I am a bit confused about OpenID/OAuth stuff.
(By OAuth I mean OAuth 2.0 here and later.)
My target is to create a site with OpenID (or OAuth) auth as well as with legacy
email + password auth. The site will be on the Django framework (Python).
I understand the difference between OAuth and OpenID and the difference between authorization and authentication.
My primary goal is to implement OpenID login with Google as the identity provider.
The login and register flow must be just like on many sites. As I see it:
Register scenario:
1) User enters an OpenID URL (clicks the Google button).
2) User gets redirected to the auth provider (Google); the page says: "Awesome site" asks for your: email, language, country...
3) User says yes, gets redirected back; behind the scenes "Awesome site" retrieves email, language and other user info using the access token.
4) User fills in the other stuff needed in the profile, and that is it: he is now registered.
Login scenario:
1) User enters an OpenID URL (clicks the Google button).
1.a) If the user is already logged in on the auth provider, hmm... it is unclear to me, but somehow the user gets logged in without a provider page being displayed (maybe it closes fast?).
1.b) If the user is not logged in on the provider, then the provider displays a login page and redirects back to Awesome site on success.
Because I have to get some user data, it seems to me that I have to use the OAuth or Hybrid (OpenID + OAuth extensions) protocol.
The things that are not clear to me:
Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports common OAuth 2.0 scenarios such as those for web server, client-side, installed, and limited-input device applications. To begin, obtain OAuth 2.0 client credentials from the Google API Console.
OAuth 2.0 allows users to share specific data with an application while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives. This OAuth 2.0 flow is specifically for user authorization.
In my opinion, OpenID and OAuth 2.0 are two different concepts.
OpenID, as its name explains, is mainly focused on managing identity. So it is more like a framework or protocol to manage user identity.
OAuth 2.0 was designed to provide a protocol which lets internet-based applications manage authorization with some third-party Authorization Providers. I do suggest you go through the IETF OAuth 2.0 spec before getting your hands dirty. You can also find some good information in this article: A simplified explanation of OAuth 2.0.
It seems you wish your own website to handle user authorization by itself; that means in OAuth 2.0 terms your own website is an Authorization Server.
To your question:
The scopes are provided by the Authorization Provider; please refer to their documentation.
OAuth only provides the framework for authorizing your web app to access the Resource Owner's protected information. For the Google example, the end user who authorizes your app to access his/her protected information is still a Google user unless your web app automatically creates a user account for him/her in your own user account database. I think this step is what you mean by registration. OAuth doesn't cover anything about registration because it is out of the scope of authorization.
In your scenario you still have your own account database and wish users could authenticate themselves with username and password. OAuth 2.0 really can handle this scenario if you implement your own Authorization Server and use the "Resource Owner Password Credentials" auth flow.
I am not a Python guy, but I can tell you that before you evaluate these libs you must understand the different roles defined in the OAuth 2.0 spec. Some of the libs play the Authorization Server role, some play the Resource Server role.
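As an added illustration (not code from the question, the answer, or any library), here is a minimal sketch of the web-server authorization-code flow behind the register/login scenarios above: building the redirect with a per-session state value, validating that state on the callback, and the "registration" step the answer says OAuth leaves to your own application. The endpoint, client id and redirect URI are placeholders, and the server-side code-for-token exchange and userinfo fetch are left to an HTTP client.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values: the real endpoint and credentials come from the
# provider's documentation and its developer console.
AUTH_ENDPOINT = "https://provider.example/o/oauth2/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://awesome-site.example/oauth/callback"


def build_auth_url(scopes, session):
    """Step 1: send the user to the Authorization Server.
    A fresh unguessable `state` is kept in the user's session so the
    callback can be tied to the request that started it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, session):
    """Step 3: the provider redirects back with ?code=...&state=...
    The callback is rejected unless `state` matches the stored value,
    which is consumed so a second delivery cannot be replayed."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    if expected is None or qs.get("state", [None])[0] != expected:
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    # The code is exchanged server-side for an access token (not shown);
    # that token then fetches the userinfo passed to link_or_create_user.
    return qs["code"][0]


def link_or_create_user(user_db, provider, userinfo):
    """Step 4: OAuth stops at the token; registration is our own job.
    The local account is keyed on the provider's stable subject id
    (`sub`), not on the email, which can change or be reassigned."""
    key = (provider, userinfo["sub"])
    if key not in user_db:
        user_db[key] = {"email": userinfo.get("email"), "profile_complete": False}
        return user_db[key], True   # newly registered
    return user_db[key], False      # returning user: plain login
```

In a Django view, `session` would be `request.session` and `callback_url` the full URL of the callback request; the login scenario's "1.a" case is simply the provider skipping its own login page because it already has a session for the user.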