Questions: Why JWT? SAML vs OAuth vs JWT
From IIW
Tuesday 1K
Convener: Venkata Tadepalli
Notes-taker(s): Venkata Tadepalli
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
1. JWT and SAML are two different formats for the assertions obtained from an Identity Provider (IdP).
2. OAuth is an authorization protocol used for delegated access; here the Service Provider (SP) issues the access token and refresh tokens. These tokens can be issued in JWT format.
3. The SP is not required to verify the JWT in the following use case:
- If ServiceA has received the JWT from the IdP and does not intend to delegate any access to a third-party service
- And the JWT has sufficient claims for ServiceA to process the request
- And ServiceA can verify the JWT signature with the help of the public key (if the JWT comes with a public key)
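
The use case in item 3, as an added example that is not part of the session notes: ServiceA validates an RS256 JWT entirely on its own, checking the signature and then the claims it needs. The issuer URL, audience name, required claim names and the `issueToken` stand-in for the IdP are assumptions made for illustration, and the public key is assumed to be one ServiceA already holds for the IdP.

```javascript
// Added example: local JWT validation inside ServiceA (Node.js standard library only).
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Constructed stand-in for the IdP: a throwaway RSA key pair and an RS256 signer.
const idp = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function issueToken(claims, privateKey = idp.privateKey) {
  const input = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' +
                b64url(JSON.stringify(claims));
  return input + '.' + b64url(crypto.sign('sha256', Buffer.from(input), privateKey));
}

// ServiceA side: verify the signature with the IdP public key, then confirm the
// token carries every claim the request needs. `expected` is a hypothetical policy object.
function validateLocally(token, idpPublicKey, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims || typeof claims !== 'object') return { ok: false, reason: 'malformed' };
  // Pin the algorithm so the token header cannot choose how it is verified.
  if (header.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const sigOk = crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
                              idpPublicKey, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad signature' };
  if (claims.iss !== expected.iss) return { ok: false, reason: 'wrong issuer' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.aud)) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  // "Sufficient claims": everything the request handler needs must be present.
  const missing = expected.required.filter((c) => !(c in claims));
  if (missing.length) return { ok: false, reason: 'missing claims: ' + missing.join(',') };
  return { ok: true, claims };
}
```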