I am developing an Android application which requires users to register and log on to a website and then use that registration information in an Android app. Should I be using OAuth or OpenID, or is there something better, so that it is not a requirement that I develop a single-use authentication system?
For most cases, we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side, and this flow can return Refresh Tokens. To learn more about how this flow works and how to implement it, see Authorization Code Flow with Proof Key for Code Exchange (PKCE).
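The PKCE step described above, as an added example that is not part of the original thread: the client derives a one-time `code_verifier`, sends only its SHA-256 `code_challenge` with the authorization request, and later proves possession of the verifier when redeeming the authorization code. The `AuthorizationServer` class is a constructed stand-in for the real token endpoint (it only keeps the challenge bound to each issued code); the `redeem` check is what stops a code intercepted on the device from being exchanged by anyone who does not hold the verifier, which is why the flow is preferred for mobile apps.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """RFC 7636 uses base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters, the minimum length RFC 7636 allows.
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    # challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_matches(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """What the token endpoint checks before releasing tokens for a code."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":          # permitted by the RFC, but S256 is the one to use
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


class AuthorizationServer:
    """Constructed stand-in for the authorization server (hypothetical, not a real product)."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}   # code -> (challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Issued after the user has logged in and consented; the challenge is bound to the code.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, method)
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        # A code is single-use regardless of whether the verifier matches.
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        challenge, method = entry
        return verifier_matches(challenge, method, code_verifier)


def run_pkce_exchange() -> tuple[bool, bool]:
    """Simulates one honest exchange and one replay of the same code without the verifier."""
    server = AuthorizationServer()

    # Client side (this is what the Android app would do before opening the browser).
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)

    # The redirect back to the app carries the code; nothing in the redirect reveals the verifier.
    code = server.authorize(challenge, "S256")

    # Another app on the device that only saw the redirect holds the code but not the verifier.
    intercepted_attempt = server.redeem(code, make_code_verifier())
    honest_attempt = server.redeem(code, verifier)   # fails too: the code was consumed above
    return intercepted_attempt, honest_attempt


if __name__ == "__main__":
    print(run_pkce_exchange())   # (False, False)
```

Note that the legitimate client also loses the code once someone else has tried to redeem it; that is intended, since a consumed code must never be exchangeable twice.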
OAuth 2.0 is designed only for authorization, for granting access to data and features from one application to another. OpenID Connect (OIDC) is a thin layer that sits on top of OAuth 2.0 that adds login and profile information about the person who is logged in.
OAuth 2.0 is much more usable, but much more difficult to build securely. Much more flexible. OAuth 1.0 only handled web workflows, but OAuth 2.0 considers non-web clients as well. Better separation of duties.
If you want to quickly set up an identity platform, choose OIDC over SAML without thinking twice. Implementing a basic OIDC solution is much simpler compared to SAML, which would require heavy-weight XML processing. If you have an API-centered architecture with a lot of mobile and single-page applications, use OIDC.
OpenID
If you're just looking to authenticate a user in your Android app without exchanging data between your application and user data stored and managed by a third-party service provider (like Google, Flickr, Facebook, ...), then OpenID might be the better option for you.
There is a java based library that should work on the Android platform called openid4java.
OAuth
OAuth, although part of the workflow involves authenticating against an OAuth service provider, is more focussed on the authorization part, as it is to a large degree unaware of the underlying authentication mechanism.
If you want your application to act on the user's behalf (to fetch user data stored at a third party that supports OAuth), then OAuth is an interesting option. OAuth is not capable of acquiring the identity of the user; it merely acts as an authorization mechanism for an already identified user.
Signpost is a java based library that works on Android.
OpenID Connect
For early adopters, another interesting solution on the horizon is OpenID Connect, which combines the best of the two worlds.
Take a look at the following posts for more background info.
And of course the specs:
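The distinction the answer draws, that OAuth alone authorizes an already identified user while OpenID Connect adds identity, comes down to the ID token. The following is an added example, not code from the answer or from any library it mentions: a minimal validator for the claims an OIDC client must check (`iss`, `aud`, `exp`, `nonce`) plus the signature. For the sake of a self-contained run the token is signed with a constructed HS256 shared key; a real provider signs ID tokens with an RSA or EC key published in its JWKS, and `make_id_token` exists here only to produce test input.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed issuer: builds an HS256 JWT so the validator has something to check."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: int) -> dict:
    """Returns the verified claims or raises ValueError; mirrors OIDC Core section 3.1.3.7."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm the client expects; never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    # The nonce binds the token to the login request this client started (replay protection).
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def logged_in_subject(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: int) -> Optional[str]:
    """Convenience wrapper: the stable user identifier, or None if the token is not acceptable."""
    try:
        return validate_id_token(token, key, issuer, client_id, nonce, now)["sub"]
    except (ValueError, KeyError):
        return None


if __name__ == "__main__":
    # Constructed sample values: hypothetical issuer, client id and key.
    key = b"constructed-shared-secret"
    now = 1_700_000_000
    claims = {"iss": "https://issuer.example", "sub": "user-123", "aud": "android-app",
              "exp": now + 300, "iat": now, "nonce": "n-0S6_WzA2Mj"}
    token = make_id_token(claims, key)
    print(logged_in_subject(token, key, "https://issuer.example", "android-app", "n-0S6_WzA2Mj", now))
```

An OAuth access token gives the app none of these checks: it is opaque to the client and only tells the resource server what the app may do, which is exactly why the answer says OAuth by itself cannot establish who the user is.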