Skip to main content

Modern Authentication Overview

Introduction to Modern Authentication

Modern authentication refers to identity and access management protocols that have superseded traditional username/password authentication. These protocols are designed to:

  • Support single sign-on (SSO) across multiple applications
  • Provide stronger security through token-based authentication
  • Separate authentication concerns from application logic
  • Enable federated identity management
  • Support multi-factor authentication (MFA)

The two most important modern authentication protocols are SAML and OpenID Connect (OIDC).

SAML (Security Assertion Markup Language)

SAML is an XML-based open standard for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP).

Key Concepts in SAML

  1. Identity Provider (IdP): The system that performs authentication and sends the user information to the service provider.
  2. Service Provider (SP): The application that the user wants to access, which relies on the IdP for authentication.
  3. Assertions: XML documents containing user information and authentication statements.
  4. Bindings: Define how SAML messages are transported (HTTP Redirect, HTTP POST, etc.).
  5. Profiles: Define how SAML assertions and protocols are combined to achieve specific use cases.

SAML Flow

  1. User attempts to access a protected resource at the SP.
  2. SP generates a SAML authentication request and redirects the user to the IdP.
  3. IdP authenticates the user (if not already authenticated).
  4. IdP generates a SAML assertion and sends it back to the SP via the user's browser.
  5. SP validates the assertion and grants access to the protected resource.

SAML Pros and Cons

Pros:

  • Mature protocol with widespread enterprise adoption
  • Strong security features
  • Comprehensive for enterprise scenarios

Cons:

  • Complex XML format
  • Heavier protocol with more overhead
  • Less suited for mobile applications
  • More difficult to implement than newer protocols

OpenID Connect (OIDC)

OpenID Connect is an authentication layer built on top of OAuth 2.0, a protocol for authorization. OIDC enables clients to verify the identity of end-users and obtain basic profile information.

Key Concepts in OIDC

  1. Identity Provider (IdP): Also called OpenID Provider (OP), authenticates users and provides claims about them.
  2. Relying Party (RP): The application that relies on the IdP to authenticate users (similar to a Service Provider in SAML).
  3. ID Token: A JWT (JSON Web Token) containing authenticated user information.
  4. UserInfo Endpoint: An API that returns claims about the authenticated user.
  5. Scopes: Define what user information the client application can access.

OIDC Flow

  1. User attempts to access a client application (RP).
  2. Client redirects to the OIDC provider (IdP) with an authentication request.
  3. IdP authenticates the user and obtains consent.
  4. IdP redirects back to the client with an authorization code.
  5. Client exchanges the code for ID and access tokens.
  6. Client validates the ID token and can use the access token to fetch additional user information.

OIDC Pros and Cons

Pros:

  • Built on JSON and REST, making it more developer-friendly
  • Lighter weight than SAML
  • Better suited for modern web and mobile applications
  • Provides both authentication and authorization

Cons:

  • Newer standard with evolving best practices
  • Some enterprise features require extensions

Comparison: SAML vs. OIDC

FeatureSAMLOIDC
FormatXMLJSON
ComplexityHigherLower
TokenSAML AssertionJWT
TransportVarious bindingsHTTPS
Mobile-friendlyLessMore
Enterprise adoptionVery highGrowing
Implementation difficultyHigherLower

Dex: An Open Source Identity Provider

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. It acts as a portal to other identity providers through "connectors." This lets your apps trust Dex for authentication while Dex trusts external identity providers.

Key Features of Dex

  1. Connector System: Integrates with various backend identity providers (LDAP, SAML, OAuth, etc.)
  2. Identity Federation: Aggregates identities from multiple sources
  3. OIDC Provider: Implements the OpenID Connect protocol
  4. Stateless JWT Tokens: Uses modern JWT-based authentication
  5. Lightweight: Designed to be a thin layer between your applications and identity providers

In our project, we'll use Dex to:

  1. Set up a local identity provider
  2. Connect it to a Python web application
  3. Demonstrate authentication flows

This will give you hands-on experience with modern authentication while learning the underlying concepts.