2015-12-23

Authorization has many different facets, and to describe OAuth solely as an 'authorization standard' invites confusion with those other facets. For instance, the eXtensible Access Control Markup Language (XACML) is manifestly focused on authorization, yet there is effectively no overlap at all between XACML and OAuth 2.0 (in fact, the two compose nicely).
In the case of obtaining the Resource Owner's consent before a token is issued to the client, the OAuth 2.0 Authorization Server (AS) effectively plays the role of the XACML Policy Administration Point (PAP): the consent decision is captured as a policy and subsequently stored as an XACML policy. Here the policy might record that the Resource Owner consented to the client reading the attributes held at the Resource Server (RS), but not changing them. Once it receives the token from the AS, the client presents that token on its API calls to the RS. At the RS, an XACML Policy Enforcement Point (PEP) intercepts the API call (say an HTTP POST attempting to add a new attribute to the Resource Owner's store) and calls out to the XACML Policy Decision Point (PDP) for an access control decision. Because the Resource Owner specified read but not write, the PDP returns a Deny decision to the PEP and the POST request is rejected.
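The consent-to-enforcement path described above, as an added example in Python that is not code from the original article or from any XACML or OAuth product. The AS and its policy store, the RS's PEP, and the PDP are in-process functions and dicts so the flow runs offline; the client id (calendar-app), owner names, resource paths and token values are constructed for the example, and the "XACML policy" is a Python record rather than XACML XML.

```python
"""OAuth 2.0 consent enforced through a XACML-style PEP/PDP (added example).

Everything here is an in-process model: the AS and its policy store, the RS's
PEP, and the PDP are plain functions and dicts so the flow runs offline.
Client ids, owner names, paths and tokens are constructed for the example.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


# --- Authorization Server side: consent is captured as a policy rule (PAP role)
@dataclass(frozen=True)
class Rule:
    client_id: str          # XACML subject: the OAuth client
    owner: str              # XACML resource: whose attribute store
    actions: frozenset      # permitted XACML actions, e.g. {"read"}


policy_store: list[Rule] = []                   # stands in for the XACML policy repository
issued_tokens: dict[str, tuple[str, str]] = {}  # access token -> (client_id, owner)


def record_consent(owner: str, client_id: str, actions: set[str]) -> str:
    """Resource Owner consents; the AS stores the rule and issues an access token."""
    policy_store.append(Rule(client_id, owner, frozenset(actions)))
    token = secrets.token_urlsafe(16)
    issued_tokens[token] = (client_id, owner)
    return token


# --- Resource Server side: the PEP intercepts the call, the PDP decides
HTTP_TO_ACTION = {"GET": "read", "HEAD": "read",
                  "POST": "write", "PUT": "write", "PATCH": "write", "DELETE": "write"}


def pdp_decide(request: dict) -> str:
    """PDP: deny by default; Permit only if a rule matches subject, resource and action."""
    for rule in policy_store:
        if (rule.client_id == request["subject"]
                and rule.owner == request["resource"]
                and request["action"] in rule.actions):
            return "Permit"
    return "Deny"


def pep_handle(method: str, path: str, bearer: str | None) -> int:
    """PEP: validate the bearer token, build the XACML request, enforce the decision.

    Returns the HTTP status the RS would send. Paths look like /users/<owner>/attributes.
    """
    if bearer is None or bearer not in issued_tokens:
        return 401  # no token, or a token the AS never issued
    client_id, token_owner = issued_tokens[bearer]
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "users":
        return 404
    owner = parts[1]
    if owner != token_owner:
        return 403  # token was issued for a different Resource Owner's store
    action = HTTP_TO_ACTION.get(method.upper())
    if action is None:
        return 405
    xacml_request = {"subject": client_id, "resource": owner, "action": action}
    return 200 if pdp_decide(xacml_request) == "Permit" else 403


def demo() -> tuple[int, int, int, int]:
    """alice lets calendar-app read, but not write, her attributes."""
    token = record_consent("alice", "calendar-app", {"read"})
    return (pep_handle("GET", "/users/alice/attributes", token),     # 200: read permitted
            pep_handle("POST", "/users/alice/attributes", token),    # 403: write denied by the PDP
            pep_handle("GET", "/users/bob/attributes", token),       # 403: token not for bob's store
            pep_handle("GET", "/users/alice/attributes", "forged"))  # 401: unknown token


if __name__ == "__main__":
    print(demo())
```

The design point is the separation: the token only proves which client is calling on behalf of which Resource Owner, while the read/write decision lives in the policy the AS recorded at consent time, so tightening or revoking consent changes the PDP's answer without reissuing tokens.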
To be clear, OAuth does not presume or require an underlying XACML infrastructure. The point here is only that OAuth and XACML, while both authorization-centric, are compatible.

OAuth 2.0 can be combined with the Security Assertion Markup Language (SAML) in several ways, including:
- SAML SSO can be used to authenticate the Resource Owner to the Authorization Server at the time authorization is obtained.
- As with other SSO protocols, SAML messages can carry OAuth 2.0 parameters (e.g. Authorization Codes, Access Tokens, Refresh Tokens), enabling subsequent API access following SSO.
- A SAML Assertion can be traded for an OAuth 2.0 Access Token.
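The last bullet, trading a SAML Assertion for an Access Token, is what RFC 7522 (the SAML 2.0 bearer assertion grant) standardizes. The exchange below is an added example in Python, not code from the original article or any product: the client builds the token request with grant_type `urn:ietf:params:oauth:grant-type:saml2-bearer` and the assertion base64url-encoded, and the Authorization Server performs the checks RFC 7522 section 3 requires before minting a token. The assertion, the token endpoint URL (https://as.example.com/token) and the IdP entity ID (https://idp.example.org/saml) are constructed for the example, and verification of the assertion's XML signature is assumed to happen before `validate_assertion` is called (it needs an XML-DSig library and is not implemented here).

```python
"""Trading a SAML 2.0 assertion for an OAuth 2.0 access token, RFC 7522 style.

Added example. The assertion, endpoint URL and issuer are constructed; the
XML signature check is assumed to have been done by the caller (see below).
"""
from __future__ import annotations

import base64
import datetime as dt
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant type URI
TOKEN_ENDPOINT = "https://as.example.com/token"     # assumed AS token endpoint
TRUSTED_ISSUERS = {"https://idp.example.org/saml"}  # assumed SAML IdP entity ID
CLOCK_SKEW = dt.timedelta(seconds=60)

# Constructed sample assertion (bare saml:Assertion, not wrapped in a Response).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{TOKEN_ENDPOINT}" NotOnOrAfter="2099-01-01T00:00:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def build_token_request(assertion_xml: str, scope: str = "profile") -> str:
    """Client side: form body for the token endpoint; assertion is base64url without padding."""
    b64 = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return urlencode({"grant_type": SAML2_BEARER, "assertion": b64, "scope": scope})


def parse_saml_time(value: str) -> dt.datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(assertion_xml: str, now: dt.datetime | None = None) -> str:
    """AS side: RFC 7522 section 3 checks. Returns the subject NameID or raises ValueError.

    Assumption: the caller has already verified the assertion's XML signature
    against the issuer's key (e.g. with an xmlsec-based library). Without that,
    every check below can be satisfied by an attacker-authored assertion.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(assertion_xml)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion":
        raise ValueError("assertion parameter must be a bare saml:Assertion")
    if root.findtext("saml:Issuer", namespaces=SAML_NS) not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("missing Conditions")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)}
    if TOKEN_ENDPOINT not in audiences:
        raise ValueError("audience does not name this token endpoint")
    if "NotOnOrAfter" not in cond.attrib or now >= parse_saml_time(cond.attrib["NotOnOrAfter"]) + CLOCK_SKEW:
        raise ValueError("assertion expired or carries no expiry")
    if "NotBefore" in cond.attrib and now < parse_saml_time(cond.attrib["NotBefore"]) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise ValueError("missing Subject/NameID")
    confirmations = root.findall("saml:Subject/saml:SubjectConfirmation", SAML_NS)
    if not any(c.get("Method") == "urn:oasis:names:tc:SAML:2.0:cm:bearer" for c in confirmations):
        raise ValueError("no bearer SubjectConfirmation")
    return name_id


def handle_token_request(body: str, now: dt.datetime | None = None) -> dict:
    """AS side: parse the form body, validate the assertion, mint an access token."""
    form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if form.get("grant_type") != SAML2_BEARER:
        raise ValueError("unsupported_grant_type")
    raw = form["assertion"]
    assertion_xml = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)).decode()
    subject = validate_assertion(assertion_xml, now)
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "expires_in": 3600, "scope": form.get("scope", ""), "sub": subject}


if __name__ == "__main__":
    print(handle_token_request(build_token_request(SAMPLE_ASSERTION)))
```

The audience check is the one most often skipped in practice: an assertion minted for a SAML service provider must not be accepted by the token endpoint, which is why RFC 7522 requires the AS's own identifier (here its token endpoint URL) to appear in the AudienceRestriction.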
Below we compare some of the various facets of standards-based SSO.