I’m reading the docs at https://developer.okta.com and I’m quite confused about Okta’s offerings. I can’t conjure a coherent picture of what Okta does.
Here are some specific points that I hope someone can clarify, confirm, or correct for me:
- Basically, Okta offers three auth mechanisms: OAuth 2.0+OpenID Connect, OpenID Connect only, and finally SAML 2;
- OAuth 2.0+OpenID Connect and SAML are equivalent in functionality, both do authorization (proving who you are and carrying access/permission information), but the authorization workflow (and probably the API endpoint URLs) are different; whereas OpenID Connect would be authentication only (just proving who you are).
- An OpenID Connect token does not carry any access/permission information. However, my service backend could still figure out the access/permission granted to the user in some other way (maybe I have a table that maps user IDs to permissions in my own database).
- An OAuth 2.0 token would carry access/permission information, but I guess it’s best used for coarse-grained access control? It’s like the OAuth 2.0 token would determine what functions a user or an app can call, and my service backend can further limit what arguments the user or app can call the functions with (or what resources the user or app can affect or retrieve using the functions), correct?
- Conceptually, if I use OAuth 2.0, what am I protecting against what? Am I protecting my user from client apps? Am I protecting my service backend against the user? Or am I protecting my service backend against the client app?
- “API Access Management” is just (an implementation of) OAuth 2.0?
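The two backend models sketched in the third and fourth points (scopes from an access token for coarse-grained checks, or a user-ID-to-permission table when only an ID token is available, with resource-level checks done by the backend either way) as an added, runnable illustration; this is example code, not code from the question or from Okta's docs. It assumes the token's signature, issuer and audience have already been verified by a JWT library, uses constructed claim sets (Okta puts granted scopes in the `scp` claim of an access token, while an ID token carries identity claims only), and uses a hypothetical document-ownership table.

```python
# Constructed sample claims, as they would look AFTER signature and issuer
# verification by a JWT library (that step is assumed, not shown here).
NOW = 1_700_000_000  # fixed clock so the example is deterministic

# Access token: carries granted scopes ("scp"), intended for the API ("aud").
ACCESS_TOKEN_CLAIMS = {
    "sub": "00u1abc", "aud": "api://documents",
    "scp": ["documents.read"], "exp": NOW + 300,
}
# ID token: proves who the user is, intended for the client app; no scopes.
ID_TOKEN_CLAIMS = {
    "sub": "00u1abc", "aud": "0oa1client",
    "email": "alice@example.com", "exp": NOW + 300,
}

# Hypothetical backend data (constructed): resource ownership, and the
# user-id -> permissions table used when only an ID token is available.
DOCUMENT_OWNERS = {"doc-1": "00u1abc", "doc-2": "00u9xyz"}
USER_PERMISSIONS = {"00u1abc": {"documents.read"}}

# Coarse-grained map: which permission each API function requires.
REQUIRED_PERMISSION = {
    "read_document": "documents.read",
    "delete_document": "documents.delete",
}


def granted_permissions(claims, source):
    """Access token: permissions come from the token's scopes.
    ID token: the token only identifies the user; look permissions up locally."""
    if source == "access_token":
        return set(claims.get("scp", []))
    return USER_PERMISSIONS.get(claims.get("sub"), set())


def authorize(claims, source, expected_aud, operation, doc_id, now=NOW):
    """Returns (allowed, reason). Coarse-grained: may this caller invoke the
    operation at all? Fine-grained: may it touch this particular document?"""
    if claims.get("exp", 0) <= now:
        return (False, "token expired")
    if claims.get("aud") != expected_aud:
        return (False, "wrong audience")  # token was not issued for this API
    needed = REQUIRED_PERMISSION.get(operation)
    if needed is None or needed not in granted_permissions(claims, source):
        return (False, "permission missing")
    if DOCUMENT_OWNERS.get(doc_id) != claims.get("sub"):
        return (False, "not owner")  # backend-side argument/resource check
    return (True, "ok")
```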