EP 11 - Difference between JWT, OAuth, and SAML

Hello friends, one of the most common questions in Java developer interviews nowadays is the difference between JWT, OAuth2.0, and SAML? and when to use them. If you are preparing for Java developer interviews, asked this question, and looking for an answer, you have come to the right place.

While JWT, OAuth, and SAML These are well-known standards used for authentication and authorization purposes in web applications. There are many differences between them.

For example, JWT is JSON Web Token, a standard for securely transmitting information between parties as a JSON object. It is used to authenticate and authorize users and is commonly used in modern web applications. JWTs are digitally signed so that they can be verified and trusted.

On the other hand, OAuth (Open Authorization) is an open standard for authorization that allows third-party applications to access user data without requiring users to share their login credentials. It is commonly used in applications that need to access data from external services, such as social media platforms or APIs.

Similarly, SAML (Security Assertion Markup Language) is another standard for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP). It is commonly used in enterprise applications to provide single sign-on (SSO) functionality.

One of the most famous examples of SAML is SingPass authentication, which is used Singapore Government to access government websites like Vaccination certificates, CPF, IRAS, etc.

Now that we know the basics, it’s time to dive deep and learn them in more detail so that you can answer any follow-up questions.

What is JWT (JSON Web Token)? When to use it?

As I said, JWT stands for JSON Web Token, a type of token used for securely transmitting information between parties. JWTs are commonly used for authentication and authorization purposes in web applications.

A JWT comprises three parts: a header, a payload, and a signature. The header specifies the token type and the signing algorithm, while the shipment contains the transmitted data.