Adopting web applications to work with authentication with OpenID Connect

Web-based collaboration tools and other applications often require the user to authenticate in order to access and produce content.

Both SAML and OpenID Connect are standards that allow an application to delegate the authentication of the end user to a third party (an identity provider).

Authentication with SAML 2.0

SAML 2.0 is a complex protocol and very few applications have built-in support for it. SAML 2.0 Service Provider (SP) software is typically implemented as a separate standalone component that runs on the same host as the application.

Applications typically support SAML through an authentication plugin that is configured to make use of a specific SAML 2.0 SP software running on the same host. The plugin communicates with that software through cookies, APIs or a shared storage.

The SimpleSAMLphp authentication plugins for WordPress are an example of such a setup.

Authentication with OAuth 2.0

OAuth 2.0 is, in comparison, a very simple protocol with minimal need to store state on the client side. As a consequence OAuth 2.0 support is often built directly into the authentication plugin instead of relying on standalone software.

OAuth 2.0 is widely used for authentication against SaaS providers. The simplicity for clients, together with the flexibility of using the same OAuth tokens against the providers' APIs, is probably part of the reason for its widespread use.

OAuth 2.0 is an authorization protocol and has not standardized how to tell the client who the user is. SaaS providers have solved this by adding a custom userinfo endpoint that can be accessed with the OAuth access token and returns a JSON object with data about the authenticated user. The details of how to call the userinfo endpoint, as well as the syntax and semantics of its content, differ between providers. This also has a security consequence: an access token says what its bearer may do, not for which client it was issued, so a plugin that treats "the token can call userinfo" as proof of login can be fooled by an access token that a malicious client obtained for the same user elsewhere. Nothing in plain OAuth 2.0 binds the token to the application that consumes it.

Authentication plugins for applications are therefore typically written one per SaaS provider. All these plugins are more or less the same, with some variation in how the userinfo endpoint is used, and in addition they have the provider's endpoints hardcoded.

Authentication with OpenID Connect

OpenID Connect is an identity layer on top of OAuth 2.0 that standardizes the missing parts, such as the userinfo endpoint and a signed ID token stating who the user is and which client the token was issued to, so that the protocol can be used for authentication by applications.

OpenID Connect relies on the same kind of modern and simple technical elements as OAuth 2.0, such as tokens, JSON and simple HTTP APIs, in contrast to the XML and XML signatures of SAML. But unlike OAuth 2.0, OpenID Connect has evolved into a fairly extensive standard.

One can expect applications to interact with OpenID Connect both through standalone software components and with OpenID Connect embedded in the authentication plugin through the use of libraries.

Applications that want to use more of OpenID Connect than the most basic profile, for example discovery, may need a more complex setup. More advanced features of OpenID Connect may require persistent storage (for instance to cache discovery documents and signing keys, or to keep track of sessions), something the OpenID Connect library probably does not implement itself; instead it lets the application developer write an adaptation layer that reuses the application's existing persistent storage.
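The following is an added example, not code from the page or from any of the plugins mentioned above, of the part an embedded OpenID Connect client must get right that a plain OAuth 2.0 login plugin cannot: validating the ID token before trusting its "sub" claim. It uses only the Python standard library so it runs offline. The issuer "https://idp.example", its discovery document, the client_id "collab-app" and the client_secret are all constructed for the example; the token is signed with HS256 (OpenID Connect Core allows the client_secret as the HMAC key), which avoids needing an RSA library, while the checks themselves (algorithm pinning, signature, iss, aud/azp, exp, nonce) are the same ones a RS256 deployment performs against the keys from jwks_uri.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed discovery document of a hypothetical issuer, i.e. what an OpenID Provider
# serves at <issuer>/.well-known/openid-configuration. A real client fetches it over TLS
# and caches it; it is embedded here so the example runs offline.
DISCOVERY = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
    "userinfo_endpoint": "https://idp.example/userinfo",
    "jwks_uri": "https://idp.example/jwks",
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
}

# Hypothetical registration of our application (the Relying Party) at the issuer.
CLIENT_ID = "collab-app"
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"  # HS256 key per OIDC Core 10.1


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Issuer side: build an HS256-signed JWT. Used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class IdTokenError(Exception):
    pass


def validate_id_token(token, *, issuer, client_id, client_secret, expected_nonce, now=None):
    """Relying-party side: the checks OIDC Core 3.1.3.7 requires before trusting 'sub'."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm we registered for; never let the token choose (the "alg: none" attack).
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected_sig = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise IdTokenError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    # The audience check is what plain OAuth 2.0 lacked: a token minted for another
    # client must not log a user in here.
    if client_id not in aud:
        raise IdTokenError("token not issued to this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise IdTokenError("expired")
    # nonce ties the token to the login attempt this browser session started.
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (replay)")
    if not claims.get("sub"):
        raise IdTokenError("missing sub")
    return claims


def run_checks(now: int = 1_700_000_000) -> dict:
    """Constructed scenarios a login plugin must handle; returns the outcome per case."""
    base = {"iss": DISCOVERY["issuer"], "sub": "user-42", "aud": CLIENT_ID,
            "iat": now, "exp": now + 300, "nonce": "nonce-abc"}
    cases = {
        "valid": mint_id_token(base, CLIENT_SECRET),
        "for_other_client": mint_id_token({**base, "aud": "some-other-app"}, CLIENT_SECRET),
        "expired": mint_id_token({**base, "exp": now - 1}, CLIENT_SECRET),
        "wrong_issuer": mint_id_token({**base, "iss": "https://evil.example"}, CLIENT_SECRET),
        "replayed_nonce": mint_id_token({**base, "nonce": "nonce-old"}, CLIENT_SECRET),
        "forged_key": mint_id_token(base, b"attacker-guess"),
        # Unsigned token claiming alg "none": the claims look right, the signature is empty.
        "alg_none": b64url_encode(json.dumps({"alg": "none"}).encode()) + "."
                    + b64url_encode(json.dumps(base).encode()) + ".",
    }
    results = {}
    for name, tok in cases.items():
        try:
            claims = validate_id_token(tok, issuer=DISCOVERY["issuer"], client_id=CLIENT_ID,
                                       client_secret=CLIENT_SECRET, expected_nonce="nonce-abc", now=now)
            results[name] = "accepted sub=" + claims["sub"]
        except IdTokenError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:18} {outcome}")
```

Only the "valid" case is accepted; every other token, including the one correctly signed by the issuer but issued to a different client, is rejected. The "for_other_client" case is exactly the situation a userinfo-only OAuth 2.0 plugin cannot detect, because an opaque access token carries no audience the plugin can check. In a real deployment the library would fetch DISCOVERY and the JWKS from the network and persist them, which is the adaptation layer mentioned above.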