130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • Introduction
  • Overview of OAuth 2.0, SAML, and OpenID Connect
  • How They Work
  • Comparison Summary
  • How to Select the Right Protocol

Was this helpful?

  1. Application Security

OAuth, SAML, and OpenID Connect: Key Differences and Use Cases

April 2025

Introduction

OAuth 2.0, SAML, and OpenID Connect are protocols designed to ensure secure authentication and authorization in web and mobile applications. While OAuth 2.0 focuses on granting secure access to resources, SAML facilitates Single Sign-On (SSO) in enterprise environments, and OpenID Connect builds on OAuth 2.0 to provide identity authentication alongside authorization.

Overview of OAuth 2.0, SAML, and OpenID Connect

  1. OAuth 2.0:

    • Purpose: Enables apps to securely access user resources without exposing credentials.

    • Focus: Authorization, using tokens to grant limited resource access.

    • Typical Use Case: Social media logins, e.g., "Log in with Google" or "Log in with Facebook."

  2. SAML (Security Assertion Markup Language):

    • Purpose: Provides authentication and SSO for users accessing multiple applications.

    • Focus: Centralized authentication with XML-based data exchanges.

    • Typical Use Case: Corporate tools like Salesforce, where employees log in once to access multiple systems.

  3. OpenID Connect (OIDC):

    • Purpose: Extends OAuth 2.0 to include user authentication and identity verification.

    • Focus: Combines authentication with authorization using lightweight JSON Web Tokens (JWT).

    • Typical Use Case: Modern apps, such as a gaming platform that verifies user identity through third-party accounts.

How They Work

OAuth 2.0:

  • Flow:

    1. User initiates a request (e.g., logging into Spotify using Google).

    2. App redirects to an Authorization Server for permission.

    3. Upon successful authentication, an access token is issued.

    4. The app uses the token to access resources securely.

  • Key Features:

    • Focuses on authorization using tokens (Access/Refresh Tokens).

SAML:

  • Flow:

    1. User attempts to log into a Service Provider (SP).

    2. SP redirects the user to an Identity Provider (IdP).

    3. IdP authenticates the user and sends back a SAML Assertion (XML document).

    4. SP validates the assertion and grants access.

  • Key Features:

    • Enables SSO across multiple enterprise tools.

OpenID Connect (OIDC):

  • Flow:

    1. User logs in via an Identity Provider (e.g., Google).

    2. IdP authenticates the user and issues:

      • ID Token: Verifies the user’s identity.

      • Access Token: For resource authorization.

    3. App uses the tokens to authenticate the user and access resources.

  • Key Features:

    • Lightweight and modern, built on OAuth 2.0.

Comparison Summary

Feature

OAuth 2.0

SAML

OpenID Connect

Purpose

Authorization

Authentication (SSO)

Authentication & Authorization

Focus

Resource access

Single login for enterprise apps

Verify identity and access control

Message Format

JSON, Tokens (JWT)

XML-based

JSON, Tokens (JWT)

Use Cases

Social media logins, API access

Enterprise systems, corporate tools

Modern apps requiring authentication

Real Case Example

Spotify integrating Facebook login

Employees accessing Salesforce via Okta

A gaming platform enabling secure logins with Xbox credentials

How to Select the Right Protocol

  1. Choose OAuth 2.0 if:

    • Your app needs to grant resource access securely without exposing credentials.

    • Focus is on authorization, not authentication.

    • Example: A fitness app accessing user data from Fitbit.

  2. Choose SAML if:

    • You are working in an enterprise setting that requires SSO across internal tools.

    • XML-based systems are standard.

    • Example: Employees logging into Salesforce and Slack through a corporate IdP like Okta.

  3. Choose OpenID Connect if:

    • Your app requires both authentication and authorization.

    • You’re building modern apps with lightweight JSON support.

    • Example: A gaming platform enabling secure logins with Xbox credentials.

PreviousComparison of MVC , N-tier and Microservice ArchitectureNextSecure Coding Principles

Last updated 21 days ago

Was this helpful?