# Use OAuth 2.0 and OpenID Connect As Protocols for Authentication and Authorization

* Status: accepted
* Date: 2020-06-02

## Context and Problem Statement

What protocol(s) shall we use as the new standard for authentication and authorization? It would be supported by our new centralized authority server and should be implemented in all new clients and resource systems needing authentication or authorization. A requirement might be made that the authority service needs to support other protocols for legacy systems, but all new systems should be encouraged to use the same protocol.

## Decision Drivers

* Secure
* Well defined and well reviewed standard
* Easy to implement by client and resource systems
* Support for non-web client systems, e.g. mobile devices

## Considered Options

* OAuth 2.0 + OpenID Connect
* SAML 2.0

## Decision Outcome

Chosen option: "OAuth 2.0 + OpenID Connect", because it is secure, well examined, and has support libraries for our tech stack.

## Pros and Cons of the Options

### OAuth 2.0 + OpenID Connect

* Good, because the authentication protocol is designed specifically to work with the authorization protocol.
* Good, because it supports non-web clients, e.g. native apps.
* Good, because it has certified, open source libraries for relying parties for OpenID authentication that match our tech stack (JavaScript with TypeScript definitions).
* Bad, because it could require large tokens for authorization for multiple services, or split-up tokens, complicating the process.

### SAML 2.0

* Good, because it is the currently used standard for legacy systems.
* Bad, because it doesn't have good support for non-web clients.
* Bad, because its main focus is on enterprise SSO, not centralized authorization.

