POINT is based on standard protocols and provides support for SAML, OpenID Connect, and OAuth 2.0

The Security Assertion Markup Language (SAML) protocol is an open-standard, XML-based framework for authentication and authorization between two parties, namely the identity provider (IdP) and the service provider (SP).

• The IdP authenticates users and provides an authentication assertion that indicates a user has been authenticated to service providers.
• The SP agrees to trust the identity provider to authenticate users.

POINT supports full coverage and reference implementation of the SAML standard and can serve as the IdP, SP, or both in all edge cases including:

• SAML requests signing and encrypting
• SAML response signing and encrypting
• And Microsoft AD Federation Services

Supported SAML options:

• Single Logout Profile

OIDC is an identity layer built on top of the OAuth 2.0 framework and it allows third-party applications to verify the identity of end-users while obtaining basic user profile information. OIDC uses JSON web tokens (JWTs) which you can obtain using standard-specified flows.

OIDC and JWTs

JWTs contain claims about an entity and additional metadata. The OIDC specification defines standard claims, including names, email addresses, birth dates, and gender. Custom claims can also be created and added to tokens if there isn’t a standard claim to reflect the relevant piece of information.

Grant types

There are four defined flows (grant types) to get an access token:

• Authorization Code Flow: Used by web apps executing on a server. It is also used by mobile apps using the Proof Key for Code Exchange (PKCE) technique. This flow is considered the most secure as it doesn’t reveal tokens to the browser and the client can still be authenticated.
• Implicit Flow: Used by JavaScript-centric apps executing on the user’s browser.
• Resource Owner Password Grant: Used by highly trusted apps. Comes in handy when access to a web browser isn’t possible.
• Client Credentials Grant: Used for machine-to-machine authorization.

The OAuth 2.0 framework is a protocol that allows a user to grant a third-party website or application access to a user’s protected resources without revealing their long-term credentials, or in some cases, their identity.

Roles

An OAuth 2.0 flow has the following roles:

• Resource Owner: An entity that is permitted to grant access to a protected resource, typically an end-user.
• Resource Server: The API you want to access acts as the server hosting the protected resource.
• Client: Application requesting access to a protected resource on behalf of the Resource Owner.
• Authorization Server: Server that authenticates the Resource Owner and issues access tokens after getting authorization.

Flows

There are three defined flows to get an access token via OAuth 2.0:

• Authorization Code Flow: Used by web apps executing on a server and mobile apps.
• Implicit Flow: Required for apps that have no “back-end” on the web server, such as JavaScript.
• Hybrid Flow: Essentially a combination of Authorization and Implicit flows, however, it’s rarely used. It allows the front-end and back-end of an application to receive separate tokens.