OAuth 2.0 JWT Single Sign-On (SSO)
Cybersecurity grew into a major problem during the pandemic as remote workers provided ample
new opportunities for attacks. As a result, companies are concerned more than ever about
IAM services like SSO, MFA, etc.
In this document, we will introduce you to one such SSO protocol OAuth 2.0, how it works, what
is it used for, how JWT comes into the picture, how can your organization benefit by using
OAuth 2.0 and, JWT as part of your IAM system.
What is OAuth 2.0?
OAuth 2.0 (Open Authorization) is an authorization framework that enables applications to obtain limited
access to user accounts on an HTTP service. It delegates user authentication to the service that hosts the
user account and authorizes third-party applications to access the user account.
OAuth 2.0 provides authorization flows for web and desktop applications, and mobile devices.
This page contains detailed information
about the OAuth 2.0 endpoints that miniOrange exposes on its authorization servers.
OpenID Connect (OIDC) is a thin identity layer on top of the OAuth 2.0 protocol for handling user authentication.
OAuth 2.0 is the standard protocol for authorization and OIDC the protocol for authentication of users. Together,
these two protocols enable you to access multiple apps and websites in a safe way, without having to log in several
times, through single sign-on (SSO).
To learn about the OpenID Connect protocol visit this page.
What is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely
transmitting information between parties as a JSON object. This information can be verified and trusted because
it is digitally signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Let’s understand how OAuth 2.0 works
In this scenario, you can achieve Single Sign On (SSO) into your web application using miniOrange IdP with OAuth 2.0 / OpenID Connect (OIDC) protocol.
Your web application will act as an OAuth 2.0 client.
OAuth 2.0 SSO Workflow
- An unknown user tries to access WordPress (your web application for instance).
- WordPress sends an authorization request to miniOrange (OAuth Provider / OpenID Connect Server).
- miniOrange OAuth server prompts the user to login and authorize the application.
- User is redirected to the login page where the user logs in.
- miniOrange authenticates the user and sends the authorization code to WordPress.
- WordPress sends its own client_id, client_secret with the authorization code that it has received from miniOrange.
- miniOrange authenticates the request and sends the Access token and JWT to WordPress.
- WordPress uses the access token to access resources on the resource server and validates the JWT (JSON Web Token).
- Using access token, id token(JWT), and user info miniOrange allows users to access protected features.
- Now, the user is authenticated and logged in. Thus, the user gets access to the resources without entering any credentials.
Validating the JWT
JWT (JSON Web Token, usually referred to as id_token) contains the user’s identity data. It is used
by the client application to get user information like the user’s name, email address, etc. On your Callback endpoint, you can read and parse the JWT token (User info). Structure of JSON Web Token (JWT):
JWT consists of three parts separated by dots (.)
(eg - xxxx.yyyyyyyyyyyy.zzzzzz), which are:
- Header: Contains signature algorithm name used to sign the payload.
- Payload: Contains user attributes like email id, name, etc.
- Signature: The signature value of the payload.
Once you have the user info JSON. You can initiate your login by passing the email/username information to your local authentication functionality.
JWT contains the following JSON attributes:
||HTTPS URI that indicates the issuer
||identifier of the user at the issuer
||client_id of the requesting client
||the nonce parameter value received from the client
||expiration time of this token
||The time when this token was issued
||time the authentication happened
||the first half of a hash of the access token
Why you should use OAuth 2.0?
miniOrange can help you enable SSO using OAuth 2.0 protocol for the following scenarios -
- If your organization is looking for an authentication authorization system but doesn’t have time and resources to implement it from scratch.
- If your organization wants to switch to a more secure authentication method i.e., token-based authentication.
- If your organization is trying to give a seamless login experience to the users, saving them the hassle of remembering multiple sets of usernames and passwords.
- If you want your users to authenticate themselves via more trustworthy applications like Google, Facebook, etc that ensure the authenticity of the user identities.
What can we do for you?
If you want to improve your business & reduce the burden of maintaining multiple credentials for an account
that uses multiple services or just want to get to know us better, we’d love to hear from you.