Tags: security, authentication, oauth, single-sign-on, saml

OAuth and SSO capability


I have been reading about OAuth, and found that it roughly performs the following

- client sends request token during redirect to server
- Server displays authorization screen to resource owner
- Resource owner provides uid and pw (not passed to client)
- Server sends access token back to client
- client then uses the access token to gain access to a resource

Based on my reading it does not appear that OAuth enables SSO or Federation, but some blogs imply it does perform SSO.

Is this correct or incorrect? Can it perform SSO without the help of other protocols?

Thanks


Solution

  • Yes, it supports SSO with this flow.

    We have 2 applications A and B.

    • The user wants to access application A
    • He is redirected to the identity provider (IdP)
    • He logs in with his credentials.
    • The IdP issues an OAuth token and a cookie
    • The client now adds the OAuth token to the request for app A and is authorized.
    • When the client wants to access application B he is again redirected to the IdP
    • In this call to the IdP, the cookie that the IdP had returned in the flow with app A is added.
    • Because of this the IdP immediately returns a token for app B; the client does not have to log in again.
    • The client can now access app B with the newly created token.

    Hope this example flow makes it more clear.
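To make the question's step list and the answer's two-application flow concrete, here is an added example that is not part of the original question or answer. It is a self-contained, in-memory model of an authorization server acting as the IdP for two registered clients, app-a and app-b. The client identifiers, redirect URIs, the demo user "alice" with her password, and the HMAC signing key are all made-up assumptions for the demonstration; nothing here is a real library's API. The point it shows is where the "single sign-on" actually lives: the IdP's own browser session cookie lets the second /authorize call succeed with no password prompt, while each access token is bound to one client (its audience) and is useless at the other app.

```python
# Added example (not from the original post): minimal OAuth-style IdP serving two apps.
# Assumptions (all invented for the demo): client ids/redirect URIs, the user store,
# and the HMAC key, which in reality would be held only by the authorization server.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

IDP_SIGNING_KEY = b"idp-demo-signing-key"      # assumption: secret known only to the IdP
USERS = {"alice": "correct horse"}             # constructed demo credential store
CLIENTS = {                                    # registered clients -> allowed redirect URI
    "app-a": "https://a.example/cb",
    "app-b": "https://b.example/cb",
}


def _sign(payload: dict) -> str:
    """Produce a compact HMAC-protected token: base64url(json) + '.' + hex MAC."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).rstrip(b"=")
    mac = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{mac}"


def verify_token(token: str, audience: str) -> Optional[dict]:
    """Resource-server side: check the MAC, the audience and the expiry; None on any failure."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload.get("aud") != audience or payload.get("exp", 0) < time.time():
        return None
    return payload


class IdP:
    """Authorization server: browser sessions (cookie -> user) plus one-time auth codes."""

    def __init__(self):
        self.sessions = {}   # cookie value -> username
        self.codes = {}      # authorization code -> (username, client_id)
        self.logins = 0      # how many times the password prompt was actually shown

    def authorize(self, client_id, redirect_uri, cookie=None, credentials=None):
        """GET /authorize. Returns (redirect back to the client with a code, IdP cookie).
        Fails if the client/redirect pair is unregistered or there is neither a valid
        session cookie nor valid credentials. Credentials never reach the client."""
        if CLIENTS.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        user = self.sessions.get(cookie)
        if user is None:
            # No IdP session yet: this is the login screen.
            self.logins += 1
            if credentials is None or USERS.get(credentials[0]) != credentials[1]:
                raise PermissionError("login required")
            user = credentials[0]
            cookie = secrets.token_urlsafe(16)
            self.sessions[cookie] = user      # the SSO state lives here, not in the token
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id)
        return f"{redirect_uri}?code={code}", cookie

    def token(self, client_id, code):
        """POST /token: swap a one-time code for an access token bound to that client."""
        user, issued_for = self.codes.pop(code, (None, None))
        if user is None or issued_for != client_id:
            raise PermissionError("invalid or replayed code")
        return _sign({"sub": user, "aud": client_id, "exp": int(time.time()) + 300})


def sso_flow():
    """Walk one browser through app A and then app B; report what each app could verify."""
    idp = IdP()
    # App A: no IdP session exists, so the IdP prompts for credentials.
    redirect, cookie = idp.authorize("app-a", CLIENTS["app-a"], credentials=("alice", "correct horse"))
    token_a = idp.token("app-a", redirect.split("code=")[1])
    # App B: the browser replays the IdP cookie, so no login screen appears.
    redirect, cookie = idp.authorize("app-b", CLIENTS["app-b"], cookie=cookie)
    token_b = idp.token("app-b", redirect.split("code=")[1])
    return {
        "logins": idp.logins,                                        # expected: 1
        "a_accepts_a": verify_token(token_a, "app-a") is not None,
        "b_accepts_b": verify_token(token_b, "app-b") is not None,
        "b_accepts_a": verify_token(token_a, "app-b") is not None,   # A's token must not open B
    }


if __name__ == "__main__":
    print(sso_flow())
```

Two things worth noticing when reading the result: the password prompt fires exactly once even though two authorizations and two tokens are issued, and the token minted for app-a is rejected by app-b because of the audience check. The first is the SSO behaviour the answer describes, and it comes from the IdP's session cookie; the second is the check a resource server must do so that one app cannot reuse another app's token, which is the kind of gap an OAuth deployment without an identity layer such as OpenID Connect tends to leave open.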