I'm working on a set of systems that are exposing REST APIs that are authenticated using OAuth 2. Various of these systems have their own independent sets of user accounts; there is no common notion of a user identifier across all the systems.
For interactive usage we already have a SAML Single Sign On solution, so the users can sign on once to the identity provider (which knows their user accounts in all systems) and then be automatically signed in to each system using SAML.
I'd like to extend this pattern to our OAuth 2 authenticated APIs. I.e. allow the users to authenticate once with their Identity Provider credentials, then be able to trigger the OAuth 2 authentication flow against each system to obtain a bearer token, without the need for the user to enter each set of credentials.
I've found 2 draft specs that would allow me to achieve this:
- SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, which would allow me to start an OAuth authentication flow with a SAML request
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, which would allow me to do the same thing using JWT rather than SAML
But these are both draft, and before investing too heavily I'd like to understand if these patterns are in relatively wide usage or if I'm backing an edge case technology.
So my questions are:
- Are these kinds of SSO pattern common with OAuth 2?
- Are there alternatives in common use for solving the same problem?
It appears that these drafts were authored by Salesforce.com and are in use by them: SAML, JWT.
I've also seen a few questions here around their use for Salesforce.com which would suggest they're actually used at least.
I also see an unanswered question asking if Windows Azure supports this flow which would suggest that other people are at least looking for the same problem.
It appears that Google uses the JWT variant for server-to-server applications using a "service account": Details Here.
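To make the JWT variant concrete, here is an added example (not code from the question, the answer, or any of the vendors mentioned) of the two halves of the JWT bearer grant the draft describes: the identity provider mints a short-lived assertion naming the user's account in one target system, the client posts it with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`, and that system's authorization server checks issuer, audience, expiry and signature before exchanging it for a bearer token. It assumes an HS256 shared secret and placeholder URLs for brevity; deployments normally use RS256 with the IdP's public key, and the `sub` value must be the account name that particular system knows, since the page notes there is no common user identifier.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Grant type registered by the JWT profile draft for assertion-based token requests.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_assertion(issuer, subject, audience, key, now=None, lifetime=300):
    """IdP side: mint a short-lived assertion bound to one target system (audience)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}  # assumption: shared secret, not RS256
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + lifetime}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def token_request_body(assertion, scope=None):
    """Client side: form body POSTed to the target system's token endpoint."""
    params = {"grant_type": GRANT_TYPE, "assertion": assertion}
    if scope:
        params["scope"] = scope
    return urlencode(params)

def verify_assertion(assertion, key, expected_issuer, expected_audience, now=None):
    """Authorization server side: return the subject only if every check passes."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = assertion.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(c))
    # Audience check is what stops an assertion for system B being replayed against system C.
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims["sub"]
```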