OpenID vs OAuth


Here is a single line that will enlighten your world 🙂

“OpenID is a protocol for authentication while OAuth is for authorization”


In OpenID, authentication is delegated:

Server A wants to authenticate user U, but U’s credentials (e.g. U’s name and password) are sent to another server, B, that A trusts (at least, trusts for authenticating users). Server B makes sure that U is indeed U, and then tells A: “ok, that’s the genuine U”.


In OAuth, authorization is delegated:

Entity A obtains from entity B an “access right” which A can show to server S to be granted access; B can thus deliver temporary, specific access keys to A without giving them too much power.


How About OpenID Connect?

OpenID Connect is a way of abusing the fact that if an entity is given some sort of an authorization key, then that entity should have been a valid/real/authenticated entity. If entity A obtains from B an access key through OAuth, and shows it to server S, then server S may infer that B authenticated A before granting the access key, which results in some people using OAuth where they should be using OpenID.
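To make the distinction concrete, here is an added Python sketch (not from the original post) of what separates the two tokens: the OAuth access token B hands out is opaque and scoped, saying only what the bearer may do, while the OpenID Connect ID token is a signed assertion about who was authenticated, and S must verify its signature, issuer, audience, nonce and expiry rather than infer a login from the access token. The issuer URL, client id and HMAC key are constructed placeholders.

```python
import base64, hashlib, hmac, json
from typing import Optional

ISSUER = "https://idp.example"   # hypothetical identity provider (server B)
CLIENT_ID = "app-A"              # hypothetical relying party (entity A / server S)
KEY = b"demo-hs256-key"          # constructed shared secret for HS256 signing

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_tokens(user: str, nonce: str, now: int, aud: str = CLIENT_ID) -> dict:
    """B's response: an opaque, scoped access token plus an HS256-signed ID token."""
    access_token = {"token": b64url(hashlib.sha256(f"{user}:{now}".encode()).digest()),
                    "scope": "read:calendar"}      # authorization only: no identity claims
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": user, "aud": aud,
              "iat": now, "exp": now + 300, "nonce": nonce}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return {"access_token": access_token,
            "id_token": f"{header}.{payload}.{b64url(sig)}"}

def verify_id_token(id_token: str, expected_nonce: str, now: int) -> Optional[str]:
    """S's authentication check: returns the authenticated subject, or None on any failure."""
    try:
        header, payload, sig = id_token.split(".")
        expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None                            # not signed by B
        claims = json.loads(b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None                                # minted by or for someone else
    if claims.get("nonce") != expected_nonce or claims.get("exp", 0) <= now:
        return None                                # replayed or stale
    return claims["sub"]
```

Note that nothing in the access token lets S learn or verify who the user is; only the ID token carries that assertion, and only after the checks above does S know it was made for S.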


Hope this helps.
Good Luck,

original post