OAuth – Much More than Facebook

27 May OAuth – Much More than Facebook

We just recently celebrated a decade of SAML, one of the prevailing standards in the Identity and Access Management world. SAML has been around for a long time, and enables online services accept identity and attribute information from 3rd parties (Identity Providers), and transfer identities across domains or connected services providing end users the smooth single sign-on experience.

OAuth on the other hand has become widely popular through Facebook. Thousands of online sites support Facebook identities, letting users conveniently access the services with their social identities. But OAuth is not just Facebook, it’s a full fledged authorization protocol enabling multiple use cases beyond simple social login.

Many mobile apps are using Facebook to uniquely identify a user when the apps are connecting to the servers, and retrieving data. Using Facebook is easy and convenient for the end users, and it lets the app developers track the user activity and possibly store usage and other data in the servers. Social identities in general are weak, and shouldn’t be considered to protect any confidential information, such as health or financial data.

Not just mobile apps, also desktop applications and especially connected devices (Internet of Everything) can easily integrate OAuth for identifying the user. But not all devices and apps are equal. Apps generating, handling and communicating confidential data should use stronger methods to verify the user identity, and connected devices without any input methods can’t really use direct methods that require user input.

Ubisecure SSO, part of our Identity Platform, has built in support for OAuth 2.0 and can act as an authorization server. Ubisecure SSO also supports over 20 different authentication methods out-of-the-box. These two features enable mobile app, desktop application and device developers/manufacturers easily deploy just the right method for user identity verification by just adding a few lines of code to their app/device.

A mobile app can connect to Ubisecure SSO using the embedded browser component. The web component (e.g. in iOS; webview) will receive the content from Ubisecure SSO where suitable authentication mechanisms can be configured. (Facebook, Google+, mobile PKI, SMS OTP, national eID, Bank IDs etc). This enables the app/application developer to use as simple as possible modification/addition to their apps, and yet still benefit from multiple authentication methods from social to multi-factor out-of-band methods. Another benefit from this approach is that authentication methods can be added or removed anytime without any modifications to the app/application code.

One of the unique features in Ubisecure SSO is something called user driven federation. This feature allows end users to combine different identities, and use the most convenient one for authentication. PKI smart cards are not usable in mobile or device scenarios unless the device has a smart card reader. But with user driven federation the end user can combine their PKI credentials with something that is usable in the mobile use case. Although they wouldn’t be using the PKI smart card for authentication, they could use another identity verified by the smart card identity.

With Ubisecure SSO it is easy to go beyond Facebook. Authenticating a user in e.g. a mobile app using stronger methods than social identities only need a few lines of embedded code.