This post lists the web-based Identity and Access Management (IAM) protocols.
OpenID lets a user sign in to one site with an account held at another service (the identity provider), instead of creating a separate credential for every site.
List of Web-based IAM Protocols
Web-based
- SAML
- OAuth
- OpenID Connect (OIDC)
Several of these protocols are used in combination to achieve Single Sign-On (SSO) or identity federation between organizations.
SAML
Security Assertion Markup Language (SAML) is both an authentication protocol and the XML-based format of the assertions it exchanges; an identity provider issues a signed assertion about the user and the service provider consumes it. The version in current use is SAML 2.0, and its browser-facing bindings run over HTTP or HTTPS (redirect and POST bindings).
You can read this post about SAML.
OAuth
OAuth is used for authorization, not authentication.
It lets a client application access a user's resources held by another service (the resource server) on the user's behalf, presenting an access token instead of the user's credentials. It also covers machine-to-machine access between services (the client credentials grant in OAuth 2.0), where no end user is involved.
OAuth versions:
- 1.0
- 2.0
Tokens used in OAuth 2.0:
- Access token: presented to the resource server; short-lived
- Refresh token: presented to the authorization server to obtain a new access token; longer-lived, so it must be stored securely
Proof Key for Code Exchange (PKCE) is an extension of the OAuth 2.0 authorization code flow that binds the authorization code to the client instance that requested it, with the aim of preventing authorization code interception and authorization code injection; because the client only redeems a code together with a verifier it generated itself, it also limits CSRF against the redirect URI. It was designed for public clients (native and mobile apps that cannot keep a client secret) and is standardized as RFC 7636.
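The PKCE exchange described above, worked through end to end as an added example (this is not code from the original post or from any particular OAuth library). The endpoint, client ID and redirect URI are made-up values, and the `AuthorizationServer` class is a deliberately minimal stand-in for the real authorization and token endpoints; it exists only to show what the server must store and check. The S256 challenge computation follows RFC 7636 exactly and can be checked against the RFC's Appendix B test vector.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Hypothetical authorization server and client registration (assumptions for this example).
AUTHZ_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "example-native-app"
REDIRECT_URI = "com.example.app:/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier; 32 random bytes encode to 43 chars (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str) -> str:
    """Client side: send the challenge (never the verifier) with the authorization request."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """Minimal stand-in for the authorization server's authorization and token endpoints."""

    def __init__(self) -> None:
        self._codes = {}  # code -> (code_challenge, method, redirect_uri)

    def issue_code(self, code_challenge: str, method: str, redirect_uri: str) -> str:
        """Authorization endpoint: remember the challenge alongside the code it issues."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, method, redirect_uri)
        return code

    def exchange_code(self, code: str, verifier: str, redirect_uri: str):
        """Token endpoint: the code is single-use and only the holder of the verifier can redeem it."""
        entry = self._codes.pop(code, None)  # pop: a replayed or already-tried code is dead
        if entry is None:
            return None
        stored_challenge, method, stored_redirect = entry
        if method != "S256" or redirect_uri != stored_redirect:
            return None
        if not secrets.compare_digest(make_code_challenge(verifier), stored_challenge):
            return None  # attacker holds the intercepted code but not the verifier: refused
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url(verifier, state))
    server = AuthorizationServer()
    code = server.issue_code(make_code_challenge(verifier), "S256", REDIRECT_URI)
    # An intercepted code without the verifier is useless...
    assert server.exchange_code(code, "guessed-verifier", REDIRECT_URI) is None
    # ...and the failed attempt has already burned it, so the legitimate client must restart.
    assert server.exchange_code(code, verifier, REDIRECT_URI) is None
    code = server.issue_code(make_code_challenge(verifier), "S256", REDIRECT_URI)
    print(server.exchange_code(code, verifier, REDIRECT_URI))
```

Two design points worth noting: the verifier never leaves the client until the token request, which is what makes an intercepted code worthless, and a code that has been tried once is discarded even if the attempt failed, so an attacker racing the legitimate client cannot get a second chance.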
OpenID Connect (OIDC)
OpenID Connect (OIDC) is used for user authentication.
OIDC is a RESTful, JSON-based identity layer on top of OAuth 2.0: the OAuth flows carry the authorization, and OIDC adds identity verification (who the user is, and how and when they authenticated) plus basic profile information through the UserInfo endpoint.
OpenID Connect performs many of the same tasks as the older OpenID 2.0, but in a way that is API-friendly and usable by native and mobile applications.
It is maintained by the OpenID Foundation.
It runs over HTTPS (HTTP with TLS is required for its endpoints) and is built over OAuth 2.0.
It issues an ID token alongside the OAuth 2.0 access token. The ID token is a signed JWT whose claims (iss, sub, aud, exp, nonce, ...) the client must validate before trusting the login; the access token is what the client presents to the UserInfo endpoint and other APIs.
External References
- M. Chapple et al., “CISSP Study Guide”, Ninth Edition, pp. 690-695, Wiley, 2021