Understanding SSO vs OAuth2.0: How Token-Based Authentication Works

1. Overview

SSO (Single Sign On) and OAuth (Open Authorization) both use tokens instead of passwords to access applications. While their processes are similar, their concepts differ. SSO separates authentication from business systems using an independent login center, allowing users to access all related services after a single login.

OAuth2.0 may be less familiar, but it is widely used, e.g., logging into a website via WeChat authorization. In both cases, the user does not have an account/password in the business system; credentials are stored in the login center or the external provider, and tokens replace them for access.

2. SSO

SSO is a concept; frameworks like CAS implement it. Note: SSO is an idea, CAS is just one framework.

The typical flow includes:

User accesses a protected application; if not logged in, they are redirected to the CAS server with a service parameter.

The CAS server checks login status; if not logged in, redirects to its login page; if logged in, creates a global session and redirects back.

User submits credentials to the CAS login page; the login page belongs to the SSO system.

CAS validates the password, then redirects to the business system with a ticket.

The business system receives the ticket, requests user info from CAS, creates a local session (e.g., JSESSIONID).

Subsequent interactions use the session ID.

Common example: opening the Taobao app and clicking links to other services without re‑entering credentials.

3. OAuth2.0

OAuth2.0 has several grant types; here we discuss the authorization‑code flow. The roles are authorization server, resource server, and client. When using OAuth2.0 for SSO, only the authorization server and client are needed.

The authorization server handles authentication; the client is each application that needs the user’s identity and permissions.

User clicks “Login with WeChat” on a site; the site is the client, WeChat’s server acts as the SSO.

WeChat presents an authorization page (its own login UI).

User authorizes, WeChat authenticates and returns a ticket, redirecting back to the client.

The client exchanges the ticket for a token and uses it to obtain user information.

OAuth2.0 Grant Types

Authorization Code

Most common and secure; suitable for web apps with a backend. The code is passed through the front end, while the token is stored securely on the server.

Implicit

Used for pure front‑end applications without a backend; the token is issued directly to the client.

Password

When the client is highly trusted, the user can provide username and password directly to obtain a token.

Client Credentials

For command‑line or service‑to‑service applications without a front end.

Simple Flow Diagram

4. Terminology Differences

SSO is an abstract solution concept; implementation follows its principles.

OAuth2 is a protocol for delegating authorization to third‑party applications; it can be used to achieve SSO, with protected resources being user information and permissions. Tokens (often JWT) carry the access token.

Spring Security and Shiro are Java frameworks for securing access and handling permissions.