SAML & OIDC
In this scenario, a user logs in to a web application where all user interaction takes place nad the session is managed. The web application accesses user data in backend services using a common identifier. The backend APIs are not "aware" of edu-ID.

|
OIDC Authentication
|
SAML Authentication (edu-ID only configuration)
|
RP accesses backend API out of band
OIDC only
In this scenario a user authenticates for a web application. In the course of use, the application must access user data via APIs from third-party systems. The third party system is not in the same security domain and therefore requires independent confirmation that the user has allowed the web application to access 3rd party services.
When the web application accesses an API, it passes along the OIDC access token. The access token is signed by the edu-ID IdP and contains the user's identifier as well as the expiration date (see ID token example below). The access token lifetime is usually 10 minutes.
The API in the backend can check the validity of the access token without having to trust the web application. It thus receives confirmation that the user has allowed the access to the API. Since the access token is in JWT format, the validity check can be performed without interaction with the IdP.

OIDC Authentication
RP accesses backend API out of band
It the API fails to verify the access token, it sends a negative response back to the application. It's the application's responsibility to get a valid access token, either by using a refresh token or by re-authenticating the user.
Access Token Example (simplified)
{
"iss": "https://eduid.ch/",
"sub": "MA2ZRIYFC67J6ABXNA4LMSNQB7ZFMN5Y",
"aud": ["https://grades-api.example.com","https://lms-api.example.com"],
"client_id": "unidemo_student_info_system",
"exp": 1617823587,
"iat": 1617809187,
"scope": "grades courses"
} + signature
References: