Information Security 9 min read

Understanding SSO and OAuth2.0: Concepts, Processes, and Differences

This article explains the fundamentals of Single Sign‑On (SSO) and OAuth2.0, compares the token‑based mechanisms each uses in place of a password, details a typical implementation flow (CAS), and clarifies the distinctions among SSO, OAuth2, JWT, Spring Security and Shiro, while also noting related promotional content.

Top Architect

Overview: SSO (Single Sign‑On) and OAuth2.0 are both token‑based mechanisms that let a user reach an application without handing that application a password, but they solve different problems. SSO is about authentication: it moves the login step out of each business system into an independent login center, which then vouches for the user's identity to every system. OAuth2.0 is an authorization protocol: it lets a user grant a third‑party app limited access to resources held on another server, without sharing the password with that app. The two are often combined, but an OAuth2 access token by itself proves what its holder may access, not who the user is.

1. SSO

The SSO process typically involves the following steps:

1) The user requests a protected page on a business system. The system has no local session, so it redirects the browser to the CAS server, passing its own URL as the service parameter.
2) CAS looks for its own session cookie (the ticket‑granting cookie, TGC). If there is none, it shows the login page.
3) The user submits credentials on the CAS login page. CAS verifies the password, creates a global session (the ticket‑granting ticket, TGT) and sets the TGC cookie on the CAS domain.
4) CAS issues a one‑time service ticket (ST) bound to that service URL and redirects the browser back to the business system with the ticket appended.
5) The business system validates the ticket server‑to‑server against CAS's serviceValidate endpoint, sending the same service URL it registered. CAS answers with the username (and any attributes) and invalidates the ticket.
6) The business system creates its own local session (e.g., JSESSIONID). Later requests to that system ride on the local session; the user is not asked for credentials again.
7) When the user opens a second business system, step 1 repeats, but CAS already holds the TGT, so it skips the login page and goes straight to step 4.

Three checks matter for security: the service URL must match exactly at issuance and at validation, service tickets must be single‑use and expire within seconds, and validation must happen from the back end over TLS, never by trusting a ticket the browser presented.

Typical example: after logging in to the Taobao app, opening a link to another service of the same group logs the user in automatically; no second password entry is needed.
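The seven steps above, as an added in‑process model written for this page; it is not CAS's own code. CasServer and BusinessSystem are hypothetical stand‑ins for the CAS server and a CAS‑protected application, the credential and URLs are constructed, and the HTTPS redirects and the serviceValidate call are replaced by direct method calls. It shows the global session (TGT) versus the local session, and why the service ticket must be single‑use and bound to the service URL.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode, urlparse, parse_qs

ST_TTL_SECONDS = 10  # service tickets are meant to expire within seconds


@dataclass
class ServiceTicket:
    user: str
    service: str        # exact service URL the ticket was issued for
    issued_at: float
    used: bool = False


class CasServer:
    """Hypothetical CAS server: login page, TGT store, ST issuance and validation."""

    def __init__(self):
        self.users = {"alice": "correct horse"}          # constructed test credential
        self.tgts: Dict[str, str] = {}                   # TGC cookie value -> username (global session)
        self.tickets: Dict[str, ServiceTicket] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        """Step 3: verify the password and create the global session (TGT)."""
        if not secrets.compare_digest(self.users.get(username, ""), password):
            return None
        tgc = "TGC-" + secrets.token_urlsafe(24)
        self.tgts[tgc] = username
        return tgc

    def authorize(self, tgc: Optional[str], service: str) -> str:
        """Steps 2 and 4: without a TGT send the user to login; with one, issue an ST."""
        user = self.tgts.get(tgc or "")
        if user is None:
            return "https://cas.example.com/login?" + urlencode({"service": service})
        st = "ST-" + secrets.token_urlsafe(24)
        self.tickets[st] = ServiceTicket(user, service, time.time())
        sep = "&" if "?" in service else "?"
        return f"{service}{sep}ticket={st}"

    def service_validate(self, ticket: str, service: str) -> Optional[str]:
        """Step 5: back-channel validation. Returns the username, or None on failure."""
        t = self.tickets.get(ticket)
        if t is None or t.used:
            return None                                 # unknown or replayed ticket
        t.used = True                                   # single use, even if the checks below fail
        if t.service != service:                        # ticket was issued for another service
            return None
        if time.time() - t.issued_at > ST_TTL_SECONDS:
            return None
        return t.user


class BusinessSystem:
    """Hypothetical CAS-protected application holding its own local sessions."""

    def __init__(self, cas: CasServer, service_url: str):
        self.cas = cas
        self.service_url = service_url
        self.sessions: Dict[str, str] = {}               # JSESSIONID -> username (local session)

    def handle_callback(self, redirect_url: str) -> Optional[str]:
        """Step 6: pull the ticket off the redirect, validate it, create a local session."""
        ticket = parse_qs(urlparse(redirect_url).query).get("ticket", [None])[0]
        if ticket is None:
            return None
        # Validate against the URL we registered, never one the browser supplied.
        user = self.cas.service_validate(ticket, self.service_url)
        if user is None:
            return None
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = user
        return sid


def run_flow() -> dict:
    """Walk one user through two applications and report what each step observed."""
    cas = CasServer()
    app_a = BusinessSystem(cas, "https://a.example.com/home")
    app_b = BusinessSystem(cas, "https://b.example.com/dash")

    first = cas.authorize(None, app_a.service_url)        # steps 1-2: no TGT yet
    tgc = cas.login("alice", "correct horse")             # step 3
    redirect_a = cas.authorize(tgc, app_a.service_url)    # step 4
    sid_a = app_a.handle_callback(redirect_a)             # steps 5-6
    replay = app_a.handle_callback(redirect_a)            # same ticket presented twice
    redirect_b = cas.authorize(tgc, app_b.service_url)    # step 7: second app, no login page
    sid_b = app_b.handle_callback(redirect_b)
    # A ticket issued for app B, presented to app A, fails the service check.
    stolen = app_a.handle_callback(cas.authorize(tgc, app_b.service_url))
    return {
        "login_redirect": first.startswith("https://cas.example.com/login?"),
        "session_a": app_a.sessions.get(sid_a),
        "replay_rejected": replay is None,
        "session_b": app_b.sessions.get(sid_b),
        "cross_service_rejected": stolen is None,
    }
```

Running run_flow() shows the user logging in once and obtaining local sessions on both applications, while a replayed ticket and a ticket issued for a different service are both refused at validation time.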

2. OAuth2.0

OAuth2.0 supports several grant types; the article focuses on the authorization‑code flow. Structurally it resembles the CAS flow above: the client redirects the user to an authorization server, receives a short‑lived code on the way back, and exchanges that code out of band for a token. The full model has four roles: the resource owner (the user), the client, the authorization server and the resource server. In an SSO‑like scenario, where the only resource being accessed is the user's identity, the client and the authorization server are enough, with the authorization server also serving user information; that identity layer on top of OAuth2 is what OpenID Connect standardizes.

Key points:

OAuth2 authorizes third‑party apps to access user resources without exposing passwords.

The authorization server issues an access token, either an opaque string or a JWT, which the client presents as a bearer token to the resource server. Using the token to fetch user information is not part of OAuth2 itself; it comes from OpenID Connect's userinfo endpoint and ID token.

Four main OAuth2 grant types are described: authorization‑code, implicit, password, and client‑credentials. The implicit and password grants are deprecated by the OAuth 2.0 Security Best Current Practice and removed from the OAuth 2.1 draft; new deployments should use authorization code with PKCE and a state parameter for user‑facing clients, and client credentials for service‑to‑service calls.
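The authorization‑code grant with state and PKCE, as an added example written for this page rather than code from any real library. AuthorizationServer and Client are hypothetical; the client registration, secret and URLs are constructed, and the front‑channel redirect and the back‑channel token POST are direct method calls. It goes slightly beyond the article's description by showing the three checks that make the flow safe: the client rejects a callback carrying a state it never issued, the server consumes each code exactly once, and the code is bound to the PKCE verifier so a code obtained elsewhere cannot be redeemed.

```python
import base64
import hashlib
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlencode, urlparse, parse_qs

CODE_TTL = 60  # RFC 6749 recommends authorization codes live for at most a few minutes


def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding PKCE uses for challenge and verifier."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    """Hypothetical authorization server: consent redirect plus token endpoint."""

    def __init__(self):
        self.clients = {"web-app": {"redirect_uri": "https://app.example.com/cb", "secret": "s3cret"}}
        self.codes: Dict[str, dict] = {}
        self.tokens: Dict[str, str] = {}   # access token -> subject

    def authorize(self, user: str, params: Dict[str, str]) -> str:
        """Front channel: the logged-in user consents; return the redirect with code and state."""
        client = self.clients[params["client_id"]]
        if params["redirect_uri"] != client["redirect_uri"] or params.get("code_challenge_method") != "S256":
            raise ValueError("invalid authorization request")   # exact URI match, PKCE required
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"sub": user, "client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "challenge": params["code_challenge"], "issued": time.time()}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: Dict[str, str]) -> Optional[str]:
        """Back channel: exchange a code for an access token, or None on any failed check."""
        rec = self.codes.pop(form.get("code", ""), None)       # pop: the code is consumed either way
        if rec is None or time.time() - rec["issued"] > CODE_TTL:
            return None
        client = self.clients.get(form.get("client_id", ""))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            return None
        if rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form.get("redirect_uri"):
            return None
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(expected, rec["challenge"]):
            return None                                        # code was issued for another verifier
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = rec["sub"]
        return tok


class Client:
    """Hypothetical confidential web client."""
    client_id, client_secret, redirect_uri = "web-app", "s3cret", "https://app.example.com/cb"

    def __init__(self, auth: AuthorizationServer):
        self.auth = auth
        self.pending: Dict[str, str] = {}   # state -> code_verifier, kept in the user's session

    def start_login(self) -> Dict[str, str]:
        verifier = b64url(secrets.token_bytes(32))
        state = secrets.token_urlsafe(16)
        self.pending[state] = verifier
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": state, "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
                "code_challenge_method": "S256"}

    def callback(self, url: str) -> Optional[str]:
        q = parse_qs(urlparse(url).query)
        state, code = q.get("state", [""])[0], q.get("code", [""])[0]
        verifier = self.pending.pop(state, None)
        if verifier is None:
            return None                     # state we never issued: CSRF or replayed callback
        return self.auth.token({"grant_type": "authorization_code", "code": code, "client_id": self.client_id,
                                "client_secret": self.client_secret, "redirect_uri": self.redirect_uri,
                                "code_verifier": verifier})


def run_flow() -> dict:
    auth = AuthorizationServer()
    client = Client(auth)
    params = client.start_login()
    verifier = client.pending[params["state"]]
    redirect = auth.authorize("alice", params)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    token = client.callback(redirect)
    exchange = {"grant_type": "authorization_code", "code": code, "client_id": "web-app",
                "client_secret": "s3cret", "redirect_uri": Client.redirect_uri}
    reused = auth.token({**exchange, "code_verifier": verifier})              # code already consumed
    forged = client.callback(Client.redirect_uri + "?code=x&state=forged")    # state never issued
    redirect2 = auth.authorize("alice", client.start_login())
    exchange["code"] = parse_qs(urlparse(redirect2).query)["code"][0]
    wrong_pkce = auth.token({**exchange, "code_verifier": "not-the-verifier"})
    return {"subject": auth.tokens.get(token), "reuse_rejected": reused is None,
            "forged_state_rejected": forged is None, "wrong_verifier_rejected": wrong_pkce is None}
```

In a real deployment the verifier and state live in the user's server‑side session and the token request is an HTTPS POST to the token endpoint; the checks in token() are the ones RFC 7636 and the Security BCP require of the server, and the state check in callback() is the one the client owes itself.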

3. Terminology Comparison

SSO is an abstract concept/solution; CAS is one framework (and wire protocol) that implements it. OAuth2 is a protocol for delegated authorization; it was not designed for SSO, but with an identity layer on top (OpenID Connect) it is widely used to achieve it. JWT is a token format, a signed JSON payload; an access token or ID token may be a JWT, but OAuth2 does not require one. Spring Security and Shiro are Java frameworks for authentication and access control inside an application; either can play the client side of a CAS or OAuth2 flow.

The article also includes promotional sections for a community offering ChatGPT resources, interview materials, and various paid services, which are unrelated to the technical discussion.

Written by

Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
