Understanding SSO and OAuth2.0: Concepts, Processes, and Differences

SSO (Single Sign‑On) separates authentication from business systems by using a central login center, allowing users to access multiple services after a single login.

OAuth2.0 is a token‑based authorization protocol that can also be used to implement SSO; it involves an authorization server, resource server and client, and supports several grant types.

SSO

Typical SSO flow (illustrated with the CAS framework) includes steps such as redirecting an unauthenticated request to the CAS server, user login at the CAS server, issuance of a ticket, and the business application validating the ticket to create a local session (e.g., JSESSIONID ).

OAuth2.0

The authorization‑code grant is the most common and secure flow, suitable for web applications with a backend. Other grants include implicit, password, and client‑credentials, each described briefly.

The authorization server authenticates the user, while the client (the business application) receives the user’s information and permissions after a successful login.

Key Terminology Differences

SSO is a design concept; OAuth2.0 is a protocol for delegated authorization that can be leveraged to achieve SSO; Spring Security and Shiro are Java frameworks that enforce access control.