Google Authentication: OAuth 2.0 vs OpenID Connect

I am evaluating the possible options provided by Google for adding Google sign-in to my web application. The possible options, as I see them, are:

  1. Google+ Signin
  2. OAuth2.0
  3. OpenID Connect ( OAuth2.0 for Login )

I didn't go with the 1st one, as it limits the API calls I can make in a day to 10000.

Out of 2 & 3, I am inclined to go for the 3rd. I don't really need API authorization, and I am not concerned about access token expiration in my case. Once I receive the user profile from Google, my web app will manage its own session for the user and does not need to query Google for any other data related to the user. And as per the Google documentation, #3 allows me to customize the user consent screen, while 1 & 2 don't.

Any comments on my comparison between 2 & 3?

snegi asked Jan 13 '15 06:01

1 Answer

In fact, 2. comprises a Google-specific usage/extension of OAuth 2.0 to establish user identity on top of the authorization provided by core OAuth 2.0. Using 2., you would have to ensure that you only receive the access token in a code flow, and you would have to perform a Google-specific introspection call to find out who the user is, where the user's identity is returned in Google-specific claims.

On the other hand, 3. is a standardized way to log in users through a 3rd-party provider, so it is a future-safe choice for which you'll find more support in libraries/SDKs (well, at least in the near future).

Hans Z. answered Sep 22 '22 10:09
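The practical difference the answer points at is that with option 3 the relying party receives a standardized ID token (a JWT) and validates it locally, rather than making a Google-specific introspection call. The following is an added example, not code from the question, the answer, or Google, of the checks a web app must perform on an ID token before trusting it for login: pin the algorithm, verify the signature, and check `iss`, `aud`, `exp` and `nonce`, then key the session on the stable `sub` claim rather than on the email address. For a self-contained demo it signs with an HS256 shared secret and constructed claim values (client ID, nonce, subject); Google actually signs ID tokens with RS256 using keys published at its JWKS endpoint, so a production app verifies against those keys (normally via a library) while the claim checks stay exactly as shown.

```python
import base64
import hashlib
import hmac
import json
import time

# Issuer values Google documents for its ID tokens; both forms occur in practice.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Constructed demo values (assumptions for this example, not real credentials).
DEMO_CLIENT_ID = "123456789-example.apps.googleusercontent.com"
DEMO_NONCE = "n-0S6_WzA2Mj"
DEMO_KEY = b"demo-shared-secret-for-hs256-only"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def demo_claims(now: int) -> dict:
    """Constructed claim set shaped like a Google ID token (sample values only)."""
    return {
        "iss": "https://accounts.google.com",
        "sub": "10769150350006150715113082367",  # stable per-user id: key accounts on this
        "aud": DEMO_CLIENT_ID,
        "iat": now,
        "exp": now + 3600,
        "nonce": DEMO_NONCE,
        "email": "user@example.com",
        "email_verified": True,
    }


def make_demo_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for the demo. Google signs with RS256 and JWKS keys;
    this shared-secret signing exists only so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, client_id: str, expected_nonce, key: bytes, now=None) -> dict:
    """Verify the signature and the OIDC claims a relying party must check.
    Raises ValueError on any failure; returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Pin the algorithm: never let the token header choose it (rejects alg=none).
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # 2. Signature over header.payload, compared in constant time.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))

    # 3. Issuer must be Google.
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")

    # 4. Audience must contain our client_id; a token minted for another app is not ours.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        raise ValueError("wrong audience")

    # 5. Expiry.
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")

    # 6. Nonce binds the token to the login request that started this session (replay defence).
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")

    # 7. 'sub' is the stable identifier; an email can change hands and may be unverified.
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    token = make_demo_id_token(demo_claims(now), DEMO_KEY)
    print(validate_id_token(token, DEMO_CLIENT_ID, DEMO_NONCE, DEMO_KEY)["sub"])
```

The order matters: the signature is checked before any claim is read, so a forged payload never influences the issuer or audience decision, and the audience check is what stops an ID token issued to some other site's client from logging a user into yours.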