Authentication & Authorization

Baby Manisha Sunkara
3 min read · Mar 5, 2019


Protocols used in authentication / authorization : OpenID, OAuth2, SAML

Authentication is about validating your credentials, such as a username and password, to verify your identity. Using those credentials, the system checks that you are who you say you are.

Authorization occurs after your identity has been successfully authenticated by the system. It verifies your rights and grants you access to resources only after determining whether you may access the system and to what extent. In other words.

OpenID

OpenID is an open standard for authentication, promoted by the non-profit OpenID Foundation. As of March 2016, there are over a billion OpenID-enabled accounts on the internet, and organizations such as Google, WordPress, Yahoo, and PayPal use OpenID to authenticate users.

Example: Siva wants to log in to his Instagram account (the relying party). He navigates to the login screen, where he is offered a “Sign in with Facebook” option. He clicks that, and Instagram initiates an association with Facebook, requesting and receiving an association handle. Instagram then forwards Siva to the Facebook login page, where he enters his credentials. Facebook validates them and redirects him back to Instagram, along with a token stating that Facebook believes he is who he claims to be.

OAuth2

OAuth2 is an open standard for authorization. This does not mean that we do not use OAuth2 for authentication, however, as OpenID is a protocol on top of OAuth2 which serves for authentication. OAuth2 provides secure delegated access, meaning that an application, called a client, can take actions or access resources on a resource server on behalf of a user, without the user sharing their credentials with the application. OAuth2 does this by allowing tokens to be issued by an identity provider to these third-party applications, with the approval of the user. The client then uses the token to access the resource server on behalf of the user.

Example: Siva signs up for a new account at Instagram and is offered the option to see which of his friends already use Instagram so he can follow them. There’s a button labeled “import contacts from Facebook.” Siva clicks that button and is redirected to Facebook to log in. Siva successfully logs in and is asked whether he wants to share his Facebook friend list with Instagram. If he clicks yes, he is forwarded back to Instagram along with a token. Instagram now has permission (via the token) to access Siva’s friend list, without him sharing his credentials directly with Instagram. This eliminates the risk of Instagram logging into Facebook on Siva’s behalf and doing unrelated things such as posting status updates, changing his credentials, etc.
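The delegation in this example can be seen end to end in a small simulation. The code below is an added illustration, not part of the original post and not any real provider's API: it models the "Facebook" role as an authorization server that authenticates Siva and records his consent, the "Instagram" role as a client that only ever handles an authorization code and an access token (never Siva's password), and a resource server that enforces the scope the token was issued with. Client id, secret, redirect URI, scope names and the friend list are constructed assumptions.

```python
"""Toy OAuth2 authorization-code flow for the "import contacts from Facebook"
scenario. Constructed example: class names, endpoints, scopes and secrets are
assumptions, not any real provider's API. Real deployments add HTTPS, PKCE,
short-lived tokens and refresh tokens on top of what is shown here."""
import secrets
import time


class AuthorizationServer:
    """Plays the Facebook role: authenticates Siva, records his consent and
    issues tokens. The client never sees Siva's password."""

    def __init__(self):
        # Registered client: Instagram may only receive codes at this redirect URI.
        self.clients = {"instagram": {"secret": "s3cr3t",
                                      "redirect_uri": "https://instagram.example/cb"}}
        self._codes = {}   # code -> dict(client_id, user, scope, redirect_uri, expires)
        self._tokens = {}  # access token -> dict(user, scope, expires)

    def authorize(self, client_id, redirect_uri, scope, user, consented):
        """Front channel: Siva logs in here and approves (or denies) the scope."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not consented:
            raise PermissionError("user denied consent")
        code = secrets.token_urlsafe(32)
        self._codes[code] = dict(client_id=client_id, user=user, scope=scope,
                                 redirect_uri=redirect_uri, expires=time.time() + 60)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client trades the single-use code for an access token."""
        grant = self._codes.pop(code, None)  # pop: a replayed code is rejected
        if grant is None:
            raise PermissionError("invalid or already used code")
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        if time.time() > grant["expires"]:
            raise PermissionError("code expired")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = dict(user=grant["user"], scope=grant["scope"],
                                   expires=time.time() + 3600)
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}

    def introspect(self, token):
        """Lets the resource server learn whose token this is and what it allows."""
        info = self._tokens.get(token)
        if info is None or time.time() > info["expires"]:
            return None
        return info


class ResourceServer:
    """Holds Siva's data; every API call is checked against the token's scope."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.friends = {"siva": ["ravi", "anita"]}  # constructed sample data

    def _require(self, token, scope):
        info = self.auth.introspect(token)
        if info is None:
            raise PermissionError("invalid or expired token")
        if scope not in info["scope"].split():
            raise PermissionError(f"token lacks scope {scope!r}")
        return info["user"]

    def get_friends(self, token):
        return self.friends[self._require(token, "friends:read")]

    def post_status(self, token, text):
        self._require(token, "status:write")  # the friend-list token never has this
        return f"posted {text!r}"


def run_flow():
    """Drive the whole exchange and report what the client ends up able to do."""
    fb = AuthorizationServer()
    api = ResourceServer(fb)
    # 1. Instagram sends Siva to Facebook asking only for friends:read; Siva consents.
    code = fb.authorize("instagram", "https://instagram.example/cb", "friends:read", "siva", True)
    # 2. Instagram exchanges the code for a token using its own client secret.
    tok = fb.token("instagram", "s3cr3t", code, "https://instagram.example/cb")["access_token"]
    # 3. Instagram reads the friend list; trying to post a status is refused.
    friends = api.get_friends(tok)
    try:
        api.post_status(tok, "hello")
        posting_allowed = True
    except PermissionError:
        posting_allowed = False
    # 4. Replaying the same code must fail: codes are single-use.
    try:
        fb.token("instagram", "s3cr3t", code, "https://instagram.example/cb")
        code_reusable = True
    except PermissionError:
        code_reusable = False
    return {"friends": friends, "posting_allowed": posting_allowed, "code_reusable": code_reusable}


if __name__ == "__main__":
    print(run_flow())
```

The two checks that matter most for a defender are in the token endpoint and the resource server: the code is popped so it cannot be replayed, it is bound to the client and redirect URI it was issued for, and the resource server refuses any call outside the granted scope, which is exactly why the client can read the friend list but not post status updates.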

SAML (Security Assertion Markup Language)

It’s an XML-based markup language and also an open security protocol standard that provides both authentication and authorization. SAML defines a principal, which is the end user trying to access a resource. There is a service provider, which is the web server that the principal is trying to access. And there is an identity provider, which is the server that holds the principal’s identities and credentials. The most important feature of this protocol is Web Browser Single Sign-On (SSO). SSO allows users to log in once and never be prompted for a login/password again afterwards.

SAML vs. OAuth: What’s the difference?

OAuth is a somewhat newer standard than SAML, developed jointly by Google and Twitter beginning in 2006. It was developed in part to compensate for SAML’s deficiencies on mobile platforms and is based on JSON rather than XML.

Other than SAML’s less-than-stellar mobile support, what’s the difference between the two? As we’ve seen, the SAML standard defines how providers can offer both authentication and authorization services. OAuth, on the other hand, only deals with authorization. OpenID Connect is an even newer standard, developed in 2014, that provides authentication services, and is layered on top of OAuth.

For more information please visit here

That’s all for this post, Keep Visiting & Reading, Thank you!

Sponsor me for a book 📖



Baby Manisha Sunkara

I am a front-end developer located in AP, India. I have 9+ yrs of professional experience in developing small to large-scale websites and web-applications.