Authentication and Authorization Frameworks: OpenID and SAML

Learn the process through which OpenID and SAML provide authentication and authorization.

Introduction

Picture the following situation. A person who wants to watch a movie buys a ticket for it. The ticket admits whoever holds it, but it carries no information about that holder beyond the movie they're authorized to watch. So anyone can use the ticket, even if they aren't its rightful owner, because there's no way to verify the holder's identity. In this analogy, OAuth 2.0 is the movie ticket: it provides authorization only and needs an additional mechanism to provide sufficient authentication.

To address this limitation, this lesson details the following authentication and authorization frameworks:

  • OpenID Connect (OIDC): It's an authentication layer built on top of OAuth 2.0. It's an open standard that lets users log in to multiple applications or websites with a single set of credentials, removing the need to maintain separate credentials for each site. It allows applications and websites to authenticate a user without having to store that user's credentials themselves.

  • Security Assertion Markup Language (SAML): It's also an open standard and is typically deployed in enterprises. It's both an authentication and authorization standard that allows users to access numerous applications with a single set of credentials. Through SAML, entities in different security domains can securely exchange authentication and authorization information about a user.

Let's begin by expanding on OpenID Connect.

Note: OpenID Connect largely performs the same operations as OpenID, but does so in a more API-friendly manner. Therefore, in our context, we'll focus on OpenID Connect.

OpenID Connect (OIDC)
