I am working on a project to implement token based authentication in a system. I was thinking about using either SAML or OAuth.
I wanted to know if it is possible to represent the actual policies (which are ACL based for the system) inside the token. With the current design, I was thinking about giving the user a token which would contain all the resources and the permitted roles. The service, upon the request of the user, which check this token to see if the user has the required permission on the resources involved.
Is it possible to be represented using either SAML/OAuth tokens? If it is possible in both, which one should be used here. From most of the examples I saw, SAML is used for SSO solutions and OAuth is used for defining actual authorization policies. But it was not clear from the demos/examples if it is possible to give restrictive access on a particular resource using OAuth.
e.g. when a Facebook app wants to access your photos using OAuth, is it possible to restrict the access to only a particular album? Or is it more like all or nothing approach. Are there any resources which I can read to get more information?
Most architectures (for both SAML and OAuth) use tokens that contain attributes upon which the relying party (or receiving API) then interprets and applies its own policy (ACL) upon.
In the case of OAuth, scopes are used to designate what permissions the Access Token represents. Scopes can be as fine grained as you like (to cover cases like single photo album restriction). These may have been authorized by the user in certain OAuth flows. The token itself is not defined in the OAuth 2.0 spec – but you could make the format self-contained (perhaps digitally signed by the token issuer) so the scopes are held within it. Some models use opaque tokens that need to be validated via callback (maybe back channel) to the issuer, then the scopes are returned to the relying party.
In SAML, an Attribute Statement can be present within a Assertion for a similar purpose. The relying party interprets individual attributes to determine what the user is authorized to do. The Attribute Statement may come through as part of SSO or it might be obtained via AttributeQuery at some later point (after authentication).