 

Simple registration+login using OAuth 2.0


I am a bit confused about OpenID/OAuth stuff. (By OAuth I mean OAuth 2.0 here and later.)

My target is to create a site with OpenID (or OAuth) auth as well as with legacy email + password auth. The site will be on the Django framework (Python). I understand the difference between OAuth and OpenID and the difference between authorization and authentication.
My primary goal is to implement OpenID login with Google as identity provider.

The login and register flow must be just like on many sites. As I see it:

Register scenario:

1) User enters an OpenID URL (clicks the Google button).

2) User gets redirected to the auth provider (Google); the page says: "Awesome site" asks for your: email, language, country...

3) User says yes and gets redirected back; behind the scenes "Awesome site" retrieves email, language and other user info using the access token.

4) User fills in the other stuff needed in the profile, and that's it: he's now registered.

Login scenario:

1) User enters an OpenID URL (clicks the Google button).

1.a) If the user is already logged in on the auth provider, hmm... it is unclear to me, but somehow the user gets logged in without the provider page being displayed (maybe it closes fast?).

1.b) If the user is not logged in on the provider, then the provider displays a login page and redirects back to Awesome site on success.

Because I have to get some user data, it seems to me that I have to use OAuth or the Hybrid (OpenID + OAuth extension) protocol.

The things that are not clear to me:

  1. How do I get scopes for the info I need? I searched but can't find it. I found on someone's blog "https://www.googleapis.com/auth/userinfo#email" for email, but what about user language, country, etc.? Where is it documented?
  2. If I use OAuth, will it be enough to do both the registration and the login, or will I have to fetch user data with OAuth and log in with OpenID?
  3. Is it OK to use OAuth 2.0 in my scenario? Or will it be simpler to use 1.0, because I don't need user data any more after the initial account registration? (I think 1.0 is more complex because it has 3 phases, but 2.0 is more complex because the access token expires; expiration won't be a problem in my scenario as I don't need user data after registration.)
  4. There are a few libs lying out there; while reading the Google API docs I found:
    • google-api-python-client
    • openid-python-openid
    • gdata-python-client (supposed to be an API to Google services; I don't know if it has OAuth in it, hm... according to this http://code.google.com/intl/ru/apis/gdata/docs/auth/oauth.html it has OAuth in it)
    • python-oauth-client (http://code.google.com/p/python-oauth-client/)
    • I thought that was a lot, but then I found: http://your-move.appspot.com (source files: https://github.com/sje397/Chess), which seems to be using the Google App Engine lib: from google.appengine.api import users
    So which one to choose?
  5. So far I have come to the conclusion that the simplest implementation would be like this: http://code.google.com/p/google-api-python-client/source/browse/samples/oauth2/django_sample/buzz/views.py But lines 38-44 in my case would fetch user email, language and other stuff (and I will also use another scope, line 29) for a newly registered user, or if it is an already registered user just ignore the credential and delete it (continue with the site session). Am I wrong? I saw so many implementations in the libs mentioned above that I doubt that I am right.
  6. And also another question: my fallback legacy auth will use email as login. If an identity provider is an email provider (Google), when a user tries to log in I can fetch the email from the provider and search the database for the email fetched from the provider, so I can find the user. What if the identity provider is not an email provider, like Facebook? How will I search for the user in the database?
SanityIO asked May 03 '11 14:05
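The register/login flow sketched in the question, as an added example that is not part of the original post: plain Python (the asker's stack is Django, but nothing here is framework-specific) implementing the OAuth 2.0 authorization code flow against Google, with the `state` check that ties the provider's callback to the browser session, and an identity table keyed on the provider's `sub` claim rather than on email, which is what question 6 needs when a provider such as Facebook asserts no address. The provider page being skipped in step 1.a is simply the provider's own session cookie; the client side of the flow is identical. The Google endpoint URLs and the `openid email profile` scopes are the documented values at the time of writing and should be verified against Google's current docs; the client id/secret, redirect URI and in-memory `db` are constructed for the example. The `post`/`get` callables are injectable so the token exchange can be exercised offline.

```python
import hmac
import json
import secrets
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Google endpoints (documented values at the time of writing; verify before use).
AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_URL = "https://oauth2.googleapis.com/token"
USERINFO_URL = "https://openidconnect.googleapis.com/v1/userinfo"
PROVIDER = "google"

# Hypothetical client registration; real values come from the API Console.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://awesome.example/oauth2/callback"


def begin_login(session):
    """Step 1: store a fresh one-time state in the server-side session and
    build the URL the browser is redirected to.  The state binds the later
    callback to this session, so an attacker cannot log a victim into the
    attacker's Google account by luring them to a forged callback URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email profile",  # email/profile cover address, name, locale
        "state": state,
    }
    return AUTH_URL + "?" + urlencode(params)


def _post_json(url, data):
    req = Request(url, data=urlencode(data).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req) as resp:
        return json.loads(resp.read())


def _get_json_bearer(url, token):
    req = Request(url, headers={"Authorization": "Bearer " + token})
    with urlopen(req) as resp:
        return json.loads(resp.read())


def finish_login(session, query, post=_post_json, get=_get_json_bearer):
    """Steps 2-3: validate the callback, swap the code for tokens, fetch claims.
    `query` is the parsed callback query string as a dict."""
    expected = session.pop("oauth_state", None)  # single use: a replay fails
    got = query.get("state", "")
    if expected is None or not hmac.compare_digest(expected, got):
        raise PermissionError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise PermissionError("provider returned error: " + query["error"])
    code = query.get("code")
    if not code:
        raise PermissionError("callback without authorization code")
    tokens = post(TOKEN_URL, {
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
    })
    # The access token is needed once, to read the profile; it is not stored.
    return get(USERINFO_URL, tokens["access_token"])


def find_or_create_user(db, claims, link_by_verified_email=False):
    """Registration and login share one code path.  Key on (provider, sub):
    `sub` is the stable, unique identifier the provider guarantees, whereas an
    email may be absent, may change, or may be unverified.  Optionally attach
    to an existing local account only when the provider asserts the address
    is verified; never by email alone."""
    key = (PROVIDER, claims["sub"])
    if key in db["identities"]:
        return db["users"][db["identities"][key]], "login"
    email = claims.get("email")
    if link_by_verified_email and email and claims.get("email_verified") is True:
        for uid, user in db["users"].items():
            if user["email"] == email:
                db["identities"][key] = uid
                return user, "linked"
    uid = len(db["users"]) + 1
    db["users"][uid] = {"email": email, "name": claims.get("name"),
                        "locale": claims.get("locale")}
    db["identities"][key] = uid
    return db["users"][uid], "registered"
```

With the `openid` scope the token response also carries an ID token (OpenID Connect); verifying its signature locally would remove the userinfo round trip, but that is outside this example. The same `find_or_create_user` works for any provider once `PROVIDER` is made a parameter, which is the point of keying on `(provider, sub)` rather than on the address the legacy login uses.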




1 Answer

In my opinion, OpenID and OAuth 2.0 are two different concepts.

  1. OpenID, as its name explains, is mainly focused on managing identity. So it is more like a framework or protocol to manage user identity.

  2. OAuth 2.0 was designed to provide a protocol that lets internet-based applications manage authorization with some third-party authorization providers. I do suggest you go through the IETF OAuth 2.0 spec before getting your hands dirty. You can also find some good information in this article: A simplified explanation of OAuth 2.0.

It seems you wish your own website to handle user authorization by itself; that means that in OAuth 2.0 terms your own website is an Authorization Server.

To your questions:

  1. The scopes are provided by the Authorization Provider; please refer to their documentation.

  2. OAuth only provides the framework for authorizing your web app to access the Resource Owner's protected information. For the Google example, the end user who authorizes your app to access his/her protected information is still a Google user unless your web app automatically creates a user account for him/her in your own user account database; I think this step is what you mean by registration. OAuth doesn't cover anything about registration because it is out of the scope of authorization.

  3. In your scenario you still have your own account database and wish users to be able to authenticate themselves with username and password. OAuth 2.0 really can handle this scenario if you implement your own Authorization Server and use the "Resource Owner Password Credentials" auth flow.

  4. I am not a Python guy, but I can tell you that before you evaluate these libs you must understand the different roles defined in the OAuth 2.0 spec. Some of the libs play the Authorization Server role, some play the Resource Server role.

ehe888 answered Sep 29 '22 12:09
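The two roles the answer's points 3 and 4 distinguish, as an added example that is not part of the answer or of any library it mentions: a minimal Authorization Server that serves the Resource Owner Password Credentials grant against a local password store and mints a signed, expiring access token, and a separate Resource Server that validates that token (signature, expiry, scope) before releasing a resource. This also shows what the token expiry the question worries about actually costs: nothing more than a check on `exp`. Note that the current OAuth 2.0 Security Best Current Practice recommends against the password grant for new deployments; it is used here only because it is the flow the answer names. The shared HMAC key, the PBKDF2 salt and the single local account are constructed for the example; a real deployment would use per-environment secrets and per-user salts.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical key shared by the Authorization Server and the Resource Server
# (constructed for the example; a real RS would more often verify an asymmetric
# signature or call the AS's introspection endpoint).
SIGNING_KEY = b"example-signing-key-replace-me"

_SALT = b"constructed-salt"  # constructed; real deployments use a per-user salt


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed local account store: username -> (salt, PBKDF2 hash).
LOCAL_USERS = {"alice@example.com": (_SALT, _hash_password("correct horse", _SALT))}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- Authorization Server role ------------------------------------------
def password_grant(username, password, scope, ttl=600, now=None):
    """Resource Owner Password Credentials grant: verify the local credential,
    then mint a signed access token that expires after `ttl` seconds.
    Returns the token response dict or raises PermissionError (invalid_grant)."""
    record = LOCAL_USERS.get(username)
    # Hash even when the user is unknown so response time does not reveal
    # which usernames exist.
    salt, stored = record if record else (_SALT, b"\0" * 32)
    if not hmac.compare_digest(_hash_password(password, salt), stored) or record is None:
        raise PermissionError("invalid_grant")
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": username, "scope": scope, "exp": now + ttl,
                          "jti": secrets.token_hex(8)}, separators=(",", ":")).encode()
    body = _b64(payload)
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return {"access_token": body + "." + sig, "token_type": "Bearer", "expires_in": ttl}


# ---- Resource Server role -----------------------------------------------
def authorize_request(authorization_header, required_scope, now=None):
    """Validate the bearer token presented on a protected-resource request.
    Returns the subject on success; raises PermissionError with the RFC 6750
    error name otherwise."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise PermissionError("invalid_request")
    token = authorization_header[len("Bearer "):]
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        raise PermissionError("invalid_token")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):  # check signature before parsing
        raise PermissionError("invalid_token")
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise PermissionError("invalid_token: expired")
    if required_scope not in claims["scope"].split():
        raise PermissionError("insufficient_scope")
    return claims["sub"]
```

The signature is verified before the payload is parsed, so the Resource Server never acts on untrusted JSON, and scope is checked per resource rather than once at login, which is the separation of roles the answer's point 4 refers to.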