TL;DR: This overview explains what open standards are and why they matter, then walks through the top open standards used for identity: OAuth 2, OpenID Connect, JWT, and SAML. Open standards are important to understand, but it is easy to get overwhelmed by their technical specifications.

"An overview of the top open standards used for identity including OAuth 2, OpenID Connect, JWT, and SAML."

What is an Open Standard?

Identity, and the infrastructure behind making it secure, lightweight, and reliable, can be a challenge, one that can take up a lot of your team's time to get just right. One way to reduce that overhead is to use open standards rather than reinventing the wheel.

Open standards are community- and industry-driven specifications that define the roles in an application, whether that role is the user, the identity provider, or the service provider, and how those roles talk to each other. Standards also define how applications communicate with each other and with service providers. All of this can happen without compromising key details or code.

Open standards can be implemented across many languages, platforms, and technologies, making it easy for a wide variety of organizations to utilize their benefits.

The formation of open standards has created a uniform way of expressing the fundamental keys of identity across the industry, while still allowing flexibility around the specific path of implementation.


Open Standards You May Know

Modern web development relies on a range of well-known open standards that you may already be familiar with. They cover many facets of web development, from JSON (JavaScript Object Notation), used to structure data in a readable format, to HTML (HyperText Markup Language), used for creating web pages, all the way to SAML (Security Assertion Markup Language), which is used for enterprise identities as described below.

Four Common Open Standards for Authentication and Authorization

OAuth 2

OAuth 2 is the latest version of the OAuth protocol, allowing for better authorization flow across many devices and applications. Users can grant a third-party website limited access to their information on another website without exposing their credentials.

OAuth 2 is one of the most widely used open standards for delegating access, and one that you, as a user, probably see implemented often. For example, when you log in to a website that wants access to information from your Google account (e.g., your contacts), you grant that authorization via OAuth 2. You can find the official docs for OAuth 2 here and view Auth0's thorough overview of OAuth 2.

OIDC (OpenID Connect)

OpenID Connect is an identity layer built on top of OAuth 2 that specifies how an application verifies a user's identity, that is, confirms that users are who they say they are.

OIDC is able to retrieve the user’s basic profile information from the identity provider.

For example, when a user visits a website and can log in via Google or Facebook, that application sends the user to Google or Facebook, which authenticates the user and returns the user's verified identity to the application. The application then does not have to store the user's basic profile itself; it relies on Google or Facebook, which already hold the user's information, to verify the identity and grant access.

OpenID Connect is API-friendly and can be used across mobile applications, web-based applications, all JavaScript clients, and many other types of clients. OIDC also requires the use of JSON Web Tokens which we will get into next. You can find the official docs for OpenID Connect here.

JWT (JSON Web Tokens)

Sending information, such as user data, across many different applications can be done using JSON Web Tokens. A JSON Web Token encodes information into a long string of characters that can be broken into three parts:

  • The header, which declares the signing algorithm and the token type.
  • The payload, or data, where you could have the name of the user or other relevant information like the token expiration time or the subject.
  • The signature, computed over the encoded header and payload together with a secret.

The JWT can get long, but this open standard provides a straightforward way to transfer information. If you visit jwt.io, there is a debugger where you can paste any encoded JWT and it will decode it for you, as follows:

JWT - encoded:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

JWT - decoded:

Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Verify Signature:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
)

JWTs can be verified and trusted because they carry a signature. That signature lets the receiver detect whether the header or payload was changed while the JWT was in transit. You can find more information on JWTs here.
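To make the three parts concrete, here is an added Python example (not code from the original post or from Auth0) that rebuilds the jwt.io sample token above from its header, payload and the secret your-256-bit-secret, and verifies it the way a receiving service should: the verifier pins the algorithm to HS256 rather than trusting the token's alg field, and compares the HMAC in constant time.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The sample token above: jwt.io's default header, payload and secret.
SECRET = b"your-256-bit-secret"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url with the trailing '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url_encode stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(header: dict, payload: dict, secret: bytes) -> str:
    # Compact JSON (no spaces) so the segments match what jwt.io shows.
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(signature)])


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the HS256 signature checks out, otherwise None."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the verifier decides it, never the token
        # (a token claiming "none" or any other alg is rejected outright).
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so timing does not reveal matching bytes.
        if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
```

encode_jwt(HEADER, PAYLOAD, SECRET) returns exactly the encoded token shown above, and verify_jwt returns None for a wrong secret, a modified payload, or a token whose header claims a different algorithm.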

SAML (Security Assertion Markup Language)

SAML is an XML-based open standard for securely communicating identities between organizations. It is a great tool for businesses that need to pass user authentication and authorization information to other organizations whose systems their employees need access to. Some benefits include:

  • Increased security through a single point of authentication.
  • Improved user experience through a single sign-on access point.
  • Centralized user access control, allowing for a one-stop authentication point.

SAML uses an SSO (single sign-on) model: digitally signed XML documents are passed between the business and the multiple third-party entities it has partnered with. You can find more information on SAML here.


Summary

As we have seen, the flexibility of open standards lets the identity industry stay on the same page, reduce overhead, and express the fundamental keys of identity in a uniform way. When everyone implements a standard way of doing things, authentication and authorization can flow as expected across different languages, projects, and teams.

At Auth0 we use open standards so that we can connect our product to users and clients alike in a standard and secure way. Identity can be tricky, but here at Auth0 you can rest assured that your users are backed by industry-defined open standards. We use open standards to provide you with a secure solution that can be implemented in a matter of minutes. We have you covered, open standards and all.

Want to continue learning about these open standards? Visit the Auth0 docs for the above-mentioned open standards.
