Authorization and Authentication Standards
Many industry professionals are challenged when trying to explain various authorization and authentication standards such as OAuth, OpenID Connect, and SAML to their counterparts or management. This is not to say that they don’t understand the concepts or how they are used but these protocols are so closely related and similar that they may confuse anyone learning about or attempting to promote authorization and authentication standards within their organizations.
Data leaks, security breaches, and other security failures are some of the reasons why improving online security with authorization and authentication standards cannot be emphasized enough. In this article, we look at the following security protocols and describe each standard, its purpose, and how it differs from the other standards:
• OpenID Connect
OAuth Authorization Standard
OAuth is an open-standard authorization protocol that allows a user to share information from an existing system with a new system without having to share the same information repeatedly with new systems.
An example of OAuth in use is when you allow or authorize an application to access another application to access your contact information or profile data. This authorization is enabled when the user allows the Identity Provider to share a token with the new application which remains active until it is revoked.
Internet Engineering Task Force (IETF) originally published OAuth (Open Authorization) as RFC 5849 in April 2010. Since then, OAuth has undergone one major update, which was in October 2012. In this update, OAuth was published as RFC 6749; leading to the creation of OAuth 2.0.
The purpose of OAuth is to provide the Client with secure delegated access to server resources on behalf of the resource owner. OAuth has four key concepts, which are:
• Client: An application that makes protected resource requests on behalf of a resource owner.
• Resource server: Hosts the protected resources.
• Authorization server: Issues access tokens to the Client.
• Resource owner: Grants access to the protected resource.
One major difference between these standards is that OpenID Connect and OAuth are more like specifications while SAML seems like a ready-to-work tool. OAuth specification, however, appears to be lower on details compared to OpenID Connect specification.
OpenID Connect Authentication Standard
OpenID Connect is a layer on top of OAuth, which is an authentication protocol that allows users to log into websites and apps using their existing credentials from another site. OpenID Connect adds an extra layer of security by encrypting the connection between the user and the site or app. This makes it more difficult for hackers to intercept the login information and gain access to the user’s account. In addition, OpenID Connect also allows users to log in without having to remember a separate username and password for each site or app. This makes it more convenient for users to use their existing credentials from another site to log in. Overall, OpenID Connect provides a high level of security, making it a great choice for website and app developers looking to protect their users’ information.
Openid.net describes OpenID Connect as a simple layer based on the OAuth 2.0 protocol. This standard lets Clients verify the End-User’s identity based on the authentication that Authorization Server carries out. It also obtains basic profile information about the End-User. And it does that in a REST-like, interoperable manner.
Created in 2014, OpenID Connect is the youngest protocol of the three we have today. It was created to make complicated things doable and ensure that simple ones remain simple. OpenID Connect (OIDC) works by adding the OpenID scope value to the OAuth Authorization Request. Ideally, there are two paramount building blocks of the OpenID flow.
• Rps (Relying Parties): OAuth 2.0 Clients that use OIDC
• Ops (OpenID Providers): OAuth 2.0 Authentication Servers that implement OIDC
The difference between OIDC and other standards is mainly seen in the purpose of these three standards. That being said, SAML is for exchanging both authorization and authentication information between interested parties. OAuth, on the other hand, only focuses on authorization, whereas, OpenID Connect adds a layer of authentication over existing OAuth specifications. By so doing, OpenID Connect effectively provides both authorization and authentication possibilities.
SAML Authorization and Authentication Standards
Security Assertion Markup Language, or simply SAML, is an open standard where authorization and authentication information is exchanged between a service provider and an identity provider. OASIS Security Services Technical Committee is behind the creation of this standard. The committee created it in 2002; making it the oldest protocol there is today.
Since its creation, SAML has undergone two updates. The first update was in 2003, and it was a minor one. It saw SAML updated to version 1.1. The second update was in 2005 when SAML was updated to version 2.0. That being said, SAML has four key concepts that underwent major changes between versions 1.0 and 2.0.
These concepts include:
• Protocols: Show how some elements of SAML are packaged within the SAML requests and response elements.
• Profiles: Comprehensively describe how protocols, bindings, and assertions work together to support a defined use case.
• Bindings: A SAML protocol that maps onto standard messaging formats.
• Security Assertions: Facts that service providers use to come up with access-control decisions.
According to most software engineers, SAML appears to be the most complex standard to use and implement. That is because it uses an old-school approach for configuration, where you rely on XML files for writing. This is different from OAuth and OpenID where JWT and HTTP are used.
Verdict: What is the Best Standard?
OAuth is a great option for someone relying heavily on the authorization. OpenID Connect, on the other hand, is suitable for authentication heavy integrations. Finally, SAML comes in handy when you are already using it, as mixing things might lead to more confusion.