Questions: Why JWT? SAML vs OAuth vs JWT

From IIW


Tuesday 1K

Convener: Venkata Tadepalli

Notes-taker(s): Venkata Tadepalli

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

1. JWT and SAML are two different formats for getting assertions from an Identity Provider (IdP).

2. OAuth is an authorization protocol used for delegated access; here the Service Provider (SP) issues the access token and refresh tokens. These tokens can be issued in JWT format.

3. The SP is not required to verify the JWT in the following use case:

  • If ServiceA has received the JWT from the IdP and does not intend to delegate any access to a 3rd-party service
  • And the JWT carries sufficient claims for ServiceA to process the request
  • And ServiceA can verify the JWT signature with the help of the public key (if the JWT comes with a public key)