This document compares and contrasts three token-based authentication and authorization protocols: SAML, OAuth access tokens, and OpenID Connect ID tokens. SAML uses XML assertions for identity and authorization. Access tokens in OAuth are opaque bearer strings, while ID tokens in OpenID Connect are JSON Web Tokens (JWTs) containing user information. SAML is for web services and uses WS-Security, while access tokens and ID tokens can be used by web and mobile apps via HTTP. Both SAML and ID tokens can be used to represent user identities, while access tokens and SAML assertions can authorize access to protected resources. Security considerations for each include confidentiality, integrity, and replay attacks.

1. IBM Confidential
Token OAuth/OIDC/JWT/SAML
shiufun@us.ibm.com
STSM, Security, APIc/GW, Cloud Division

2. SAML
2 Source : http://www.ibm.com/developerworks/library/ws-SAMLWAS/

3. OIDC
3 Source : http://openid.net/connect

4. 4
• Delegated
authoriza/on
• Permission : Allow/
Denied
• IETF RFC 6749
• access_token (RFC6750)
• Bearer *
• Vendor specified
• Introspec/on : IETF
RFC 7662
• Authen/ca/on
• Who are you ?
• OpenID.net
• Extend OAuth 2.0 with
user informa/on
• id_token
• JSON Web Token (JWT)
• Signed with JWS
• Encrypted with JWE
• Signed & Encrypted
Protocol : SAML vs OAuth 2.0 vs OpenID
• Federated Iden/ty
• Who are you ?
• Permission : Allow/
Denied
• OASIS/WS-*
• SAML Asser/on
• 1.0, 1.1, 2.0
• XML based
• Signed/Encrypted

5. [Token] SAML vs access_token (Bearer) vs id_token (JWT)
5
• Identity assertion token
• SAML or id_token (JWT)
• e.g. ‘WickedPrinterApp’ requires Alice to authenticate successfully
before presenting its service
• Authorization token
• SAML or access_token (bearer)
• e.g. ‘WickedPrinterApp’ can print Alice’s photo if access_token is valid
SAML :
<saml:Asser2on xmlns:…>
<saml:Issuer>…</saml:Issuer>
<saml:Subject>...</saml:Subject>
<saml:Condi2on>...</saml:Condi2on>
.....
</saml:Asser2on>
access_token :
HTTP Header :
Authoriza2on: Bearer xyzjj….........
Ø Apply introspec2on (RFC 7662)
against the token :
{ "ac2ve":true, "token_type":"bearer",
"client_id":”spoon-applica2on",
"username":”shiufun", "sub":”shiufun",
"exp":1504323675, …}
id_token :
HTTP Header :
Authoriza2on: Bearer xxx.yyy.zzzz
unpacked into
{“alg”:”HS256”}.
{“iss”:”xx”,”sub”:”yy”…}.
zzzz

6. [Token] SAML vs access_token (Bearer) vs id_token (JWT)
SAML access_token id_token
XML based (OASIS) Opaque (RFC 6750)
* Binary vs defined
format
JSON Web Token (RFC 7519)
HTTP(s), Payload HTTP(s), Payload HTTP(s), Payload
WS-Security specification Introspection (RFC 7662) JOSE (JWS/JWE)
Web service/WebApp WebApp/Mobile WebApp/Mobile
* SAML for OAuth –
authenticate resource owner
or application
* JWT for OAuth –
authentication resource owner
or client
6

7. SAML
• Specifica2on is well established
• Confiden2ality/Integrity
• How to protect it during transit
• Replay ?
• Condi2on ?
• Authen2ca2on/Abribute/Authoriza2on Statement
hbps://www.oasis-open.org/commibees/download.php/8733/sstc-saml-sec-consider-2.0-drad-05-diff.pdf
7

8. OAuth 2.0/OIDC
• Redirect_uri
• Client/applica2on
• How secure is its creden2al
• How to securely store the permission
• *well-behaved*
• Applica2on authen2city
• Session management of the end user
• How to authen2cate the user
• Web applica2on, API applica2on
• follow the best prac2ce to prevent CSRF, XSS, Session
8
https://tools.ietf.org/html/rfc6819

9. Transit/local storage
• TLS/SSL
• Who is token being kept securely once it is issued
• Token/Session management
• Ttl == infinity, what could go wrong (?)
9