Identity and access control

OAuth 2.0, defined in RFC 6749 (2012), allows a resource owner to grant a third-party client limited access to a protected resource without sharing their credentials. It delegates authorisation, not authentication. Four roles are involved: the Resource Owner (user who owns the data), the Client (application requesting access), the Authorisation Server (issues tokens after authenticating the user), and the Resource Server (hosts protected resources and validates tokens).

Authorization Code with PKCE (RFC 7636) is the correct flow for all public clients: single-page applications, mobile apps, and CLI tools where a client secret cannot be stored securely. The client generates a random code_verifier, hashes it with SHA-256 to produce a code_challenge, and includes the challenge in the authorisation request. The server stores it and later verifies the original verifier during the token exchange. An intercepted authorisation code is useless without the verifier, which never left the client device.

Client Credentials flow is for machine-to-machine communication where there is no human resource owner. A backend service authenticates directly with the authorisation server using its own client_id and client_secret, receiving an access token scoped to its permitted operations.

The Implicit flow is deprecated in RFC 9700 (OAuth 2.0 Security Best Current Practice) because access tokens appear in the URL fragment, exposing them to referrer headers and browser history. The Resource Owner Password Credentials flow requires the app to handle raw user passwords, defeating the purpose of OAuth delegation.

OpenID Connect (OIDC), standardised by the OpenID Foundation in 2014, is an identity layer built on top of OAuth 2.0. OAuth 2.0 handles authorisation (what you can do); OIDC handles authentication (who you are). OIDC adds an ID token, a UserInfo endpoint, and standardised claims about the authenticated user.

An OAuth 2.0 access token grants access to a resource. It says nothing about who the user is and should not be parsed to determine user identity. An OIDC ID token is a JWT carrying claims about the authenticated user: sub (subject identifier), email, name, iat (issued at), exp (expiry), and others. It is intended for the client, not the resource server.

Security Assertion Markup Language (SAML) 2.0, standardised by OASIS in 2005, remains dominant for enterprise single sign-on in environments with large on-premises directories such as Microsoft Active Directory Federation Services. SAML uses XML-based assertions: authentication assertions (proves login), attribute assertions (carries user attributes), and authorisation decision assertions (states what the user may do).

SAML's weakness relative to OIDC is complexity. In 2018, researchers disclosed XML signature wrapping vulnerabilities affecting Duo Security, OneLogin, and GitHub Enterprise (CVE-2018-7340 and related). An attacker with any valid account could forge assertions for arbitrary users by manipulating the XML structure. Libraries implementing SAML must be kept current and validated against known wrapping attack patterns.

A JSON Web Token consists of three Base64URL-encoded segments separated by periods: header.payload.signature. The header specifies the token type and signing algorithm. The payload carries claims: sub (subject), iss (issuer), aud (audience), exp (expiry), iat (issued at), and scope. The signature is a cryptographic proof over the header and payload; for RS256 it uses the authorisation server's private key and is verified by the resource server using the corresponding public key from the server's JWKS endpoint.

RFC 9068 defines the JWT Profile for OAuth 2.0 Access Tokens. Receivers must validate: token signature, iss against an allowlist, aud against the current service identifier, exp against current time, and nbf (not before) if present.

The alg:none attack is well-documented: some JWT libraries accept a token with "alg":"none" in the header and skip signature verification entirely. Libraries that accept both HS256 and RS256 can also be confused into verifying an RS256 token using the public key as an HMAC secret. Always configure JWT verification to accept only the specific algorithm your authorisation server uses.

Browser-based sessions use cookies. The baseline security attributes are: HttpOnly (cookie inaccessible to JavaScript, prevents XSS theft), Secure (transmitted only over HTTPS), and SameSite=Strict or Lax (prevents CSRF by blocking cross-site cookie submission). The __Host- cookie prefix forces Secure and prevents domain-scoped setting.

Session fixation occurs when an attacker sets a session token before the user authenticates and then waits. The defence is to issue a new session token immediately after successful authentication. Session lifetime must be bounded with absolute timeouts in addition to idle timeouts.

Privilege escalation attacks exploit authorisation logic. Vertical escalation: a low-privilege user gains high-privilege functions by modifying a hidden form field or request parameter containing role data. Horizontal escalation: a user accesses another user's resources at the same privilege level by changing an identifier in the URL. Both are prevented by server-side authorisation checks on every request, never trusting client-supplied role or permission data.