
Wednesday, December 30, 2020

SAML vs OAuth vs OpenIdConnect

 

SAML vs. OAuth

SAML (Security Assertion Markup Language) is an alternative federated authentication standard that many enterprises use for Single Sign-On (SSO). SAML lets enterprises keep track of who has access to corporate resources.

There are many differences between SAML and OAuth:

  • SAML uses XML to pass messages, while OAuth uses JSON.
  • OAuth provides a simpler mobile experience, while SAML is geared towards enterprise security.
  • OAuth uses API calls extensively, which is why mobile applications, modern web applications, game consoles, and Internet of Things (IoT) devices find OAuth a better experience for the user. SAML, on the other hand, drops a session cookie in a browser that allows a user to access certain web pages – fine for a working day, but not so great when you have to log into your thermostat every day.


OAuth 2.0 Detailed Flow (figure: note the solid vs. broken lines)

OAuth 2.0 Terminologies (figure)

OAuth Implicit Flow (figure): note that the token is handed over directly over the front channel




Why are the "Authorization Code" and the token it is exchanged for kept separate?

  • Back Channel - a very secure channel - backend to backend
  • Front Channel - a less secure channel - frontend to backend


Overuse of OAuth for Authentication? How to solve it?

  • Using OAuth for authentication is a hack.
  • OAuth is designed for authorisation (scopes).
  • Social login (Google Login, Facebook Login) was built as a custom solution on top of OAuth - an overuse, a hack.
  • Delegated authorisation is what OAuth solves very well.
  • The designers of the OAuth standard extended OAuth with authentication capabilities, and the result became OpenID Connect.
  • OpenID Connect = OAuth 2.0 + a 5-10% extension.



Access Token - OAuth 2.0
ID Token - OpenID Connect
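The back-channel vs. front-channel split and the OAuth 2.0 / OpenID Connect token split above, as an added example that is not part of the original post: a toy authorization server where only a one-time code crosses the front channel, the code is redeemed on the back channel with the client secret, and the ID token (the OpenID Connect extension) is a signed JWT the relying party verifies. The client registration, issuer, signing key and function names are constructed for the demo; a real provider would use asymmetric signatures and published keys.

```python
import base64, hashlib, hmac, json, secrets, time
# Constructed demo values: one registered client plus the provider's issuer name and signing key.
CLIENT = {"client_id": "demo-app", "client_secret": "demo-secret", "redirect_uri": "https://app.example/cb"}
ISSUER = "https://idp.example"
SIGNING_KEY = b"demo-hs256-key"
_codes = {}  # authorization code -> grant details; each code is redeemable exactly once

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_id_token(sub: str, aud: str, nonce: str, ttl: int = 300) -> str:
    # The OpenID Connect addition: a signed JWT stating who authenticated, for which client, until when.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "exp": int(time.time()) + ttl, "nonce": nonce}
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def authorize(client_id: str, redirect_uri: str, scope: str, state: str, nonce: str, user: str) -> str:
    # Front channel: after the user logs in, only a short-lived one-time code goes back via the browser.
    if client_id != CLIENT["client_id"] or redirect_uri != CLIENT["redirect_uri"]:
        raise ValueError("unknown client or redirect_uri")
    code = secrets.token_urlsafe(16)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope, "nonce": nonce, "sub": user, "exp": time.time() + 60}
    return f"{redirect_uri}?code={code}&state={state}"

def token(code: str, client_id: str, client_secret: str, redirect_uri: str) -> dict:
    # Back channel: the client authenticates with its secret, then redeems the code exactly once.
    if client_id != CLIENT["client_id"] or not hmac.compare_digest(client_secret, CLIENT["client_secret"]):
        raise PermissionError("client authentication failed")
    grant = _codes.pop(code, None)
    if grant is None or grant["exp"] < time.time():
        raise PermissionError("invalid, expired or already used code")
    if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        raise PermissionError("code was issued to a different client or redirect_uri")
    resp = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "scope": grant["scope"]}
    if "openid" in grant["scope"].split():  # plain OAuth 2.0 stops above; OIDC adds the ID token
        resp["id_token"] = make_id_token(grant["sub"], client_id, grant["nonce"])
    return resp

def verify_id_token(id_token: str, client_id: str) -> dict:
    # What the relying party checks before treating the ID token as proof of who logged in.
    header, body, sig = id_token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["iss"] != ISSUER or claims["aud"] != client_id or claims["exp"] < time.time():
        raise PermissionError("wrong issuer or audience, or expired")
    return claims
```

Redeeming the same code twice, presenting a wrong client secret, or tampering with the ID token signature all raise PermissionError; a scope without "openid" yields an access token but no ID token.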











User ---> OAuth ---> SAML use case (figure: OAuth + SAML together)


References




Azure - Pipeline - Add Approver for Stage

https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass