[System Security] The connections and differences between OAuth, OpenID, SAML, and CAS for unified authentication and authorization

First of all, SSO and permission control are two different things:

1. CAS solves the problem of single sign-on; it does not prescribe a specific method of identity authentication.

2. OAuth, OpenID, and SAML are specifications and standards for identity authentication and authorization; they solve the authentication and authorization problem.

The difference between the OpenID and OAuth protocols can be seen from the core application scenarios defined by their standards:

1. The usage scenario of the OAuth protocol: a user wants to print photos stored on a certain website through a third-party photo printing application, without disclosing the username, password and other credentials for the photo website to that third-party application.

2. The usage scenario of the OpenID protocol: a user who registers on many websites has to register and remember many usernames and passwords. OpenID aims to give the user a single identity ID that can be used to log in to multiple websites. When logging in to a website, the user chooses to log in with this identity ID, is redirected to the site that issued the identity ID, enters the username and password there for authentication, and is then redirected back to the website, now logged in. This is what we commonly see as "Log in with QQ", "Log in with WeChat" and so on.

So we can summarize the core differences between the two protocols:

1. The authentication credential in OAuth must be issued by the resource owner, whereas the OpenID credential can be issued by any regular OpenID Provider that the website you want to log in to supports.

2. OpenID is only an identity marker and can be regarded as an ID card. The OAuth credential must be issued by the resource owner and certifies not only the user's identity in the resource owner's system but also authorization to access certain resources; it can be seen as a key.

3. SAML supports the XACML protocol for permission control. SAML is indeed more complex than OAuth, but it is also very powerful, supporting authentication, permission control, and user attributes.

Further, when developing: if only a single system needs authentication, choose OpenID, OAuth, or SAML according to the usage scenario and technical characteristics. If it is not a single system, that is, not only identity authentication is involved but many systems require single sign-on, you need to choose a CAS authentication scheme (built on OpenID/OAuth/SAML) to achieve it.


Explanation of the OAuth 2.0 authentication and authorization mechanism:

Authentication and authorization process (including a third party). The roles:

1. The service provider: the user stores protected resources such as photos, videos, and contact lists with it.

2. The user: the owner of the protected resources stored at the service provider.

3. The client: a third-party application, usually a website, that wants to access resources held by the service provider. Before the authentication process, the client must apply to the service provider for a client ID.

The flow:

1. The user visits the client's website and wants to operate on the resources stored at the service provider.

2. The client requests a temporary token from the service provider.

3. After the service provider authenticates the client, it grants a temporary token.

4. After obtaining the temporary token, the client directs the user to the service provider's authorization page to request the user's authorization. During this step the temporary token and the client's callback URL are sent to the service provider.

5. The user enters a username and password on the service provider's web page and then authorizes the client to access the requested resources.

6. After authorization succeeds, the service provider redirects the user back to the client's web page and returns the authorized temporary credential.

7. The client obtains an access token from the service provider based on the authorized temporary token.

8. The service provider grants the client an access token based on the temporary token and the user's authorization.

9. The client uses the access token to access the protected resources the user holds at the service provider. (The client can only access the resources of the user who authorized it.)
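The nine steps above, played out in code as an added example (this is not code from the original post or from any OAuth library). It simulates the service provider side and drives a client through the flow: the client authenticates to get a temporary token, the user authenticates and authorizes at the provider without ever giving the client a password, the client exchanges the authorized temporary token for an access token, and the access token is only honoured for the authorizing user's resources. The temporary-credential shape described on the page is that of the OAuth 1.0 three-legged flow; the OAuth 2.0 authorization code grant has the same shape with an authorization code in the role of the authorized temporary token. Two checks are assumptions added here beyond the page's text: the callback URL presented at authorization must match the one the client registered, and a temporary token can be exchanged only once. Client IDs, user names, passwords and photo names are constructed sample data.

```python
import hashlib
import secrets
from urllib.parse import parse_qsl, urlparse


class ServiceProvider:
    """Holds users, their protected resources, registered clients and issued tokens."""

    def __init__(self):
        self.clients = {}        # client_id -> {"secret": str, "callback": str}
        self.users = {}          # username -> (salt, pbkdf2 hash)
        self.resources = {}      # username -> list of protected items
        self.temp_tokens = {}    # temporary token -> {"client_id", "user", "verifier"}
        self.access_tokens = {}  # access token -> {"client_id", "user"}

    # Role 3: the client registers in advance and receives a client ID/secret.
    def register_client(self, client_id, callback):
        secret = secrets.token_urlsafe(16)
        self.clients[client_id] = {"secret": secret, "callback": callback}
        return secret

    # Roles 1 and 2: the provider stores the user's password hash and resources.
    def add_user(self, username, password, resources):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest)
        self.resources[username] = list(resources)

    def _client_ok(self, client_id, client_secret):
        client = self.clients.get(client_id)
        return client is not None and secrets.compare_digest(client["secret"], client_secret)

    def _password_ok(self, username, password):
        if username not in self.users:
            return False
        salt, expected = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return secrets.compare_digest(candidate, expected)

    # Steps 2-3: the client authenticates and is granted a temporary token.
    def issue_temporary_token(self, client_id, client_secret):
        if not self._client_ok(client_id, client_secret):
            raise PermissionError("unknown client or bad client secret")
        token = secrets.token_urlsafe(16)
        self.temp_tokens[token] = {"client_id": client_id, "user": None, "verifier": None}
        return token

    # Steps 4-6: the user logs in at the provider and authorizes the client; the
    # provider redirects back to the callback with the authorized temporary credential.
    def authorize(self, temp_token, callback, username, password):
        state = self.temp_tokens.get(temp_token)
        if state is None or state["user"] is not None:
            raise PermissionError("unknown or already authorized temporary token")
        # Assumption (not on the page): the callback must match the registered one.
        if callback != self.clients[state["client_id"]]["callback"]:
            raise PermissionError("callback does not match client registration")
        if not self._password_ok(username, password):
            raise PermissionError("bad user credentials")
        state["user"] = username
        state["verifier"] = secrets.token_urlsafe(8)
        return f"{callback}?temp_token={temp_token}&verifier={state['verifier']}"

    # Steps 7-8: the client trades the authorized temporary token for an access token.
    def exchange(self, client_id, client_secret, temp_token, verifier):
        if not self._client_ok(client_id, client_secret):
            raise PermissionError("unknown client or bad client secret")
        state = self.temp_tokens.pop(temp_token, None)  # assumption: single use
        if state is None or state["client_id"] != client_id or state["user"] is None:
            raise PermissionError("temporary token not authorized for this client")
        if not secrets.compare_digest(state["verifier"], verifier):
            raise PermissionError("bad verifier")
        access = secrets.token_urlsafe(24)
        self.access_tokens[access] = {"client_id": client_id, "user": state["user"]}
        return access

    # Step 9: the access token only opens the authorizing user's resources.
    def get_resources(self, access_token, username):
        grant = self.access_tokens.get(access_token)
        if grant is None or grant["user"] != username:
            raise PermissionError("access token not valid for this user's resources")
        return list(self.resources[username])


def run_flow():
    """Drive the full flow with constructed data and report what the client could reach."""
    sp = ServiceProvider()
    secret = sp.register_client("print-shop", "https://print.example/cb")
    sp.add_user("alice", "correct horse battery", ["vacation.jpg", "cat.png"])
    sp.add_user("bob", "hunter2", ["boat.jpg"])

    temp = sp.issue_temporary_token("print-shop", secret)
    redirect = sp.authorize(temp, "https://print.example/cb", "alice", "correct horse battery")
    params = dict(parse_qsl(urlparse(redirect).query))  # what the client receives on its callback
    access = sp.exchange("print-shop", secret, params["temp_token"], params["verifier"])

    result = {"alice": sp.get_resources(access, "alice")}
    try:                      # the same token must not reach another user's resources
        sp.get_resources(access, "bob")
        result["bob_denied"] = False
    except PermissionError:
        result["bob_denied"] = True
    try:                      # replaying the authorized temporary token must fail
        sp.exchange("print-shop", secret, params["temp_token"], params["verifier"])
        result["replay_denied"] = False
    except PermissionError:
        result["replay_denied"] = True
    return result


if __name__ == "__main__":
    print(run_flow())
```

The client never sees Alice's password: it is typed only into the provider's page in step 5, which is the whole point of the photo-printing scenario at the top of the post. The access token carries the user it was authorized for, so a request for Bob's photos with Alice's token is refused.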

References:

1. https://zhuanlan.zhihu.com/p/20913727

2. http://m.blog.csdn.net/article/details?id=12190075

Original text: http://blog.sina.com.cn/s/blog_165e646820102xdxw.html
