
OpenID vs. OAuth [duplicate]

People also ask

What is difference between OpenID and OAuth?

OpenID vs. OAuth. Simply put, OpenID is used for authentication while OAuth is used for authorization. OpenID was created for federated authentication, meaning that it lets a third-party application authenticate users for you using accounts that you already have.

What is the basic difference between OAuth 2 and OIDC?

The main difference between OIDC and OAuth 2.0 is that the token is provided using JSON Web Token (JWT), meaning it is digitally signed, and the Relying Party can verify the token has not been tampered with.

Is OpenID obsolete?

This page lists libraries for OpenID 2.0 – a now obsolete specification. OpenID 2.0 has been superseded by OpenID Connect.

Is OpenID Connect dead?

Is OpenID Dead? Yes, OpenID is an obsolete standard that is no longer supported by the OpenID Foundation.


OpenID is a way to specify one identity for multiple sites so you don't need to register over and over again.

OAuth is a way to allow one application access to one account without giving said application your account login information. You can use them in conjunction.

More info: OAuth-OpenID: You’re Barking Up the Wrong Tree if you Think They’re the Same Thing


If you have an account (with some private resources) on a website, you can log in with a username/password pair. If an application would like to get some private resources, and if you don't want to give them your username/password, use OAuth.

But if you want to log in to multiple websites with a unique account, use OpenID.

(Some websites use OAuth like OpenID, and OpenID can be used like OAuth if you have some private stuff in your OpenID account.)


OpenID = using login credentials from an OpenID provider (Google) to log in to another application (Stack Overflow).

OAuth = allowing an application (TwitPic) to act on your behalf and access information from an application that you use (Twitter).

They can be used in conjunction with each other.


OpenID is purely* for multi-site authentication with a single set of credentials.

OAuth is for letting applications access each other securely: data sharing. Think of it as setting a bond of trust between two things, e.g. allowing your Flickr account to post things on your Facebook wall or hooking your Flickr photos into a third-party printing website.

OAuth isn't just about site-to-site. You can link in desktop applications with no real concept of "identity" to an identity-driven site like Facebook or Twitter (e.g. a Twitter client being able to post to your feed without having to store your login details).

There are similarities but OAuth is really all about the service-to-service links.


OpenID is about authentication to many sites with one username.
OAuth is about authorization - site A has permission to call site B's API.

Here's another good article/analogy explaining the differences: http://www.dotnetopenauth.net/about/about-oauth/