OAuth, OIDC, and SAML

Authentication (AuthN) proves who someone is and Authorization (AuthZ) allows that someone to access certain resources.

Basic authentication is what we’re all used to: something like a username and password. We prove who we are by entering the correct credentials. Another common form of authentication is biometrics. When we unlock our phones, we can use a fingerprint scan or an eye scan to prove our identity.

Several authentication factors are widely used, including:

  • Something a person knows
  • Something a person has
  • Something a person is
  • Somewhere a person is

If you can’t prove who you are, then you won’t be allowed to access the resource, because authorization should always follow authentication. Authorization grants or denies permissions to resources.

What is OAuth 2.0?

OAuth 2.0 (Open Authorization) is the standard that allows one application to access another application without sharing your credentials. It grants authorization for one application to access data or features in another application on your behalf. It uses Access Tokens to hold information about your user and their permissions.

What is OIDC?

OIDC (OpenID Connect) is an authentication protocol based on OAuth 2.0 and enables users to sign into one application and receive access to another. It is used to provide SSO for applications. For example, when you need to log into one website and it gives you the option to log in using your Google account, this is using OIDC authentication. OIDC uses ID Tokens, usually in the form of a JSON Web Token (JWT), which include information such as email address and name.

According to Microsoft, “OIDC was built on top of OAuth 2.0 to add authentication. The OAuth 2.0 protocol was developed first and then OIDC was added to enhance its capabilities. The difference between the two is that OAuth 2.0 provides authorization, while OIDC provides authentication. OAuth 2.0 is what allows users to gain access to a relying party, using their account with an OpenID provider, and OIDC is what allows the OpenID provider to pass along a user profile to the relying party. OIDC also allows organizations to offer their users single sign-on.”

Okta has an illustrated guide that goes over how OAuth and OIDC work together.

What is SAML?

SAML (Security Assertion Markup Language) is an XML-based authentication protocol used for transferring identity data between an IdP (identity provider) and an SP (service provider). It enables SSO for applications, similar to OIDC.

An IdP provides the user’s identity and authorization to the SP. For example, Okta would be the IdP and the SP could be something like Slack. You would log into Okta and it would authenticate you into Slack using SAML.

Differences between SAML and OIDC

Both SAML and OIDC are identity protocols that allow applications to communicate with one another for authentication. According to OneLogin, their login flows are basically the same, with 3 primary differences:

Difference          SAML                 OIDC
Data format         XML                  JSON
Data sent           SAML Assertion       Claims
Application name    Service Provider     Relying Party

OIDC seems to be more easily implemented and is better suited to mobile applications, as it uses JSON instead of XML for its ID Tokens.