Authentication verifies identity. OAuth 2.0 (RFC 6749) is an authorisation framework, not an authentication protocol: it issues access tokens that let a client reach a resource, and says nothing about who the user is. OIDC (OpenID Connect) extends it to add identity via an ID Token, a JWT whose claims (`iss`, `sub`, `aud`, `exp`, `nonce`) the client validates. SAML 2.0 is an XML-based federation standard dominant in enterprise SSO. A JWT (JSON Web Token, RFC 7519) in its signed form (JWS) consists of three base64url-encoded parts separated by dots: header (`alg`, `typ`, optionally `kid`), payload (claims), and signature. Common signing algorithms are RS256 (RSA with SHA-256), ES256 (ECDSA P-256) and HS256 (HMAC-SHA256 with a shared secret, so every party that can verify can also mint). A JWT can instead be encrypted as a JWE (five parts) when claims must be hidden from the bearer; most APIs use plain JWS. Base64url is encoding, not encryption: anyone holding a signed JWT can read its claims.
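An added example, not code from the original page: a stdlib-only Python minter and verifier for the three-part JWS form described above. It uses HS256 instead of RS256 so that it runs without a JWKS endpoint or a third-party library; the order of checks (algorithm allow-list, signature before claims, then `iss`/`aud`/`exp`/`nbf` with clock-skew leeway) is the same one a resource server applies to RS256 tokens, with the key lookup by `kid` swapped in for the shared secret. `SECRET`, `EXPECTED_ISS`, `EXPECTED_AUD`, the `demo` helper and every token it builds are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration for the demo (not from the page): the shared HMAC
# secret and the issuer/audience the resource server pins in its own config.
SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ISS = "https://idp.example"
EXPECTED_AUD = "api.example"
ALLOWED_ALGS = {"HS256"}  # allow-list; the token header never selects the algorithm


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWS: header.payload.signature. `alg` is a parameter only so
    the demo can produce an alg=none token and show it being refused."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None, leeway: int = 30) -> dict:
    """Return the claims if every check passes, else raise ValueError.
    Order matters: algorithm pin, signature, then claims. Nothing from the
    payload is trusted until the signature over header.payload has verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated parts")
    h_b64, p_b64, s_b64 = parts

    header = json.loads(b64url_decode(h_b64))
    # 1. Pin the algorithm: rejects "none" and any alg the server was not configured for.
    #    (With RS256 the same rule stops an RSA public key being replayed as an HMAC secret.)
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    # 2. Verify the signature with a constant-time comparison.
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(p_b64))
    # 3. Issuer and audience (aud may be a string or an array per RFC 7519).
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    # 4. Validity window with a small clock-skew leeway; exp is mandatory here.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired or missing exp")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def demo(now: float = 1_700_000_000) -> dict:
    """Build one good token and several bad ones; report which check each trips."""
    claims = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "user-123",
              "nbf": now - 60, "exp": now + 300}
    cases = {
        "valid": sign_hs256(claims, SECRET),
        "alg_none": sign_hs256(claims, SECRET, alg="none"),
        "wrong_key": sign_hs256(claims, b"attacker-chosen-key"),
        "wrong_aud": sign_hs256({**claims, "aud": "other-api"}, SECRET),
        "expired": sign_hs256({**claims, "exp": now - 600}, SECRET),
    }
    # Edit the payload of the valid token (sub -> admin) without re-signing it.
    h, _, s = cases["valid"].split(".")
    forged = b64url_encode(json.dumps({**claims, "sub": "admin"}).encode())
    cases["tampered"] = f"{h}.{forged}.{s}"
    results = {}
    for name, tok in cases.items():
        try:
            verify_jwt(tok, SECRET, now=now)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints one line per case; only `valid` is accepted. The `alg_none` and `tampered` cases are the ones real libraries have historically got wrong, and both fail here before any claim is read.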

Key Points

  • OAuth 2.0 grant types: Authorization Code (web, mobile and SPA clients; the recommended flow, with PKCE to bind the code to the client that requested it), Client Credentials (machine-to-machine, no user), Implicit (deprecated: the access token is returned in the URL fragment, where it leaks via browser history, referrers and injected scripts, and it cannot be combined with PKCE), Resource Owner Password Credentials (deprecated: the client handles the user's password directly), Device Authorization Grant (RFC 8628, for TVs, CLIs and other input-constrained devices).
  • PKCE (Proof Key for Code Exchange, RFC 7636): the client generates a `code_verifier` (43–128 characters from the unreserved set `[A-Za-z0-9-._~]`, high entropy) and sends `code_challenge = BASE64URL(SHA256(code_verifier))` with `code_challenge_method=S256` in the authorisation request; at the token endpoint it presents the `code_verifier`, and the server recomputes the hash and compares it with the challenge stored against the code. An attacker who intercepts the code (a malicious app registered for the same custom URI scheme, a leaked redirect) cannot redeem it without the verifier. Reject the `plain` method, and use PKCE for confidential clients too: the OAuth 2.0 Security Best Current Practice recommends it for every client because it also defeats authorization code injection.
  • JWT validation: first pin the algorithm (accept only the `alg` values the server is configured for; never accept `none`, and never let the token header choose the verification method, or an RS256 public key can be replayed as an HS256 secret), then verify the signature (RS256/ES256: fetch the key by `kid` from the issuer's JWKS endpoint and cache it), then check `iss` (issuer), `aud` (audience, a string or an array), `exp` (expiry) and `nbf` (not before) with a small clock-skew leeway. Nothing in the payload is trusted before the signature check passes.
  • JWT size: a JWT typically runs from a few hundred bytes to 1–2 KB depending on claims and key size, and it travels in the `Authorization` header of every request, which is measurable overhead at scale and can hit proxy header limits. One common split: opaque reference tokens (for example a 64-byte random string, resolved via introspection or a lookup) for tokens handed to external clients, which keeps them revocable and exposes no claims, and self-contained JWTs for internal service-to-service auth, where the verifier can check the signature locally.
  • OIDC scopes: `openid` (mandatory; without it the request is plain OAuth and no ID Token is issued), `profile` (name, picture, locale and similar), `email`, `address`, `phone`. Request only the scopes the app needs, and request `offline_access` only when a refresh token is actually required, since it produces a long-lived credential that must be stored and rotated.
  • SAML 2.0 flow (SP-initiated SSO): the SP redirects the browser to the IdP with a `SAMLRequest` (a deflated, base64-encoded AuthnRequest); the IdP authenticates the user and, via the browser, POSTs a `SAMLResponse` containing a signed XML assertion to the SP's Assertion Consumer Service (ACS) URL. The SP must verify the XML signature against the IdP's pinned certificate before reading any part of the assertion, then check `Audience`, `Recipient`, `NotBefore`/`NotOnOrAfter` and `InResponseTo`; parsers that locate the assertion independently of the signed subtree are exposed to XML Signature Wrapping.
  • Access token lifetime: keep it short (5–15 minutes for public clients) and obtain new access tokens with refresh tokens, which are longer-lived and, for public clients, rotated on every use so that replay of an old refresh token signals theft and lets the server revoke the whole family. Short-lived access tokens limit the blast radius of token theft; sender-constrained tokens (DPoP, RFC 9449, or mTLS-bound tokens, RFC 8705) go further by making a stolen token unusable from another client.
  • Token revocation: OAuth 2.0 Token Revocation (RFC 7009) lets a client ask the authorisation server to invalidate a refresh or access token (for example on logout); Token Introspection (RFC 7662) lets a resource server ask in real time whether an opaque token is active and what it grants. Introspection costs a network round-trip per request, so many deployments validate short-lived JWTs locally instead, accepting that a JWT stays usable until `exp` unless the resource server also consults a denylist or the signing key is rotated.
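The PKCE exchange from the Key Points above, as an added example that is not part of the original page and not any real authorisation server's code: the client-side verifier and S256 challenge derivation, and a minimal in-memory authorisation server that stores the challenge with each issued code and re-derives it from the verifier at the token endpoint. `AuthorizationServer`, `run_flow`, the client_id `mobile-app` and the redirect URI `app://cb` are all constructed for the demo.

```python
import base64
import hashlib
import secrets
import string

# Unreserved characters a code_verifier may use (RFC 7636 section 4.1).
VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy random string of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """Client side, method S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory stand-in for an authorisation server (not a real product).
    It stores the challenge alongside each issued code and re-derives the challenge
    from the verifier at the token endpoint. Codes are single-use."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str) -> str:
        # Refuse "plain": it sends the verifier itself, so interception defeats it.
        if code_challenge_method != "S256":
            raise ValueError("invalid_request: only S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code  # delivered to the client via the redirect_uri

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed once
        if entry is None:
            raise ValueError("invalid_grant: unknown or already-used code")
        stored_client, stored_redirect, stored_challenge = entry
        if (client_id, redirect_uri) != (stored_client, stored_redirect):
            raise ValueError("invalid_grant: client_id or redirect_uri mismatch")
        if not secrets.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(intercept: bool = False) -> str:
    """Complete exchange for a constructed public client. With intercept=True an
    attacker who captured the redirect (and so the code) but not the verifier
    tries to redeem it; the server rejects the exchange."""
    server = AuthorizationServer()
    client_id, redirect_uri = "mobile-app", "app://cb"   # constructed demo values
    verifier = make_code_verifier()                       # kept in client memory only
    challenge = make_code_challenge(verifier)             # the only value sent with the auth request
    code = server.authorize(client_id, redirect_uri, challenge, "S256")
    if intercept:
        try:
            server.token(client_id, redirect_uri, code, make_code_verifier())
            return "attacker obtained a token"
        except ValueError as e:
            return str(e)
    return server.token(client_id, redirect_uri, code, verifier)["token_type"]


if __name__ == "__main__":
    print("legitimate client:", run_flow())
    print("interceptor:      ", run_flow(intercept=True))
```

The verifier never leaves the client until the token request, which goes directly to the token endpoint over TLS rather than through the browser redirect, so observing the redirect alone yields nothing redeemable. The `pop` on the code store is what makes a second redemption of the same code fail even with the right verifier.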

Real-World Example

Okta processes 50+ billion authentication events per month, primarily using OIDC Authorization Code + PKCE for web/mobile apps and SAML 2.0 for enterprise SSO integrations with legacy SaaS apps that predate OIDC.