OAuth2 and OpenID Connect versus WS and SAML

Published Feb 20, 2017.
For feedback or questions, please follow me on Twitter so you can DM me.

I have mentioned that part of our replatforming project, which moved us to Azure, was switching the security protocol from WS-Federation/WS-Trust to OAuth2 and OpenID Connect. I kept running into rumblings on the internet that, even though OAuth2/OpenID Connect were widely adopted, they were somehow less secure. Comparing a secure implementation of each side by side, I could not see how this could be. Since our industry is not short on oversimplification and grand proclamations, I decided to pose the question to experts in the field.

I posted this question on the Information Security Stack Exchange site. The quality of the responses I got blew me away: carefully thought through and well articulated, to say the least.

I liked this answer by Karl McGuinness the best and thought it worthwhile to socialize it further through this blog post.

The key takeaways, though, are:

  • All these protocols are secure, but an implementation may be insecure if not properly done. In this spirit, the simpler the protocol, the better.
  • All these protocols use cryptographically signed tokens that support optional encryption.
  • There are some problems with OAuth2 by itself that are addressed by OpenID Connect.

I hope this can serve as a good resource for refuting oversimplified statements to the contrary.


Tagged as wsfed wstrust saml oauth2 openidconnect security