OAuth is not Single Sign On
February 24th, 2017
Posted in General
We have seen a lot of questions come in about using WordPress OAuth Server for Single Sign On. From these questions we are starting to see that there is a misconception about OAuth being Single Sign On (aka SSO).
What is OAuth?
OAuth 1.0a and OAuth 2 are user authentication protocols that allow a user to authorize an outside system to act on their behalf. The protocol uses what are known as access tokens. Once an access token is obtained, an outside system can then do things on behalf of the user.
What is Single Sign On?
SSO is a term used by many that describes a user being able to use the same user credentials on many different systems. For example, you may want your users to be able to seamlessly log into your intranet, your CRM system and ticketing system using only a single login.
So why is OAuth not Single Sign On?
SSO is not the same thing as OAuth. Period… SSO simply uses OAuth (one of many ways) as a means to allow the same user credentials on multiple systems. The steps the OAuth protocol defines can be used to obtain an access token. Once an access token is obtained, a system makes a request to the OAuth provider for the user's information. Using this information, the system can then check whether the user has an account in its own database. If the user does not have an account, the system can create one using the user's email or other unique identifier.
All of this process takes place behind the scenes making the connection and login process SSO.
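The "look up or create the local account" step described above, written out as an added example (not code from the WP OAuth Server plugin). The userinfo document is a constructed sample, and its field names (id, email, display_name) are an assumption, not the plugin's actual response format; the account is keyed on the provider's own user id rather than the e-mail address, since an e-mail can change hands or go unverified at the provider.

```python
# Added example: the account lookup/provisioning step of an OAuth-based SSO
# login. The provider response below is a constructed sample; its field
# names are an assumption, not the plugin's real userinfo format.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LocalUser:
    local_id: int
    provider_user_id: str   # stable id issued by the OAuth provider
    email: str
    display_name: str


@dataclass
class UserStore:
    """Tiny in-memory stand-in for the consuming system's user table."""
    users: list = field(default_factory=list)

    def find_by_provider_id(self, provider_user_id: str) -> Optional[LocalUser]:
        return next((u for u in self.users if u.provider_user_id == provider_user_id), None)

    def create(self, provider_user_id: str, email: str, display_name: str) -> LocalUser:
        user = LocalUser(len(self.users) + 1, provider_user_id, email, display_name)
        self.users.append(user)
        return user


def provision_user(userinfo: dict, store: UserStore) -> tuple[LocalUser, bool]:
    """Return (local account, created?) for a userinfo document fetched with the access token.

    The match key is the provider's user id, not the e-mail: an address can be
    changed, re-assigned, or left unverified, so linking on it alone lets one
    provider identity be mapped onto another user's local account.
    """
    provider_user_id = str(userinfo["id"])
    existing = store.find_by_provider_id(provider_user_id)
    if existing is not None:
        return existing, False
    created = store.create(provider_user_id, userinfo["email"], userinfo.get("display_name", ""))
    return created, True


# Constructed sample of what the provider might return for the token's owner.
SAMPLE_USERINFO = {"id": 42, "email": "alice@example.com", "display_name": "Alice"}

if __name__ == "__main__":
    store = UserStore()
    print(provision_user(SAMPLE_USERINFO, store))   # created on first login
    print(provision_user(SAMPLE_USERINFO, store))   # found on a later login
```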
What about WordPress Single Sign On?
Using a plugin like WP OAuth Server, you can enable your WordPress site to act as an OAuth Provider. Being an OAuth provider gives you the ability to provide SSO to any outside system that wants to use your WordPress user database as its own.
In short, OAuth is not Single Sign On but rather a means to provide SSO.