This blog post continues the SAML2 vs JWT series. In the last post, we
discussed JSON Web Tokens. Now, we are going to move on to OAuth2
and OpenID Connect, which provide some structure and protocol
around the use of JWT. These protocols are used, along with JWT, to
build the JWT use cases this series covers. We will start with OAuth2.
We got a glimpse of OAuth2 calls in the Apigee and Azure Active
Directory Integration — A JWT Story post. There we saw examples of
the Authorization Code Grant and the Resource Owner Password
Credentials Grant in practice. This post will look at those grants and the
others in more detail.
https://medium.com/@robert.broeckelmann/saml2-vs-jwt-understanding-oauth2-4abde9e7ec8b 1/21
2/13/2019 SAML2 vs JWT: Understanding OAuth2 – Robert Broeckelmann – Medium
actor is). This is specifically geared towards allowing a resource owner
(user, most likely) to grant third-party applications and websites access
to resources (which could be just about anything). Think of use cases
such as a mobile app that can post pictures to Facebook, where you
authorize the app's access to Facebook once and, from that point onward,
you can simply post pictures from the app to Facebook. As an
authorization protocol, the details of how authentication works are
largely undefined; in fact, in some cases the details of how the
credentials are passed from the Client or User to the Identity Provider
aren't specifically defined (that leaves a lot of room for things to get a
little weird or, at least, custom). The OAuth2 spec defines four actors:
Resource Owner (User, most likely), Client, Authorization Server, and
Resource Server (API, website, etc). Obviously the User, Client and the
Resource Server must all trust the Authorization Server, since it is the
party that authenticates the user and issues the tokens the Resource
Server will accept.
Resource Server: contains the Resource that the Client wants to access
(again, an API, web server, etc).
GET /oauth2/authorize?
response_type=code&
client_id=s6BhdRkqt3&
state=xyz&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
HTTP/1.1
Host: idp.example.com
The Client will then present the authorization code to the token
endpoint in the following call (once more, an example from the spec).
The response from the token endpoint will look something like this
(example from the spec):
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"Jkdkdkld984dpslcmvjuf...",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
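To make the Authorization Code Grant concrete, here is an added example that plays both sides of the exchange in one Python process. It is not code from the original post or from any product it mentions: the in-memory AuthorizationServer and Client classes are hypothetical, the client id s6BhdRkqt3 and the redirect_uri are taken from the spec's example above, and the client secret, the idp.example.com host and the user alice are constructed for the example. Tokens are opaque random strings, which the spec permits.

```python
"""Authorization Code Grant (RFC 6749 section 4.1): client and server in one process.
Added illustration; the in-memory AuthorizationServer and Client are hypothetical."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def _flat(query):
    return {k: v[0] for k, v in parse_qs(query).items()}  # OAuth2 params are not repeated


class AuthorizationServer:
    """Hypothetical in-memory AS; tokens are opaque strings (the spec needs no JWT)."""
    CODE_TTL = 60  # seconds; the spec recommends a code lifetime of at most 10 minutes

    def __init__(self):
        self.clients = {"s6BhdRkqt3": {  # constructed registration data
            "secret": "constructed-client-secret",
            "redirect_uris": {"https://client.example.com/cb"}}}
        self.codes = {}  # code -> grant details, removed on first redemption

    def authorize(self, query, authenticated_user):
        q = _flat(query)  # authorization endpoint, reached after the user logged in
        client = self.clients.get(q.get("client_id"))
        # Exact match against the registered redirect_uri, or a crafted link could steer the code elsewhere.
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("invalid_request: unknown client or redirect_uri")
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "user": authenticated_user,
                            "redirect_uri": q["redirect_uri"],
                            "expires": time.time() + self.CODE_TTL}
        params = {"code": code}
        if "state" in q:
            params["state"] = q["state"]  # echoed back verbatim
        return q["redirect_uri"] + "?" + urlencode(params)

    def token(self, form, client_id, client_secret):
        """Token endpoint: authenticate the client, then redeem the code once."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        grant = self.codes.pop(form.get("code"), None)  # pop: a code is single use
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != form.get("redirect_uri")
                or grant["expires"] < time.time()):
            return 400, {"error": "invalid_grant"}
        # Same shape as the token response quoted from the spec above.
        return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                     "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32)}


class Client:
    """Hypothetical confidential client (a server-side web application)."""
    CLIENT_ID, SECRET = "s6BhdRkqt3", "constructed-client-secret"
    REDIRECT_URI = "https://client.example.com/cb"
    pending_state = None  # kept per browser session in a real application

    def build_authorize_url(self, authz_endpoint):
        # state: unguessable, tied to this session, checked on the way back.
        self.pending_state = secrets.token_urlsafe(16)
        return authz_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.CLIENT_ID,
            "state": self.pending_state, "redirect_uri": self.REDIRECT_URI})

    def handle_callback(self, redirect_url, server):
        q = _flat(urlparse(redirect_url).query)
        if not self.pending_state or not secrets.compare_digest(
                q.get("state", ""), self.pending_state):
            raise ValueError("state mismatch: CSRF or replayed callback")
        self.pending_state = None
        status, body = server.token(
            {"grant_type": "authorization_code", "code": q.get("code", ""),
             "redirect_uri": self.REDIRECT_URI}, self.CLIENT_ID, self.SECRET)
        if status != 200:
            raise ValueError("token endpoint error: " + body["error"])
        return body


def run_flow():
    """One full exchange plus a forged callback; returns a summary dict."""
    server, client = AuthorizationServer(), Client()
    url = client.build_authorize_url("https://idp.example.com/oauth2/authorize")
    callback = server.authorize(urlparse(url).query, authenticated_user="alice")
    tokens = client.handle_callback(callback, server)
    # A callback whose state was never issued to this session must be rejected.
    client.build_authorize_url("https://idp.example.com/oauth2/authorize")
    forged = Client.REDIRECT_URI + "?" + urlencode({"code": "x", "state": "attacker"})
    csrf_rejected = False
    try:
        client.handle_callback(forged, server)
    except ValueError:
        csrf_rejected = True
    return {"tokens": tokens, "replay_status": None, "csrf_rejected": csrf_rejected}
```

The three checks an implementer should not skip are all visible here: the redirect_uri is compared exactly against the registered value before a code is issued, the code is popped from the store on its first redemption so a leaked code cannot be redeemed twice, and the client refuses any callback whose state does not match the one it generated, which is what binds the callback to the browser session that started the flow.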
Implicit Grant (Section 4.2 of the Spec): This grant is very similar to
the Authorization Code Grant except that, instead of an Authorization
Code being returned to the Client, the access token is returned directly
to the Client following the end-user authentication (and authorization
to the Resource). This grant exists for scenarios where the Client
cannot keep its credentials secret, such as a SPA web application or a
mobile app. There is an overlap in the supported scenarios between
this grant and the Authorization Code Grant; we will look more at
that below. This is also an interactive login. Note that the OAuth 2.0
Security Best Current Practice (published after this post as RFC 9700)
recommends against the Implicit Grant for new deployments and steers
public clients to the Authorization Code Grant with PKCE (RFC 7636)
instead, because a token delivered in a URI fragment can leak through
browser history, referrer headers and any script running on the page.
In steps (D) through (F) things get a bit funky to obtain a web page that
contains a script (probably JavaScript) that can be used to parse the
access token out of the URI fragment. In all likelihood, this script will
already be loaded in the user agent that is running the SPA application
or running on behalf of the mobile application. Refresh tokens are not
used with this Grant. We have this diagram adapted from the OAuth2 spec:
The call the Client makes to the authorization endpoint will look
something like (example from the spec):
GET /oauth2/authorize?
response_type=token&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
HTTP/1.1
Host: idp.example.com
This will initially result in a redirect to some type of login workflow, just
like with the Authorization Code Grant. Upon successful completion of
this authentication step, the response will look something like this
(example from the spec):
You'll notice that the access_token and other details are passed to the
Client in the URI fragment of an HTTP redirect, not in a response
message body or in query parameters. Browsers do not send the fragment
to the server named in the redirect_uri, so only script running in the
user agent ever sees the token; the flip side is that the token also ends
up in the browser history and is readable by any script on that page.
The following sequence diagram describes the Implicit Grant steps that
were described above.
The response will look more-or-less like the response from the Token
Endpoint shown in the Authorization Code Grant Section above.
Client Credentials Grant (Section 4.4 of the Spec): This Grant does
not authenticate an end-user; it just authenticates the Client. Like the
Resource Owner Password Credentials Grant, it is not an interactive
login. It can only be used by a confidential Client, because the client
credentials (a client secret, or a stronger credential such as a client
certificate or a signed JWT assertion) are the whole basis of the grant.
This is what is known as two-legged OAuth. If validation of the client
credentials is successful, then an access token is returned that
represents the Client. This is a simple, yet effective, way of managing
the authentication step when the
The request for a client credentials grant call to the token endpoint will
look like (example from the spec):
The response will also look like the response from the Authorization
Code Grant above, but in this case the access_token describes the Client
(an application) rather than the end user, and per Section 4.4.3 of the
spec it should not include a refresh token, since the Client can simply
authenticate again when the access token expires.
Refresh Tokens (Section 1.5 of the spec): The OAuth2 Core spec also
describes how to obtain a new access token, as part of the same
authenticated session with the IdP, using the refresh token when the
original access token has expired (for Authorization Grants that support
refresh tokens). The refresh token is posted to the token endpoint with
grant_type=refresh_token, together with the Client's own credentials if
it is a confidential Client, to obtain the new access token (Section 6 of
the spec). Because a refresh token is long-lived and is itself a bearer
credential, it has to be stored at least as carefully as the client secret.
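The Client Credentials Grant and the refresh token call both go to the same token endpoint and differ only in grant_type, so one handler serves as an added example for both sections above. This is illustrative code, not the post's or any vendor's: the TokenEndpoint class, its client registry (a client named api-gateway with a constructed secret), the in-memory token stores and the refresh-token "family" bookkeeping are all hypothetical. The client authenticates with HTTP Basic as Section 2.3.1 of the spec describes, a client_credentials token names the application rather than a user and carries no refresh token, and a refresh token is rotated on every use so that a replay of an old one reveals a leak and shuts down the whole chain.

```python
"""Token endpoint for the Client Credentials and Refresh Token grants (RFC 6749 4.4 and 6).
Added illustration; TokenEndpoint, its client registry and the token stores are hypothetical."""
import base64
import secrets
import time
from urllib.parse import parse_qs


def parse_basic_auth(header):
    """RFC 6749 2.3.1: 'Basic base64(client_id:client_secret)'; None if unusable."""
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


class TokenEndpoint:
    ACCESS_TTL = 3600

    def __init__(self):
        self.clients = {"api-gateway": "constructed-secret"}  # constructed registry
        self.access = {}   # access_token -> claims an introspection endpoint would return
        self.refresh = {}  # refresh_token -> {"sub", "client_id", "scope", "family", "used"}
        self.revoked_families = set()

    def handle(self, auth_header, body):
        """POST /token with a form-encoded body; returns (status, json_dict)."""
        creds = parse_basic_auth(auth_header or "")
        if creds is None:
            return 401, {"error": "invalid_client"}
        client_id, secret = creds
        expected = self.clients.get(client_id)
        # Unknown clients are compared against a dummy so timing does not reveal valid ids.
        ok = secrets.compare_digest((expected or "x" * 16).encode(), secret.encode())
        if expected is None or not ok:
            return 401, {"error": "invalid_client"}
        form = {k: v[0] for k, v in parse_qs(body).items()}
        grant = form.get("grant_type")
        if grant == "client_credentials":
            return self._client_credentials(client_id, form.get("scope", ""))
        if grant == "refresh_token":
            return self._refresh(client_id, form.get("refresh_token", ""))
        return 400, {"error": "unsupported_grant_type"}

    def _issue_access(self, sub, client_id, scope):
        tok = secrets.token_urlsafe(32)
        self.access[tok] = {"sub": sub, "client_id": client_id, "scope": scope,
                            "exp": time.time() + self.ACCESS_TTL}
        return tok

    def _client_credentials(self, client_id, scope):
        # Two-legged OAuth: no end user, so the subject is the client itself and,
        # per RFC 6749 section 4.4.3, no refresh token is issued.
        tok = self._issue_access(client_id, client_id, scope)
        return 200, {"access_token": tok, "token_type": "bearer", "expires_in": self.ACCESS_TTL}

    def grant_refresh_token(self, sub, client_id, scope):
        # Stands in for the interactive grant that first issued a refresh token for sub.
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {"sub": sub, "client_id": client_id, "scope": scope,
                            "family": secrets.token_hex(8), "used": False}
        return rt

    def _refresh(self, client_id, rt):
        entry = self.refresh.get(rt)
        if entry is None or entry["client_id"] != client_id:
            return 400, {"error": "invalid_grant"}
        if entry["used"] or entry["family"] in self.revoked_families:
            # A rotated token presented again means it leaked: revoke the whole family.
            self.revoked_families.add(entry["family"])
            return 400, {"error": "invalid_grant"}
        entry["used"] = True
        new_rt = secrets.token_urlsafe(32)
        self.refresh[new_rt] = dict(entry, used=False)  # rotation: new value, same family
        tok = self._issue_access(entry["sub"], client_id, entry["scope"])
        return 200, {"access_token": tok, "token_type": "bearer",
                     "expires_in": self.ACCESS_TTL, "refresh_token": new_rt}


def demo():
    ep = TokenEndpoint()
    auth = "Basic " + base64.b64encode(b"api-gateway:constructed-secret").decode()
    cc_status, cc = ep.handle(auth, "grant_type=client_credentials&scope=read")
    rt = ep.grant_refresh_token("alice", "api-gateway", "read")  # issued earlier to alice
    rf_status, rf = ep.handle(auth, "grant_type=refresh_token&refresh_token=" + rt)
    reuse_status, _ = ep.handle(auth, "grant_type=refresh_token&refresh_token=" + rt)
    rotated_status, _ = ep.handle(auth, "grant_type=refresh_token&refresh_token="
                                  + rf["refresh_token"])  # family revoked by the reuse
    return {"cc_status": cc_status, "cc_has_refresh": "refresh_token" in cc,
            "cc_sub": ep.access[cc["access_token"]]["sub"],
            "rf_status": rf_status, "rf_sub": ep.access[rf["access_token"]]["sub"],
            "reuse_status": reuse_status, "rotated_status": rotated_status}
```

Running demo() shows the distinction the text draws: the client_credentials token has the application as its subject and no refresh token, while the refreshed token still names alice. The rotation-and-family logic is the refresh token protection the OAuth 2.0 Security BCP recommends for public clients; for a confidential Client the client authentication on the refresh call is the first line of defence and rotation is the second.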
If you will recall from our earlier post, API Management and Perimeter
Security for COTS Applications, we had the system shown in the next
diagram: an out-of-the-box mobile application and backend API with a
custom perimeter security layer added to meet the needs of a large
enterprise organization.
If we add a little bit of technical detail to this same picture, we get the
following diagram. Notice that the API Gateway box makes a WS-Trust call
to the Active Directory Federation Server box. The resulting SAML2
Bearer Token (with the audience set to the Azure AD value) is then
placed into an OAuth2 call to the Azure Active Directory endpoint that
looks more-or-less the same as the example call given above. Note that
Azure AD trusts the ADFS server in this scenario; without that trust
relationship the assertion would be rejected.
• how one party can act on behalf of another party or enabling one
party to delegate authority to another party
The request to the token endpoint would look similar to (example from
the spec):
&subject_token=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJhdWQiOiJ…
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt
&actor_token=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJhdWQiOiJodHRw
&actor_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt
For comparison, this is what the OAuth2 On-Behalf-Of call for Azure
Active Directory looks like:
POST https://login.microsoftonline.com/common/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: login.microsoftonline.com
Content-Length: 1000

resource=https%3A%2F%2Fgraph.windows.net&
client_id=blahblah1234&
client_secret=blahblahblahsecret1234&
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&
assertion=AbEf[…Omitted for brevity…]KdP3&
requested_token_use=on_behalf_of&
scope=openid
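To show what the subject_token / actor_token pair in the Token Exchange request above actually produces, here is an added example of a token endpoint that implements that grant type in the delegation form RFC 8693 describes: the issued token keeps the user as its sub and records the service acting for the user in an act claim, nesting earlier actors when a delegated token is exchanged again. This is not the post's code and it is not how Azure AD implements On-Behalf-Of; the HS256 helpers, the single shared KEY, the TRUSTED_ACTORS registry, the idp.example.com issuer and the service and user names are all hypothetical and constructed for the example.

```python
"""Token exchange (RFC 8693): delegation recorded in the "act" claim of the issued token.
Added illustration, not the post's or Azure AD's code; the HS256 helpers, the single
shared KEY and the TRUSTED_ACTORS registry are hypothetical."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

KEY = b"constructed-demo-key-do-not-reuse"  # demo only: one HMAC key for every party
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TYPE = "urn:ietf:params:oauth:token-type:access_token"
EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TRUSTED_ACTORS = {"api-gateway", "orders-service"}  # services allowed to act for a user


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims):
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"


def verify_jwt(token):
    """Returns the claims or raises ValueError (bad format, alg, signature or expiry)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_unb64(head)).get("alg") != "HS256":  # never accept alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def token_exchange(form_body):
    """Token endpoint for grant_type=...:token-exchange; returns (status, json_dict).
    The actor sends the user's token as subject_token and its own as actor_token."""
    f = {k: v[0] for k, v in parse_qs(form_body).items()}
    if f.get("grant_type") != EXCHANGE:
        return 400, {"error": "unsupported_grant_type"}
    if f.get("subject_token_type") != JWT_TYPE or f.get("actor_token_type") != JWT_TYPE:
        return 400, {"error": "invalid_request", "error_description": "unsupported token type"}
    try:
        subject = verify_jwt(f["subject_token"])
        actor = verify_jwt(f["actor_token"])
    except (KeyError, ValueError) as e:
        return 400, {"error": "invalid_grant", "error_description": str(e)}
    # Only registered services may act for someone else, so a stolen user token on
    # its own cannot be exchanged: the thief has no actor token to present with it.
    if actor.get("sub") not in TRUSTED_ACTORS:
        return 403, {"error": "unauthorized_client"}
    act = {"sub": actor["sub"]}
    if "act" in subject:  # subject token was itself delegated: nest the earlier chain
        act["act"] = subject["act"]
    now = int(time.time())
    issued = {"iss": "https://idp.example.com", "sub": subject["sub"],
              "aud": f.get("resource", "https://api.example.com"),
              "iat": now, "exp": now + 300, "act": act}
    return 200, {"access_token": sign_jwt(issued), "issued_token_type": ACCESS_TYPE,
                 "token_type": "Bearer", "expires_in": 300}


def demo():
    """Two hops of delegation plus two rejections; returns a summary dict."""
    now = int(time.time())
    user_tok = sign_jwt({"sub": "alice", "aud": "https://gateway.example.com", "exp": now + 600})
    gw_tok = sign_jwt({"sub": "api-gateway", "aud": "https://idp.example.com", "exp": now + 600})
    svc_tok = sign_jwt({"sub": "orders-service", "exp": now + 600})
    rogue_tok = sign_jwt({"sub": "rogue-service", "exp": now + 600})
    form = urlencode({"grant_type": EXCHANGE, "resource": "https://orders.example.com",
                      "subject_token": user_tok, "subject_token_type": JWT_TYPE,
                      "actor_token": gw_tok, "actor_token_type": JWT_TYPE})
    status, body = token_exchange(form)  # hop 1: the gateway acts for alice
    hop1 = verify_jwt(body["access_token"])
    _, body2 = token_exchange(form.replace(user_tok, body["access_token"])
                              .replace(gw_tok, svc_tok))  # hop 2: orders-service acts next
    hop2 = verify_jwt(body2["access_token"])
    rogue_status, _ = token_exchange(form.replace(gw_tok, rogue_tok))
    h, b, _sig = user_tok.split(".")
    tampered_status, _ = token_exchange(form.replace(user_tok, f"{h}.{b}." + gw_tok.split(".")[2]))
    return {"status": status, "sub": hop1["sub"], "act": hop1["act"], "aud": hop1["aud"],
            "act2": hop2["act"], "rogue_status": rogue_status, "tampered_status": tampered_status}
```

The second hop is the part worth studying: the token orders-service receives still says sub=alice, but its act claim reads {"sub": "orders-service", "act": {"sub": "api-gateway"}}, so a downstream Resource Server can apply the user's authorizations while still seeing, and auditing, every service that handled the request. That is the "one party acting on behalf of another" the bullet above describes, as opposed to impersonation, where the chain would be dropped.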
It is important to call out that neither the OAuth2 spec family nor the
OpenID Connect spec family explicitly requires that the OAuth2 access
token be a JWT. Both specs are intentionally vague about the format of
an access_token (an opaque random string, a JWT, or some custom
format); the token_type of "bearer" in the responses above describes
how the token is presented to the Resource Server (RFC 6750), not what
it is made of. For the purposes of what I am trying to achieve in this series of