What is OAuth? | SAML vs. OAuth

OAuth is a protocol for extending user authorization across multiple applications without sharing the user's identity authentication data with those applications.

Learning Objectives

After reading this article you will be able to:

  • Learn what OAuth is and how it works
  • Explore the difference between authentication and authorization
  • Contrast SAML vs. OAuth

Copy article link

What is OAuth?

OAuth is a technical standard for authorizing users. It is a protocol for passing authorization from one service to another without sharing the actual user credentials, such as a username and password. With OAuth, a user can sign in on one platform and then be authorized to perform actions and view data on another platform.

OAuth makes it possible to pass authorization from one application to another regardless of what the two applications are. OAuth is one of the most common methods used to pass authorization from a single sign-on (SSO) service to another cloud application, but it can be used between any two applications. Other protocols can perform this function as well, although OAuth is one of the most widely used ones.

Imagine a visitor comes to a house when the homeowner is not there, and instead of sending the visitor an actual house key, the owner sends them a temporary code to get into a lockbox that contains the key. OAuth works in a similar manner. In OAuth, one application sends another application an authorization token to give a user access, instead of sending the user's credentials.

How do OAuth authorization tokens work?

Suppose Alice wants to access her company's cloud file storage application. She has already signed into her company's SSO, but she has not yet accessed the file storage application that day. When she opens up the file storage application, instead of simply letting her in, the application requests authorization for Alice from her SSO.

In response, the SSO sends an OAuth authorization token to the application. The token contains information about what privileges Alice should have within the application. The token will also have a time limit: after a certain amount of time, the token expires and Alice will have to sign in to her SSO again.

OAuth tokens are typically sent using HTTPS, meaning they are encrypted. They are sent at layer 7 of the OSI model.

What is OAuth used for?

OAuth can be used both for authorizing users and for allowing one application partial access to another application. One use case that users often encounter is allowing an app to access a social media platform or another online account. Google user accounts can integrate with a lot of different consumer applications, such as blogging platforms, news websites, and various online games. In those cases, the OAuth protocol is used behind the scenes to enable those external apps to access the necessary data from Google.

For businesses, the more common use case for OAuth is in conjunction with identity and access management (IAM) systems. Users may be authorized for application usage via OAuth. For example, an employee can sign in to their company's SSO system with their username and password. This SSO system gives them access to all the applications they need in order to do their jobs, and the SSO system does this by passing OAuth authorization tokens to these apps.

OAuth is one of several authorization protocols that are in use today. These authorization protocols are necessary because there needs to be some way to send authorization information between applications without exposing user login data. Some platforms have developed their own authorization methods: for example, Facebook offers Facebook Connect.

What is OAuth 2.0?

OAuth 2.0 is the latest version of OAuth. The first version of OAuth was published in 2010. OAuth 2.0 was published in 2012, and it fixed a number of vulnerabilities that were present in OAuth 1.0.

SAML vs. OAuth: What is the difference between authentication and authorization?

Authorization and authentication sound similar but are not quite the same thing within access management, and the difference between them is very important for understanding how access management technology (including OAuth) works. Authentication has to do with user identity, whereas authorization has to do with user privileges.

Imagine Bob works in a secure facility with a guardhouse out front. All vehicles that enter the facility stop at the guardhouse, and only known employees are allowed in. The guardhouse is where user authentication takes place: the security guards check Bob's identification card against a list of employees and check his vehicle license plate against a list of allowed vehicles. If they are able to authenticate him and his vehicle, he can drive in and park in the facility parking lot.

However, just because Bob can drive into the facility does not mean he can park his vehicle anywhere he wants. Instead, there are designated parking lots for each type of employee. Bob can only park in his designated parking lot; he cannot take the CEO's parking spot.

OAuth is a protocol for authorization: it ensures Bob goes to the right parking lot. In contrast, Security Assertion Markup Language (SAML) is a protocol for authentication, or allowing Bob to get past the guardhouse.

An identity provider (IdP) or SSO service can use both in conjunction with each other, or OAuth alone (although using OAuth for authentication is considered "pseudo-authentication").

To summarize: SAML and OAuth are different protocols and are used for different purposes, but both are often used with SSO.

Does Cloudflare offer user authentication or authorization?

Cloudflare Zero Trust does not currently offer user authentication — e.g. an SSO service — but it does enable organizations to manage user access and privileges. Cloudflare makes it possible to manage user authorization without the use of a virtual private network (VPN).

Cloudflare Zero Trust integrates with a variety of SSO providers and can even integrate with multiple SSOs, making it easier to provide external agencies and contractors with systems access. Read a blog post about multi-SSO with Cloudflare to learn more.