volatiletech / authboss

The boss of http auth.
MIT License

oauth2 is not intended for Single Sign On #324

Closed restourgie closed 3 years ago

restourgie commented 3 years ago

I would like to inform you that oauth2 is not intended for Single Sign On.

Just to quote RFC 6749: "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf."

The protocol you need to implement for Single Sign On is OpenID Connect: https://openid.net/specs/openid-connect-core-1_0.html The protocols are very much alike. For instance, the authorisation code flow (the most secure and recommended one) only differs in the tokens you obtain from the OpenID Provider (an Identity Token on top of an Access Token).
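
The distinction drawn in this comment, as an added example that is not part of the issue and not authboss code: a Go check on the token-endpoint response of the authorization code flow that refuses to treat a plain OAuth 2.0 response (access_token only) as a login and validates the OIDC id_token claims that bind it to this client and login attempt. The function name, claim struct and all sample values are my own; it assumes the ID Token's JWS signature has already been verified against the provider's keys (that step is not shown).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// ErrNoIdentity: the response grants delegated access but asserts nothing about who the user is.
var ErrNoIdentity = errors.New("no id_token: response authorizes but does not authenticate")
// IDClaims bind an ID Token to this client and login attempt (aud is taken as a single string).
type IDClaims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
	Nonce    string `json:"nonce"`
}

// AuthenticatedSubject returns the end user's identifier (sub) from a token-endpoint
// response. A plain OAuth 2.0 server returns only access_token; an OpenID Provider also
// returns id_token, the only field that may decide who logged in. Signature assumed verified.
func AuthenticatedSubject(body []byte, issuer, clientID, nonce string, now time.Time) (string, error) {
	var tr map[string]interface{}
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", err
	}
	idToken, _ := tr["id_token"].(string)
	if idToken == "" {
		return "", ErrNoIdentity // an access token alone proves nothing about who the user is
	}
	parts := strings.Split(idToken, ".") // compact JWS: header.payload.signature
	if len(parts) != 3 {
		return "", errors.New("id_token is not a compact JWS")
	}
	var c IDClaims
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &c)
	}
	if err != nil {
		return "", err
	}
	if c.Issuer != issuer || c.Audience != clientID || c.Nonce != nonce || !now.Before(time.Unix(c.Expiry, 0)) {
		return "", errors.New("id_token is not valid for this client and login attempt (iss/aud/nonce/exp)")
	}
	return c.Subject, nil
}
```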

aarondl commented 3 years ago

The idea is to have authboss enable your website to use say Github logins via oauth2 and retrieve information from Github to use on your site.

So having said that, I'm not sure why you're informing me that oauth2 is not used for single sign on. Is it because we attempt to coerce multiple different oauth2 accounts into the same database user?

restourgie commented 3 years ago

Ah ok! The use case is a valid one. The reason I got confused was because Authboss states that it is an authentication system. Thus being able to support federated login (SSO) via either SAML2 or OIDC in both directions (as a 3rd party, or providing SSO for 3rd parties) sounds like a valid authentication use case. Authorisation, on the other hand, could be seen as a bit of scope creep.

aarondl commented 3 years ago

Makes sense. Thanks for the comment.