SSO & OAuth


Quick Reference

SSO: Single Sign-On - one login for multiple apps

OAuth 2.0: Authorization framework for delegated access

OpenID Connect: Authentication layer on OAuth 2.0


Clear Definition

SSO allows users to authenticate once and access multiple applications. OAuth 2.0 enables applications to access resources on a user's behalf without the user handing those applications their credentials.

💡 Key Insight: OAuth 2.0 is for authorization (what an app may do); OpenID Connect adds authentication (who the user is).


Core Concepts

OAuth 2.0 Flow

  1. User authenticates at the authorization server and consents to the app's request
  2. App receives an authorization code at its redirect URI
  3. App exchanges the code for an access token at the token endpoint
  4. App presents the access token to the resource server to access resources

OpenID Connect

  • Adds an authentication layer on top of OAuth 2.0
  • Returns an ID token (a signed JWT with claims about the user)
  • Standardized user info (UserInfo endpoint and standard claims)

Best Practices

  1. Use HTTPS: Every endpoint and redirect URI over TLS; never send codes or tokens in the clear
  2. State Parameter: Bind each callback to the session that started it, to prevent CSRF
  3. PKCE: Required for public clients (mobile apps, SPAs) that cannot keep a client secret
  4. Scope Limitation: Request only the scopes the app actually needs
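The authorization-code flow above, with the state and PKCE practices applied, as an added example that is not part of the original page. It shows the client side (building the request, checking the callback) and the one check the authorization server makes on the code exchange; the endpoint URLs and client id are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example/authorize"  # placeholder authorization server
REDIRECT_URI = "https://app.example/callback"     # placeholder client redirect URI

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def query_params(url: str) -> dict:
    """First value of each query parameter in a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def start_login(scopes=("openid",)):
    """Step 1: build the authorization request; state and verifier stay in the session."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    state = secrets.token_urlsafe(16)           # unguessable, fresh per login attempt
    params = {
        "response_type": "code",
        "client_id": "example-client",          # placeholder client id
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),              # request only the scopes needed
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", {"state": state, "verifier": verifier}

def handle_callback(callback_url: str, session: dict) -> str:
    """Step 2: accept the authorization code only if state matches this session."""
    qs = query_params(callback_url)
    if not secrets.compare_digest(qs.get("state", "").encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback not bound to this login (CSRF?)")
    return qs["code"]

def server_verify_exchange(code_challenge: str, code_verifier: str) -> bool:
    """Step 3, server side: the exchange succeeds only if the verifier sent with
    the code hashes to the challenge that was stored when the code was issued."""
    return secrets.compare_digest(pkce_challenge(code_verifier).encode(),
                                  code_challenge.encode())
```

In a real client the session dict lives in server-side session storage keyed by the user's cookie, and the code exchange is a POST to the token endpoint carrying `code_verifier`.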

Quick Reference Summary

SSO: One login for multiple apps.

OAuth 2.0: Authorization framework.

OpenID Connect: Authentication on OAuth.

Key: OAuth for authorization, OpenID Connect for authentication.

