
OAuth 2.0 JWT Single Sign-On (SSO)


Cybersecurity became a major concern during the pandemic, as remote workers gave attackers many new opportunities. As a result, companies care more than ever about IAM services such as SSO and MFA.

In this document we introduce one such SSO protocol, OAuth 2.0: how it works, what it is used for, how JWT comes into the picture, and how your organization can benefit from using OAuth 2.0 and JWT as part of its IAM system.

What is OAuth 2.0?

OAuth 2.0 (Open Authorization) is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. It delegates user authentication to the service that hosts the user account, and that service then authorizes third-party applications to access the account with a scoped access token instead of the user's password.

OAuth 2.0 provides authorization flows for web and desktop applications, and mobile devices.

This page contains detailed information about the OAuth 2.0 endpoints that miniOrange exposes on its authorization servers.

OpenID Connect (OIDC) is a thin identity layer on top of OAuth 2.0 that handles user authentication. OAuth 2.0 is the standard protocol for authorization and OIDC the protocol for authenticating users. Together they let a user access multiple apps and websites securely without logging in repeatedly, through single sign-on (SSO).

To learn about the OpenID Connect protocol visit this page.

What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact, self-contained way of transmitting claims between parties as a JSON object. The claims can be verified and trusted because the token is digitally signed, either with a shared secret (HMAC) or with a public/private key pair (RSA or ECDSA). Note that the signature protects the integrity and origin of the token; it does not hide the payload, which is only base64url-encoded and readable by anyone who holds the token.


Let’s understand how OAuth 2.0 works


Figure: OAuth 2.0 JWT Single Sign-On (SSO) flow


In this scenario, Single Sign-On (SSO) into your web application is achieved through the miniOrange IdP using the OAuth 2.0 / OpenID Connect (OIDC) protocol. Your web application acts as the OAuth 2.0 client (the relying party).

OAuth 2.0 SSO Workflow

  1. A user who is not yet logged in tries to access WordPress (your web application, for instance).
  2. WordPress redirects the user's browser to the miniOrange authorization endpoint with an authorization request: response_type=code, its client_id and registered redirect_uri, the requested scopes, and a random state and nonce that it stores in the user's session.
  3. miniOrange (the OAuth provider / OpenID Connect server) shows the user its login page; the user logs in and, where configured, consents to the application's access.
  4. miniOrange authenticates the user and redirects the browser back to the registered redirect_uri with a short-lived, single-use authorization code and the original state value.
  5. WordPress checks that the returned state matches the one in the session (this ties the callback to the login it started and blocks CSRF), then sends the code to the miniOrange token endpoint in a back-channel request together with its own client_id and client_secret (and the PKCE code_verifier, if PKCE was used).
  6. miniOrange authenticates the client, verifies that the code is valid, unused, and was issued to that client and redirect_uri, and returns an access token and an ID token (a JWT).
  7. WordPress validates the ID token (signature, iss, aud, exp, nonce) and may use the access token to call the userinfo endpoint or other protected resources on the resource server.
  8. From the validated ID token claims and the user info, WordPress identifies the user and grants access to protected features.
  9. The user is now logged in to WordPress without having entered any credentials there.
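The workflow above, as an added example (not miniOrange code): a toy authorization server and a toy client run in one Python process so that both sides' messages and checks are visible. The issuer URL, client_id, client_secret, redirect URI and user name are constructed for the example, and the ID token is returned as a plain claim dict rather than a signed JWT so the block stays focused on the code exchange, state binding and PKCE.

```python
"""Toy OAuth 2.0 / OIDC authorization code flow, client and IdP in one process,
showing the checks each side makes. Added example, not miniOrange code: the
issuer, client credentials, redirect URI and user are made up."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def s256(verifier: str) -> str:
    """PKCE code_challenge = base64url(SHA-256(code_verifier)), unpadded."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


class AuthorizationServer:
    """Stand-in for the IdP's /authorize and /token endpoints (steps 2-6)."""
    ISSUER = "https://idp.example.com"  # assumed issuer

    def __init__(self):
        # client_id -> (client_secret, registered redirect URIs)
        self.clients = {"wp-client": ("wp-secret", {"https://wp.example.com/callback"})}
        self.codes = {}  # issued code -> what it was issued for

    def authorize(self, params: dict, logged_in_user: str) -> str:
        """Front channel: validate the request, authenticate the user, send a code back."""
        cid = params["client_id"]
        if cid not in self.clients or params["redirect_uri"] not in self.clients[cid][1]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if params.get("response_type") != "code" or params.get("code_challenge_method") != "S256":
            raise ValueError("unsupported response_type or PKCE method")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": cid, "redirect_uri": params["redirect_uri"],
                            "code_challenge": params["code_challenge"], "nonce": params["nonce"],
                            "sub": logged_in_user, "expires": time.time() + 60}
        # the code and the client's state travel back through the user's browser
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """Back channel: the client authenticates and exchanges the code for tokens."""
        secret = self.clients.get(form["client_id"], ("", None))[0]
        if not secrets.compare_digest(secret, form.get("client_secret", "")):
            raise PermissionError("client authentication failed")
        rec = self.codes.pop(form["code"], None)  # pop: a code is single-use
        if rec is None or rec["expires"] < time.time():
            raise PermissionError("unknown, already used or expired code")
        if rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form["redirect_uri"]:
            raise PermissionError("code was issued to another client or redirect_uri")
        if not secrets.compare_digest(s256(form["code_verifier"]), rec["code_challenge"]):
            raise PermissionError("PKCE verification failed")
        now = int(time.time())
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                # ID token claims as a plain dict for brevity; a real IdP returns them
                # as a signed JWT that the client must verify before trusting them
                "id_token": {"iss": self.ISSUER, "sub": rec["sub"], "aud": form["client_id"],
                             "nonce": rec["nonce"], "iat": now, "exp": now + 300}}


class Client:
    """Stand-in for the web application, the OAuth 2.0 client (steps 1, 5, 7-9)."""
    client_id, client_secret = "wp-client", "wp-secret"
    redirect_uri = "https://wp.example.com/callback"

    def __init__(self, idp: AuthorizationServer):
        self.idp, self.session = idp, {}  # session: per-browser server-side store

    def start_login(self) -> dict:
        """Step 2: remember state/nonce/verifier in the session, build the request."""
        self.session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16),
                        "verifier": secrets.token_urlsafe(48)}
        return {"response_type": "code", "client_id": self.client_id, "scope": "openid email",
                "redirect_uri": self.redirect_uri, "state": self.session["state"],
                "nonce": self.session["nonce"], "code_challenge": s256(self.session["verifier"]),
                "code_challenge_method": "S256"}

    def callback(self, redirect_url: str) -> dict:
        """Steps 5-7: check state, redeem the code, check the nonce in the ID token."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if not secrets.compare_digest(q.get("state", ""), self.session.pop("state", "")):
            raise PermissionError("state mismatch: callback not tied to a login we started")
        tokens = self.idp.token({"grant_type": "authorization_code", "code": q["code"],
                                 "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                 "client_secret": self.client_secret,
                                 "code_verifier": self.session.pop("verifier")})
        if tokens["id_token"]["nonce"] != self.session.pop("nonce"):
            raise PermissionError("nonce mismatch: ID token not from this login")
        return tokens


def run_flow() -> dict:
    """Happy path: user 'alice' logs in at the IdP, the client ends up with tokens."""
    idp = AuthorizationServer()
    client = Client(idp)
    redirect = idp.authorize(client.start_login(), logged_in_user="alice")
    return client.callback(redirect)


def replay_rejected() -> bool:
    """Redeeming the same code twice must fail at the token endpoint."""
    idp = AuthorizationServer()
    client = Client(idp)
    redirect = idp.authorize(client.start_login(), logged_in_user="alice")
    client.callback(redirect)  # first, legitimate exchange
    try:
        idp.token({"grant_type": "authorization_code",
                   "code": parse_qs(urlparse(redirect).query)["code"][0],
                   "redirect_uri": client.redirect_uri, "client_id": client.client_id,
                   "client_secret": client.client_secret, "code_verifier": "x"})
    except PermissionError:
        return True
    return False
```

Two details are worth noting when mapping this to a real deployment: the state value is what stops an attacker from planting their own authorization code in a victim's session, so it must be unpredictable and stored server-side; and the token endpoint deletes the code when it is redeemed, which is why the second exchange in replay_rejected() fails.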

Validating the JWT

The ID token (id_token) is a JWT that carries the user's identity claims; the client application reads it to obtain the user's name, email address, and so on. On your callback endpoint you parse the ID token, but none of its claims may be trusted until you have verified its signature with the issuer's key (for RS256/ES256, the public key published at the issuer's JWKS endpoint; for HS256, the client_secret) and checked the iss, aud, exp and nonce claims listed below. Structure of a JSON Web Token (JWT):

A JWT consists of three base64url-encoded parts separated by dots (.), e.g. xxxx.yyyyyyyyyyyy.zzzzzz, which are:

  • Header: names the signature algorithm (alg) and usually the key identifier (kid) and token type (typ).
  • Payload: the claims, including user attributes such as email and name.
  • Signature: computed over the encoded header and payload together, so neither can be altered without invalidating it.

Take the algorithm you verify with from your own configuration, not from the token header: a token whose header says alg: none, or that tries to have an RSA public key used as an HMAC secret, must be rejected.

Only once these checks pass should you take the email or username from the claims (or from the userinfo response) and pass it to your local authentication functionality to start the user's session.


The ID token contains the following JSON claims:


Field        Description
iss          HTTPS URI identifying the issuer; must equal the issuer you configured
sub          Identifier of the user at the issuer; stable and unique per issuer, and the value to key local accounts on (not the email address, which can change)
aud          client_id of the requesting client; may be an array, in which case it must contain your client_id
nonce        The nonce value the client sent in the authorization request; must match the one stored in the session
exp          Expiration time of the token (seconds since the epoch); reject the token after this time
iat          Time at which the token was issued
auth_time    Time at which the user actually authenticated at the issuer
at_hash      base64url encoding of the left-most half of the hash of the access token, using the hash function of the token's alg (SHA-256 for the *256 algorithms); lets the client confirm the access token belongs with this ID token
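The validation steps described in this section and the claims in the table above, as an added example (not miniOrange code) in Python using only the standard library. The signing key, issuer, client_id, nonce, access token and claim values are constructed for the example. HS256 is used so that it runs offline; with RS256 or ES256 the same claim checks apply and only the signature step changes (verify against the issuer's public key from its JWKS). The example also shows three tokens that must be rejected: a forged payload, an alg: none header, and a token for another client.

```python
"""Validate an OIDC ID token (a JWT) the way the callback endpoint should,
with only the standard library. Added example, not miniOrange code; the
signing key, issuer, client_id, nonce and claim values below are made up."""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256": hashlib.sha256}  # our own allow-list; never contains "none"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issuer side: header.payload.signature. Only used here to build sample
    tokens; alg is a parameter so a bogus alg=none token can be produced."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def tamper(token: str, new_claims: dict) -> str:
    """Attacker's move: swap the payload but keep the original signature."""
    h, _, s = token.split(".")
    return f"{h}.{b64url_encode(json.dumps(new_claims).encode())}.{s}"


def at_hash(access_token: str) -> str:
    """OIDC at_hash for *256 algorithms: left half of SHA-256(access_token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def validate_id_token(token, key, issuer, client_id, expected_nonce,
                      access_token=None, now=None, leeway=60) -> dict:
    """Return the claims if every check passes, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # 1. Algorithm: must be on OUR allow-list (blocks alg=none and key confusion).
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unacceptable alg {alg!r}")
    # 2. Signature covers header AND payload; compare in constant time.
    expected = hmac.new(key, f"{h}.{p}".encode(), ALLOWED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    # 3. Claim checks from the table above.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) - leeway > now:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replay or wrong login)")
    if access_token is not None and claims.get("at_hash") != at_hash(access_token):
        raise ValueError("at_hash does not match access token")
    return claims


# --- constructed sample data (assumptions, not real miniOrange values) ---
KEY = b"demo-shared-secret-32-bytes-long!!"
ISSUER = "https://idp.example.com"
CLIENT_ID = "wp-client"
NONCE = "n-0S6_WzA2Mj"
ACCESS_TOKEN = "SlAV32hkKG"
NOW = 1_700_000_000


def sample_token(**overrides) -> str:
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "nonce": NONCE,
              "iat": NOW, "exp": NOW + 300, "auth_time": NOW - 5,
              "at_hash": at_hash(ACCESS_TOKEN), "email": "alice@example.com"}
    claims.update(overrides)
    return mint(claims, KEY)


def check(token: str) -> str:
    """'ok' or the rejection reason."""
    try:
        validate_id_token(token, KEY, ISSUER, CLIENT_ID, NONCE, ACCESS_TOKEN, now=NOW)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print(check(sample_token()))                                         # ok
    print(check(sample_token(aud="other-client")))                        # token not intended for this client
    print(check(sample_token(exp=NOW - 3600)))                            # token expired
    print(check(sample_token(nonce="stale")))                             # nonce mismatch (replay or wrong login)
    print(check(tamper(sample_token(), {"iss": ISSUER, "sub": "admin"})))  # bad signature
    print(check(mint({"iss": ISSUER, "sub": "admin"}, KEY, alg="none")))   # unacceptable alg 'none'
```

The order of the checks matters: the algorithm is fixed by the verifier's configuration before any signature work, and the signature is verified before any claim is read, so a forged payload never reaches the claim logic. Keying local accounts on sub rather than email avoids account takeover when an email address is reassigned at the issuer.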

Why should you use OAuth 2.0?

miniOrange can help you enable SSO using the OAuth 2.0 protocol in the following scenarios -

  • If your organization needs an authentication and authorization system but does not have the time and resources to implement one from scratch.
  • If your organization wants to move to token-based authentication instead of handing each application the user's password.
  • If your organization wants to give users a seamless login experience and save them the hassle of remembering multiple sets of usernames and passwords.
  • If you want your users to authenticate through identity providers they already trust, such as Google or Facebook, which vouch for the user's identity.

What can we do for you?

If you want to improve your business & reduce the burden of maintaining multiple credentials for an account that uses multiple services or just want to get to know us better, we’d love to hear from you.
