Use OAuth 2.0 and OpenID Connect As Protocols for Authentication and Authorization

  • Status: accepted

  • Date: 2020-06-02

Context and Problem Statement

What protocol(s) shall we use as the new standard for authentication and authorization? It would be supported by our new centralized authority server and should be implemented in all new clients and resource systems needing authentication or authorization. A requirement might be made that the authority service needs to support other protocols for legacy systems, but all new systems should be encouraged to use the same protocol.

Decision Drivers

  • Secure

  • Well defined and well reviewed standard

  • Easy to implement by client and resource systems

  • Support for non-web client systems, e.g. mobile devices

Considered Options

  • OAuth 2.0 + OpenID Connect

  • SAML 2.0

Decision Outcome

Chosen option: "OAuth 2.0 + OpenID Connect", because it is secure and well examined and has support libraries for our tech stack.

Pros and Cons of the Options

OAuth 2.0 + OpenID Connect

  • Good, because the authentication protocol is designed specifically to work with the authorization protocol.

  • Good, because it supports non-web clients, e.g. native apps.

  • Good, because it has certified, open source libraries for relying parties for OpenID authentication that match our tech stack (JavaScript with TypeScript definitions).

  • Bad, because it could require large tokens for authorization for multiple services, or split-up tokens complicating the process.

SAML 2.0

  • Good, because it is the currently used standard for legacy systems.

  • Bad, because it doesn't have good support for non-web clients.

  • Bad, because its main focus is on enterprise SSO, not centralized authorization.


Last updated 2 years ago