brgd.eu

Some notes on authentication

2024-12-04

I recently needed to work on authentication, and while doing that I ran into some questions, especially about terminology. I want to write those things down here.

Note that these don't really follow a recurring theme besides authentication. It's just some things I stumbled upon and wanted to answer for myself :-)

Access Control vs. Authorization

I was wondering what the difference between the two is.

Okta actually wrote an article on this question. Authorization is about the policy, and how it is defined. It will say, for example, that user A is allowed to access X, but is not allowed to access Y.

Access control makes sure that this policy is followed. It ensures that when A requests X, access is granted, and that when A requests Y, access is denied.
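To make the split concrete, here is an added Python example (mine, not from the post or from the Okta article): the policy is plain data that can be reviewed on its own, and a separate enforcement layer consults it on every request and records the decision. The users, resources and rules are constructed for the demo.

```python
"""Added example: authorization as a policy, access control as the enforcement
step that consults it. Users, resources and rules below are constructed."""
from dataclasses import dataclass, field

# Authorization: the policy. It states who may do what to which resource and
# knows nothing about how requests arrive. Anything not listed is forbidden,
# so "A may not access Y" needs no entry of its own.
POLICY = {
    ("A", "X"): {"read"},
    ("B", "X"): {"read", "write"},
    ("B", "Y"): {"read"},
}


def authorized(user: str, action: str, resource: str, policy=POLICY) -> bool:
    """Policy decision: answer the question, change nothing. Deny by default."""
    return action in policy.get((user, resource), set())


@dataclass
class AccessControl:
    """Enforcement: sits in front of the resources, asks the policy on every
    request, and writes an audit line whether the answer is allow or deny."""
    resources: dict
    audit: list = field(default_factory=list)

    def request(self, user: str, action: str, resource: str, payload=None):
        decision = "ALLOW" if authorized(user, action, resource) else "DENY"
        self.audit.append(f"{decision} user={user} action={action} resource={resource}")
        if decision == "DENY":
            raise PermissionError(f"{user} may not {action} {resource}")
        if action == "write":
            self.resources[resource] = payload
            return None
        return self.resources[resource]


def demo():
    """Replay the post's scenario (A may access X but not Y) plus a write
    attempt, returning the outcomes and the audit trail."""
    ac = AccessControl(resources={"X": "contents of X", "Y": "contents of Y"})
    outcomes = {}
    for user, action, resource in [("A", "read", "X"), ("A", "read", "Y"),
                                   ("A", "write", "X"), ("B", "write", "X")]:
        try:
            outcomes[(user, action, resource)] = ac.request(user, action, resource, payload="new X")
        except PermissionError as err:
            outcomes[(user, action, resource)] = f"denied: {err}"
    return outcomes, ac.audit


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The point of keeping `POLICY` and `authorized` free of any request handling is that the policy can be audited and tested without running the application, while `AccessControl.request` is the only path to the resources, so there is no way to reach them that skips the check.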

OAuth vs. OIDC

OAuth is about authorization. It does not, by itself, tell you who the user is; that identity part is what OIDC adds.

While researching OAuth/OIDC, I found this amazing article on it by Stack Auth. It is, I think, the first article that made me really grasp why OAuth works the way it does!

OIDC vs. SAML

OneLogin wrote an article on this here.

What are OIDC and SAML?

An IdP maintains a database of user identity information. A service provider (SP) relies on this information to authenticate a user, sometimes only once for multiple applications (single sign-on). Both OIDC and SAML are standards that define just how this information is to flow between these two parties. The end goal for both is the same: user authentication. But the underlying methodology to achieve the goal is different.

So when should I use the one over the other? Again from the same article:

  • Want to quickly set up an identity platform, choose OIDC over SAML, without thinking twice. Implementing a basic OIDC solution is much simpler, compared to SAML, which would require heavy-weight XML processing.
  • Have an API-centered architecture, with a lot of mobile and single-page applications, use OIDC. It will guarantee a much more efficient and interoperable experience.
  • Want to implement a mature standard, something that has been around for a long time, then choose SAML. It’s feature-rich, gets the job done, and has been a staple of enterprise networks for over a decade.

It seems to me that OIDC is simpler and thus preferred. If there are no outside pressures to use SAML, one should probably use OIDC over SAML. (But don't take my word on that!)

Single-tenant vs multi-tenant authentication

It seems to me that this is Microsoft-specific, though I'm not sure. Maybe it is something general.

Anyway, I read about this in this Microsoft training here:

You can decide if you want to allow users to sign in only if they belong to your organization. This architecture is known as a single-tenant application. Or, you can allow users to sign in by using any work or school account, which is known as a multitenant application.
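The two points above, that OAuth alone gives you an access token but no proof of who the user is (the OAuth vs. OIDC section) and that a single-tenant vs. multi-tenant choice decides which accounts may sign in, as one added Python example that is neither from this post nor from Microsoft. It mints constructed HS256 ID tokens with a shared demo secret so it runs offline with only the standard library; real identity providers sign with asymmetric keys published via JWKS. The issuer URLs, client id and nonce are made up, and modelling tenancy as an issuer allow-list is my assumption about how the sign-in restriction shows up in code.

```python
"""Added example: what an OIDC ID token adds on top of an OAuth access token,
and single- vs multi-tenant sign-in expressed as an issuer allow-list.
All identifiers are constructed; HS256 is used only so this runs offline."""
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"constructed-demo-secret"             # demo only, never reuse
CLIENT_ID = "demo-client"                            # constructed client id
HOME_TENANT = "https://idp.example.test/home"        # constructed issuer URLs
PARTNER_TENANT = "https://idp.example.test/partner"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a demo ID token. In reality this is the IdP's job, not the app's."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token, trusted_issuers, nonce, secret=DEMO_SECRET, now=None):
    """Return verified claims, or raise ValueError naming the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")        # e.g. an opaque OAuth access token
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never let the header choose
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") not in trusted_issuers:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")   # token minted for some other app
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")   # binds the token to this login attempt
    if not claims.get("sub"):
        raise ValueError("no subject")
    return claims


def sign_in(token, mode, nonce, now):
    """Tenancy policy (assumption): single-tenant trusts only HOME_TENANT,
    multi-tenant trusts the issuers the app has explicitly chosen to accept."""
    trusted = {HOME_TENANT} if mode == "single-tenant" else {HOME_TENANT, PARTNER_TENANT}
    try:
        claims = validate_id_token(token, trusted, nonce, now=now)
    except ValueError as err:
        return f"rejected: {err}"
    return f"accepted: {claims['sub']} from {claims['iss']}"


def demo(now=1_700_000_000):
    """Run the scenarios with a fixed clock and return the outcome of each."""
    nonce = "n-1234"
    base = {"aud": CLIENT_ID, "sub": "user-42", "iat": now, "exp": now + 300, "nonce": nonce}
    home = make_id_token({**base, "iss": HOME_TENANT})
    partner = make_id_token({**base, "iss": PARTNER_TENANT})
    tampered = make_id_token({**base, "iss": HOME_TENANT}, secret=b"wrong-secret")
    return {
        "access_token_only": sign_in("opaque-access-token-abc", "single-tenant", nonce, now),
        "home_single": sign_in(home, "single-tenant", nonce, now),
        "partner_single": sign_in(partner, "single-tenant", nonce, now),
        "partner_multi": sign_in(partner, "multi-tenant", nonce, now),
        "wrong_nonce": sign_in(home, "single-tenant", "n-other", now),
        "expired": sign_in(home, "single-tenant", nonce, now + 600),
        "tampered": sign_in(tampered, "single-tenant", nonce, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

Two things worth noticing when running it: the opaque access token is rejected before any claim is looked at, because it simply carries no identity to check, and the only difference between the single- and multi-tenant modes is the set of issuers the application is willing to accept, so going multi-tenant means deciding that set deliberately rather than accepting any correctly signed token.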