To clarify the difference, we first need to define what authentication and authorization are.
Authentication is the process of verifying the identity of a user or device,
while authorization is the process of determining what a user or device is allowed to do, once its identity has been established.
TL;DR:
- OAuth is for allowing access to someone else's resources
- OIDC is for verifying who you are and allowing access to someone else's resources
- SAML is for gaining access to different resources from different places with one login (one "card")
- OAuth (Open Authorization)
OAuth 2.0 is an open standard for providing and implementing authorization. It provides secure delegated access: an application can act on behalf of a user and call endpoints or take actions on servers as that user, without the user having to log in to that application or share their credentials with it. This access is temporary and limited to what the user consented to; a typical example is an app being allowed to read a user's contact list on Facebook.
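To make "delegated, temporary access" concrete, here is an added example (not code from the original post) that simulates the OAuth 2.0 authorization code grant with PKCE entirely in one process: an authorization server that hands out one-time codes and short-lived opaque tokens, a client application, and a resource server that checks scope before returning data. The client id, the `contacts:read` scope and the user data are constructed for the demo.

```python
import base64
import hashlib
import secrets
import time

# Constructed, in-process stand-ins for the three parties in an OAuth 2.0
# authorization code grant with PKCE. No network and no real provider; the
# client id "contacts-importer" and the "contacts:read" scope are made up.

TOKEN_TTL_SECONDS = 3600  # delegated access is deliberately short-lived


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # one-time authorization codes -> pending grant
        self.tokens = {}  # opaque access tokens -> {user, scope, expires}

    def authorize(self, user, client_id, scope, code_challenge):
        # The user signs in and consents *here*; the client never sees the
        # user's password, only the short-lived code handed back to it.
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"user": user, "client_id": client_id,
                            "scope": scope, "challenge": code_challenge}
        return code

    def token(self, code, client_id, code_verifier, now):
        grant = self.codes.pop(code, None)  # single use: a replayed code fails
        if grant is None or grant["client_id"] != client_id:
            return None
        # PKCE: only the party that generated the verifier can redeem the code.
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not secrets.compare_digest(expected, grant["challenge"]):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"],
                              "scope": set(grant["scope"].split()),
                              "expires": now + TOKEN_TTL_SECONDS}
        return token

    def introspect(self, token, now):
        info = self.tokens.get(token)
        if info is None or now >= info["expires"]:
            return None
        return info


class ResourceServer:
    """The API holding the user's data; it trusts tokens only via introspection."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.contacts = {"alice": ["bob", "carol"]}  # constructed user data

    def get_contacts(self, token, now):
        info = self.auth.introspect(token, now)
        if info is None:
            return ("401 invalid_token", None)
        if "contacts:read" not in info["scope"]:
            return ("403 insufficient_scope", None)
        return ("200 OK", self.contacts.get(info["user"], []))


def run_flow(now):
    """Walk the grant once and collect the outcomes a reviewer would check."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    client_id = "contacts-importer"

    verifier = secrets.token_urlsafe(48)
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    code = auth.authorize("alice", client_id, "contacts:read", challenge)
    token = auth.token(code, client_id, verifier, now)

    # A second grant with a different scope, to show the resource server enforcing it.
    narrow_code = auth.authorize("alice", client_id, "profile:read", challenge)
    narrow_token = auth.token(narrow_code, client_id, verifier, now)

    # A third code redeemed without the matching verifier.
    other_code = auth.authorize("alice", client_id, "contacts:read", challenge)

    return {
        "contacts": api.get_contacts(token, now),
        "code_reuse_rejected": auth.token(code, client_id, verifier, now) is None,
        "wrong_verifier_rejected": auth.token(other_code, client_id, "not-the-verifier", now) is None,
        "scope_enforced": api.get_contacts(narrow_token, now),
        "expired_rejected": api.get_contacts(token, now + TOKEN_TTL_SECONDS),
    }


if __name__ == "__main__":
    for name, outcome in run_flow(time.time()).items():
        print(f"{name}: {outcome}")
```

The point to notice is that the user's password only ever goes to the authorization server; the client ends up with a token that is bound to one user, one scope and one expiry, and the resource server refuses anything outside that envelope.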
- OIDC (OpenID Connect)
OpenID Connect is an open standard (built on top of OAuth 2.0) for providing and implementing an authentication process. Most of the big tech companies, such as Google, Microsoft or GitHub, support it. It allows users to choose the third-party OpenID provider they want to use to log in to any website that accepts the standard (which could also be yours). If you have ever used your Google account to log in to Spotify or another platform, you have seen OIDC in action. OpenID Connect is useful for app and website developers who want to authenticate users but are not willing to take on the risk of storing user records themselves for security reasons. You can see it as SSO for consumer applications.
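What the relying party (your website) actually receives from the OpenID provider is an ID token, a signed JWT carrying claims about who just logged in. The example below is added here and is not code from the original post; it shows the checks a relying party must perform before trusting that token: signature with a pinned algorithm, issuer, audience, expiry and nonce. Real providers sign ID tokens with RS256 or ES256 and publish their public keys at the `jwks_uri` from the discovery document; to run without a key library this example uses HS256 with a constructed shared client secret. The issuer, client id and claims are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed example of a relying party validating an OpenID Connect ID token.
# HS256 with a shared secret is used so the block runs on the standard library;
# the claim checks are identical for the RS256/ES256 tokens real providers issue.


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the provider: build a compact JWS (HS256) over the claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


class InvalidIdToken(Exception):
    pass


def validate_id_token(token, secret, issuer, client_id, expected_nonce, now):
    """Return the claims if the token is acceptable for this relying party, else raise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidIdToken("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise InvalidIdToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidIdToken("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise InvalidIdToken("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise InvalidIdToken("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise InvalidIdToken("azp missing or wrong")
    if now >= claims.get("exp", 0):
        raise InvalidIdToken("expired")
    if claims.get("nonce") != expected_nonce:
        raise InvalidIdToken("nonce mismatch")
    return claims


def demo(now):
    """Mint tokens as the provider would and record which ones the relying party accepts."""
    secret = b"constructed-client-secret"
    issuer, client_id, nonce = "https://op.example", "my-client", "n-8f3a"
    base = {"iss": issuer, "sub": "user-123", "aud": client_id,
            "iat": now, "exp": now + 600, "nonce": nonce}
    results = {}
    good = mint_id_token(base, secret)
    results["valid_sub"] = validate_id_token(good, secret, issuer, client_id, nonce, now)["sub"]

    # Body re-encoded with a different subject but the original signature kept.
    header_b64, _, sig_b64 = good.split(".")
    forged_body = _b64url_encode(json.dumps({**base, "sub": "user-999"}).encode())
    # Header claiming "none" with an empty signature.
    none_header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    cases = {
        "other_client": mint_id_token({**base, "aud": "some-other-client"}, secret),
        "expired": mint_id_token({**base, "exp": now - 1}, secret),
        "wrong_nonce": mint_id_token({**base, "nonce": "n-0000"}, secret),
        "wrong_issuer": mint_id_token({**base, "iss": "https://other-op.example"}, secret),
        "tampered": f"{header_b64}.{forged_body}.{sig_b64}",
        "unsigned": f"{none_header}.{_b64url_encode(json.dumps(base).encode())}.",
    }
    for name, token in cases.items():
        try:
            validate_id_token(token, secret, issuer, client_id, nonce, now)
            results[name] = "accepted"
        except InvalidIdToken as exc:
            results[name] = str(exc)
    return results
```

The `aud` check is the one most often skipped: an ID token a user legitimately obtained for some other site is still validly signed by the same provider, and only the audience check stops it from being accepted at yours.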
- SAML (Security Assertion Markup Language)
SAML is an open standard for authentication and authorization and is used mostly in enterprises. It is a framework for single sign-on (SSO), which means that once you have successfully logged in to one application of your organization, you can also access other apps without re-entering your credentials. SAML uses XML to exchange authentication and authorization messages between an identity provider (IdP) and the applications (service providers) in order to verify the user's identity and permissions and decide whether access to an application is granted or denied. It can be seen as SSO for enterprise applications.
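The XML messages SAML exchanges are easier to picture with one in hand. Below is an added example (not from the original post) of a service provider consuming a constructed SAML 2.0 Response: it checks the status, the destination, the assertion's issuer, validity window, audience restriction and subject confirmation (recipient and the request id it answers), then extracts the NameID and attributes. The IdP and SP entity ids, URLs and attribute values are all made up. One caveat: a real SP must verify the XML signature on the response or assertion with an XML-DSig library (for example xmlsec) before any of these checks mean anything; that step is outside the standard library and is assumed to have happened first.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed SAML 2.0 Response from a fictitious IdP to a fictitious SP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-03-01T10:00:00Z" Destination="https://sp.example/acs" InResponseTo="_req42">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-01T10:00:00Z">
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-03-01T10:05:00Z"
            Recipient="https://sp.example/acs" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-03-01T09:59:00Z" NotOnOrAfter="2024-03-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>finance</saml:AttributeValue>
        <saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class InvalidAssertion(Exception):
    pass


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_response(xml_text, idp_entity_id, sp_entity_id, acs_url, request_id, now):
    """Checks an SP performs on an already signature-verified response; returns the identity."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise InvalidAssertion("status not Success")
    if root.get("Destination") != acs_url:
        raise InvalidAssertion("wrong Destination")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise InvalidAssertion("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise InvalidAssertion("unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise InvalidAssertion("missing Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
        raise InvalidAssertion("assertion outside validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise InvalidAssertion("assertion not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        raise InvalidAssertion("subject confirmation does not match our request")
    if now >= _ts(scd.get("NotOnOrAfter")):
        raise InvalidAssertion("subject confirmation expired")
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


def demo():
    """Run the checks against the constructed response under a few conditions."""
    ok_time = datetime(2024, 3, 1, 10, 1, tzinfo=timezone.utc)
    base = dict(idp_entity_id="https://idp.example/metadata", sp_entity_id="https://sp.example/metadata",
                acs_url="https://sp.example/acs", request_id="_req42", now=ok_time)
    ok = consume_response(SAMPLE_RESPONSE, **base)
    results = {"name_id": ok["name_id"], "groups": ok["attributes"]["groups"]}
    cases = {"presented_later": dict(now=datetime(2024, 3, 1, 10, 10, tzinfo=timezone.utc)),
             "other_sp": dict(sp_entity_id="https://other-sp.example/metadata"),
             "unrelated_request": dict(request_id="_req99")}
    for name, override in cases.items():
        try:
            consume_response(SAMPLE_RESPONSE, **{**base, **override})
            results[name] = "accepted"
        except InvalidAssertion as exc:
            results[name] = str(exc)
    return results
```

Each rejected case maps to one of the fields the IdP put into the assertion specifically so the SP can refuse it: the validity window limits how long the assertion is good for, the audience ties it to one SP, and InResponseTo ties it to the login request that SP actually started.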