OculusCyber Logo

OculusCyber

Home

Browse Topics

Security Best Practices

AI Security Frameworks

Threat Intelligence

Compliance

OAuth OIDC Concepts and when to use what

By Admin

November 12, 2025

A progressive, enterprise-grade learning path — the kind that builds depth layer by layer: from OAuth fundamentals → PKCE → OIDC → SAML → enterprise use-case integration.

LEVEL 1 — Core Concept: What OAuth 2.0 Really Does

Goal: Understand that OAuth is authorization, not authentication.

The Problem It Solves

Users don't want to hand out their passwords to every app that needs data from another system (Google Photos, Salesforce, etc.). OAuth lets users delegate limited access safely.

Key Roles in Every OAuth 2.0 Transaction

Role

Description

Example

Resource Owner

The user who owns the data

You, the Google user

Client

The app asking for access

A photo-printing app

Authorization Server

Issues tokens after authenticating the user

accounts.google.com

Resource Server

Hosts the protected data

Google Photos API

Core Principle

The client never sees the user's password — only a token representing delegated permission.

Real Enterprise Example

A third-party payroll app integrates with Workday's API.Workday acts as the Authorization + Resource Server, issuing access tokens so the payroll app can read employee data without ever seeing Workday credentials.

LEVEL 2 — OAuth 2.0 Grant Types (Flows)

Each "grant" = a pattern for how the client gets the token.

Flow

Used By

Security Level

Typical Enterprise Use

Authorization Code

Server-side web apps

High

Web app calling corporate APIs

Authorization Code + PKCE

SPAs & mobile apps

Highest

Mobile banking app

Client Credentials

Service-to-service

High

Backend microservices in same org

Resource Owner Password

Deprecated (legacy)

Low

Internal tools only

Device Code

IoT / Smart TVs

Moderate

Login on a smart display

Refresh Token

Extends session

Token renewal for long sessions

LEVEL 3 — PKCE: Securing the Authorization Code Flow

Problem PKCE fixes:Public clients (mobile/SPAs) can't store a client_secret. If an attacker steals the authorization code from the redirect URL, they could redeem it for tokens.

PKCE (RFC 7636) adds a one-time proof of possession step:

  1. App creates random code_verifier → hashes it → code_challenge.
  2. App sends code_challenge in the initial redirect.
  3. Authorization Server stores it.
  4. Later, app redeems the code using its original code_verifier.
  5. Server hashes it again → compares → issues token only if it matches.

Because SHA-256 is one-way, interception of the challenge is useless.

Enterprise Example:Hilton's mobile check-in app → redirects users to login.hilton.com.Even if a malicious Wi-Fi hotspot sniffs the redirect URL, it cannot replay the authorization code because it lacks the code_verifier.

LEVEL 4 — OpenID Connect (OIDC): Adding Authentication on Top

OAuth 2.0 = "Can app X access resource Y?"OIDC = "Who is this user?"

OIDC reuses the OAuth flows but adds the ID Token (a JWT signed by the Identity Provider).

Extra Players

Term

Role

OpenID Provider (OP)

Authenticates user, issues ID Token + Access Token (e.g., Okta, Azure AD, Google)

Relying Party (RP)

The application trusting the OP's identity claims

How It Extends OAuth

  1. Client requests both openid scope and usual OAuth scopes.
  2. After user login, OP issues:
    • Access Token → for API calls
    • ID Token → contains identity claims (sub, email, name, etc.)
  4. Client validates the ID Token's signature and logs the user in.

Enterprise Use Case:Employee signs in to multiple SaaS tools via Azure AD.Azure AD (OP) issues ID Tokens → each SaaS app (RP) trusts them → seamless SSO.

LEVEL 5 — SAML 2.0: The Older Enterprise Workhorse

SAML (Security Assertion Markup Language) predates OIDC.It's XML-based and used heavily in classic enterprise SSO with on-prem IdPs.

Flow Summary

  1. User tries to access a Service Provider (SP) — e.g., salesforce.com.
  2. SP redirects to Identity Provider (IdP) — e.g., Okta, AD FS.
  3. User authenticates.
  4. IdP sends back a SAML Assertion (an XML doc) to the SP.
  5. SP validates the signature (using IdP's public key) → user logged in.

Comparison: OIDC vs SAML

Feature

OIDC

SAML

Format

JSON (JWT)

XML

Transport

REST + HTTPS

Browser POST (Redirect/Artifact)

Primary Use

Modern web/mobile/cloud

Legacy enterprise SSO

Ease of Integration

Simple (JSON tokens)

Verbose XML

Token Type

ID Token (JWT)

Assertion (XML)

Enterprise Pattern

  • SAML for older SaaS like Workday, Salesforce Classic.
  • OIDC for modern microservices and SPAs.Most large orgs run both via an IdP that supports protocol bridging (Okta, Ping, Azure AD).

LEVEL 6 — Tying It All Together in an Enterprise Architecture

1. Identity Federation Hub

Use a central Identity Provider (IdP) such as Okta or Azure AD.

  • Supports both SAML and OIDC.
  • Acts as the Authorization Server for OAuth 2.0 flows.
  • Issues both Access and ID Tokens.

2. Application Types

App Type

Flow

Notes

Web portal

Authorization Code (server-side)

Keeps client_secret secure

SPA / mobile

Authorization Code + PKCE

No secret, PKCE protects flow

Backend microservice

Client Credentials

Machine-to-machine auth

Legacy enterprise

SAML

Bridge via IdP if needed

3. Typical Enterprise Use Cases

Scenario

Protocol/Flow

Description

SSO across corporate apps

OIDC or SAML

Centralized identity via IdP

Mobile banking login

OAuth 2.0 + PKCE

Public client auth

API gateway → microservice

OAuth 2.0 (Client Credentials)

Token-based service auth

Partner access to customer data

OAuth 2.0 (Auth Code)

Scoped, auditable consent

Legacy HR app integration

SAML

XML assertions for identity

Zero Trust app access

OIDC + PKI

Certificates + tokens verify both device and user

LEVEL 7 — Enterprise Security Considerations

  1. Use PKCE for every public client — mandatory in OAuth 2.1.
  2. Always use HTTPS for all endpoints.
  3. Validate redirect URIs to prevent code-injection attacks.
  4. Use short-lived Access Tokens + Refresh Tokens with rotation.
  5. Centralize token issuance at the IdP (Azure AD, Okta, Ping).
  6. Log every token issuance and validation for compliance (PCI/SOC2).
  7. Adopt Zero Trust: every API call re-authenticates via token validation.

LEVEL 8 — Visual Mental Model (Quick Recap)

User (Resource Owner)
   ↓ login/consent
Authorization Server (IdP) ── issues tokens ──► Client App
   │                                        │
   │ access token verifies identity          │
   ▼                                         ▼
Resource Server (API)  ◄───── token ───────  Client (Web/Mobile)

Add OIDC → you also get an ID Token for login.Add PKCE → you protect the Authorization Code from replay.Use SAML → same goal, older XML protocol.

LEVEL 9 — When to Use What

Goal

Best Protocol

Reason

Authorize an app to access user data

OAuth 2.0

Token-based delegated access

Authenticate a user via third-party login (SSO)

OpenID Connect

Adds ID Token for identity

Integrate with legacy enterprise apps

SAML 2.0

Mature, widely supported

Authenticate devices / servers without users

Client Credentials (OAuth) + PKI

Machine-to-machine trust

Hybrid environment (cloud + legacy)

IdP supporting both (Okta/Azure AD)

Protocol bridging

GoalBest ProtocolReason
Authorize an app to access user dataOAuth 2.0Token-based delegated access
Authenticate a user via third-party login (SSO)OpenID ConnectAdds ID Token for identity
Integrate with legacy enterprise appsSAML 2.0Mature, widely supported
Authenticate devices / servers without usersClient Credentials (OAuth) + PKIMachine-to-machine trust
Hybrid environment (cloud + legacy)IdP supporting both (Okta/Azure AD)Protocol bridging
ScenarioProtocol/FlowDescription
SSO across corporate appsOIDC or SAMLCentralized identity via IdP
Mobile banking loginOAuth 2.0 + PKCEPublic client auth
API gateway → microserviceOAuth 2.0 (Client Credentials)Token-based service auth
Partner access to customer dataOAuth 2.0 (Auth Code)Scoped, auditable consent
Legacy HR app integrationSAMLXML assertions for identity
Zero Trust app accessOIDC + PKICertificates + tokens verify both device and user
App TypeFlowNotes
Web portalAuthorization Code (server-side)Keeps client_secret secure
SPA / mobileAuthorization Code + PKCENo secret, PKCE protects flow
Backend microserviceClient CredentialsMachine-to-machine auth
Legacy enterpriseSAMLBridge via IdP if needed
FeatureOIDCSAML
FormatJSON (JWT)XML
TransportREST + HTTPSBrowser POST (Redirect/Artifact)
Primary UseModern web/mobile/cloudLegacy enterprise SSO
Ease of IntegrationSimple (JSON tokens)Verbose XML
Token TypeID Token (JWT)Assertion (XML)
TermRole
OpenID Provider (OP)Authenticates user, issues ID Token + Access Token (e.g., Okta, Azure AD, Google)
Relying Party (RP)The application trusting the OP's identity claims
FlowUsed BySecurity LevelTypical Enterprise Use
Authorization CodeServer-side web appsHighWeb app calling corporate APIs
Authorization Code + PKCESPAs & mobile appsHighestMobile banking app
Client CredentialsService-to-serviceHighBackend microservices in same org
Resource Owner PasswordDeprecated (legacy)LowInternal tools only
Device CodeIoT / Smart TVsModerateLogin on a smart display
Refresh TokenExtends sessionToken renewal for long sessions
RoleDescriptionExample
Resource OwnerThe user who owns the dataYou, the Google user
ClientThe app asking for accessA photo-printing app
Authorization ServerIssues tokens after authenticating the useraccounts.google.com
Resource ServerHosts the protected dataGoogle Photos API