Understanding the Difference Between SSO and OAuth2.0: Authentication vs Authorization

1. Authentication and Authorization

Authentication verifies a user’s identity using credentials such as username/password, one‑time passwords, or biometrics. Authorization occurs after authentication and determines which resources (files, APIs, databases, etc.) the authenticated user is permitted to access.

2. Single Sign‑On (SSO)

SSO is an authentication mechanism that allows a user to log in once and then reuse that authentication state across multiple internal applications. The typical SSO flow is:

The client checks whether the user already possesses a valid session token.

If no valid token exists, the client redirects the user to an authentication center (identity provider).

The user supplies credentials; the authentication center validates them and issues a signed token (e.g., JWT) to the client.

The client presents the token to the authentication center for validation on each subsequent request. If the token is valid, the center returns the user’s identity and associated permissions.

Other internal services accept the same token, allowing the user to access them without re‑entering credentials.

3. OAuth 2.0

OAuth 2.0 is an authorization framework that enables a user to grant a third‑party application limited access to resources hosted by a service provider without exposing the user’s password. A common authorization‑code grant flow proceeds as follows:

The client redirects the user’s browser to the authorization server.

The user authenticates (e.g., with username/password) and consents to the requested scopes.

Upon successful consent, the authorization server issues an authorization_code to the client via a redirect.

The client exchanges the authorization_code for an access_token (and optionally a refresh_token) by authenticating itself to the token endpoint.

For each request to the resource server, the client includes the access_token (typically in the HTTP Authorization header). The resource server validates the token before returning the protected data.

4. Relationship between SSO and OAuth 2.0

OAuth 2.0 focuses on delegated authorization; it does not define how the user authenticates.

SSO provides a shared authentication layer that can be built on top of OAuth 2.0 or other protocols.

In practice, SSO is often a prerequisite for OAuth 2.0 because the authorization server must first confirm the user’s identity before issuing an authorization code.

Many commercial implementations (e.g., Google, GitHub) combine SSO for authentication with OAuth 2.0 for authorization, allowing a single login to be reused across multiple services.