OAuth2 and OpenID Connect versus WS and SAML
I have mentioned how part of our replatforming project that saw us move to Azure was moving the security protocol from WS-Federation/WS-Trust to OAuth2 and OpenID Connect. I kept running into rumblings on the internet that OAuth2/OpenID Connect, despite its wide adoption, was somehow less secure. Comparing a secure implementation of both side by side, I did not really see how this could be. Since our industry is not short on oversimplification and grand proclamations, I decided to pose this question to experts in the field.
I posted this question on the Information Security Stack Exchange site. The quality of the responses I got blew me away: carefully thought through and well articulated, to say the least.
I liked this answer by Karl McGuinness the best and thought it worthwhile to socialize it further through this blog post.
The key takeaway, though, is:
- All these protocols are secure, but an implementation may be insecure if not properly done. In this spirit, the simpler the protocol, the better.
- All these protocols use cryptographically signed tokens that support optional encryption.
- There are some problems with OAuth2 by itself which are addressed by OpenID Connect.
I hope this can serve as a good resource to refute any other oversimplified statement to the contrary.