OAuth2 and OpenID Connect versus WS and SAML

I have mentioned how part of our replatforming project that saw us move to Azure was moving the security protocol from WS-Federation/WS-Trust to OAuth2 and OpenID Connect. I kept running into rumblings on the internet about how, even though they were widely adopted, OAuth2/OpenID Connect were somehow less secure. Comparing a secure implementation of both side by side, I did not really see how this could be. Since our industry is not short on oversimplification and grand proclamations, I decided to pose this question to experts in the field.

I posted this question on the Information Security Stack Exchange site. The quality of the responses I got blew me away: carefully thought through and well articulated, to say the least.

I liked this answer by Karl McGuinness the best and thought it worthwhile to socialize it further through this blog post.

The key takeaway, though, is:

I hope this can serve as a good resource to refute any other oversimplified statement to the contrary.

Tags: wsfed wstrust saml oauth2 openidconnect security