).
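An added example (not from the original post) of what that extra 5-10% buys the client: minting and validating an ID token in Python. The issuer, client id and signing key are constructed, and HS256 with a shared secret stands in for the RS256/JWKS setup a real OpenID provider uses, as noted in the code. The relying party checks signature, iss, aud, exp and nonce, and the demo shows that a perfectly valid ID token issued for another client is rejected, which is exactly the check an access token used for "authentication" cannot provide.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical issuer and client names, constructed for this example.
ISSUER = "https://idp.example"
CLIENT_ID = "web-app"
# Real providers sign ID tokens with RS256/ES256 and publish the public key in a
# JWKS document; an HS256 shared secret is used here only so the example runs offline.
SIGNING_KEY = b"constructed-shared-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """What the OpenID provider does: a signed JWT carrying iss/sub/aud/exp/nonce."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, now=None, key: bytes = SIGNING_KEY) -> str:
    """What the relying party must do before trusting 'sub' as the logged-in user."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm you expect; never let the token choose it (alg=none attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("token was issued for another client")   # the OAuth-as-auth hole
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: not the login this client started")
    return claims["sub"]


def demo():
    now = 1_700_000_000.0     # fixed clock so the example is deterministic
    nonce = "n-7f3a"          # generated by the client per login and kept in its session
    base = {"iss": ISSUER, "sub": "user-123", "exp": now + 300, "iat": now, "nonce": nonce}

    good = mint_id_token({**base, "aud": CLIENT_ID})
    for_other_client = mint_id_token({**base, "aud": "some-other-app"})        # valid, wrong audience
    attacker_minted = mint_id_token({**base, "aud": CLIENT_ID, "sub": "admin"},
                                    key=b"attacker-key")                       # wrong signing key

    def accepted(tok, expected_nonce=nonce):
        try:
            validate_id_token(tok, expected_nonce, now=now)
            return True
        except ValueError:
            return False

    return {
        "valid_sub": validate_id_token(good, nonce, now=now),
        "other_client_token_accepted": accepted(for_other_client),
        "forged_signature_accepted": accepted(attacker_minted),
        "replayed_nonce_accepted": accepted(good, expected_nonce="n-fresh"),
    }


if __name__ == "__main__":
    print(demo())
```

The aud and nonce checks are the ones that matter for the discussion above: aud binds the token to this client, so a token handed out to another app cannot be replayed here, and nonce binds it to the login attempt this client actually started.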

User ---> OAuth/OIDC ---> SAML use case [OAuth + SAML together]: the application speaks OAuth/OIDC to an identity provider or broker, which in turn federates to the enterprise SAML IdP for the actual login, so the application never has to implement SAML itself.


Azure - Pipeline - Add Approver for Stage