Auth
- Consists of Authentication (AuthN: who you are) and Authorization (AuthZ: what you are allowed to do)
- The most widely used federated authentication protocols are SAML and OIDC
OIDC
- Built on top of OAuth2, which by itself is an authorization framework, to add an authentication layer
- Standardizes the use of JWT, claims, scopes (openid, profile, email, ...) and the /userinfo endpoint
- In addition to the access token, it issues an ID token: a signed JWT that contains claims about the authenticated user
- The access token can be presented to the /userinfo endpoint to obtain, if needed, further information about the user
| Feature | OpenID Connect | SAML |
|---|---|---|
| Based on | OAuth2 | Independent of OAuth |
| Token format | JSON / JWT | XML assertions |
| Typical uses | Login for consumer, web and mobile apps | Enterprise SSO |
| Examples | Google/Facebook login used to authenticate at other websites | Corporate login to access Salesforce, Workday |
- OpenID Connect uses slightly different terms from OAuth:
  - OpenID Provider (OP): the authorization server that authenticates the user and issues the ID token
  - End user: the person whose information is contained in the ID token
  - Relying party (RP): the client application that requests the ID token
  - ID token: contains information about the end user in the form of claims
    - issued in addition to, or in place of, the access and refresh tokens
  - Claim: a single piece of information about the end user (e.g. sub, name, email)
JWT
- Is self-contained (stateless): the claims are encoded in the token itself
  - vs. opaque tokens, whose claims can only be learned by calling the OAuth token introspection endpoint
- A recipient can validate a JWT locally by verifying its signature against the issuer's key (published via JWKS), with no round trip to the authorization server; the claims are trusted only because the signature verified, so check the signature (and pin the expected algorithm) before acting on any claim
- Contains claims; the most used registered claims are:
  - sub (subject): stable, immutable identifier of the user at that issuer
  - iat (issued at): when the token was issued
  - exp (expiration): when the token expires; tokens past this time must be rejected
  - aud (audience): which service provider (SP) the token was issued for; the recipient must check that it is the intended audience, which prevents a malicious SP from forwarding a token it received to another service
  - iss (issuer): who issued the token; the recipient should check this matches the provider it configured
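An added example, not code from the original notes, that serves both the OIDC ID token described above and the JWT claim checks here: a stdlib-only Python script that mints an ID token the way an OpenID Provider would and then validates it the way a relying party would, entirely offline. The issuer URL, client_ids, shared HS256 key, user values and nonce are constructed for the demo; a real OP signs with an asymmetric key (RS256/ES256) and the RP fetches the public key from the OP's JWKS, but the validation order (pin the algorithm, verify the signature, then check iss, aud, exp/iat and nonce) is the same. The demo also runs the failure modes: a token forwarded to another RP, an expired token, an edited payload, and a header rewritten to alg "none".

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this demo (assumptions, not from any real deployment).
ISSUER = "https://op.example"                   # the OpenID Provider
CLIENT_ID = "rp-app-123"                        # this relying party's client_id
OTHER_CLIENT_ID = "other-rp-456"                # a different relying party
SECRET = b"demo-hs256-key-shared-by-op-and-rp"  # HS256 key; real OPs use RS256/ES256 + JWKS


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(sub, aud, nonce, now, ttl=300, extra=None):
    """OP side: build the standard ID-token claims and sign them (HS256)."""
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl, "nonce": nonce}
    claims.update(extra or {})
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidToken(Exception):
    pass


def validate_id_token(token, expected_aud, expected_nonce, now, skew=60):
    """RP side: verify locally, no round trip to the OP.
    Order matters: pin the algorithm, check the signature, then the claims."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("malformed")
    header = json.loads(b64url_decode(h_b64))
    # 1. Never let the token's own header choose the algorithm ("none", alg confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    # 2. Signature over header.payload, compared in constant time.
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    # 3. iss: the token must come from the OP this RP was configured with.
    if claims.get("iss") != ISSUER:
        raise InvalidToken("wrong issuer")
    # 4. aud: may be a string or a list; our client_id must be in it.
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token not issued for this relying party")
    # 5. exp / iat, with a small clock-skew allowance.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + skew:
        raise InvalidToken("expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + skew:
        raise InvalidToken("issued in the future")
    # 6. nonce binds the token to the login request that asked for it.
    if claims.get("nonce") != expected_nonce:
        raise InvalidToken("nonce mismatch")
    return claims


def demo(now=1_700_000_000):
    """Happy path plus the failure modes; returns what each attempt produced."""
    token = mint_id_token("user-42", CLIENT_ID, "nonce-1", now, extra={"email": "user42@example"})
    out = {"happy_path": validate_id_token(token, CLIENT_ID, "nonce-1", now)["sub"]}

    def outcome(tok, aud=CLIENT_ID, nonce="nonce-1", at=now):
        try:
            validate_id_token(tok, aud, nonce, at)
            return "accepted"
        except InvalidToken as e:
            return str(e)

    # A valid token forwarded by one RP to another RP: rejected by the aud check.
    out["forwarded_to_other_rp"] = outcome(token, aud=OTHER_CLIENT_ID)
    # The same token an hour later: rejected by exp.
    out["an_hour_later"] = outcome(token, at=now + 3600)
    # Payload edited (sub -> admin) but original signature kept: signature check fails.
    h, c, s = token.split(".")
    claims = json.loads(b64url_decode(c))
    claims["sub"] = "admin"
    out["tampered_sub"] = outcome(f"{h}.{b64url_encode(json.dumps(claims).encode())}.{s}")
    # Header rewritten to alg "none" with an empty signature: the alg pin rejects it.
    none_hdr = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    out["alg_none"] = outcome(f"{none_hdr}.{c}.")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script prints one line per case. The point of the ordering in validate_id_token is that nothing in the payload is read until the signature has verified under an algorithm the RP chose, so the "none" and forged-payload cases never reach the claim checks, while the forwarded and stale tokens carry a perfectly good signature and are caught only by aud and exp.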