What's the difference between OpenID and OAuth?OpenID vs. OAuthWhat is the difference between a URI, a URL and a URN?What exactly is OAuth (Open Authorization)?What is the difference between OpenID and SAML?SAML vs federated login with OAuthOAuth Authorization vs AuthenticationOAuth/OpenID - which should I use?What is the difference between id_token and access_token in Auth0How to do cross-domain authentication securely?How to add OAuth facebook login in Ionic/Angular?Is OAuth and OpenID the right approach in this case?SSO with CAS or OAuth?OpenID vs. OAuthHow is OAuth 2 different from OAuth 1?The difference between using Janrain and OAuth?Why should I use OpenID for Authentication rather than OAuth?What's the difference between OpenID Provider and OpenID WebRing SSO Provider?Can you get a users email with just OpenID?What are the main differences between JWT and OAuth authentication?Differences between SAML/OpenSAML/Shibboleth and OAuth/OpenId

On the expression "sun-down"

How to understand "...to hide the evidence of mishandled magic, or else hidden by castle-proud house-elves" in this sentence

What is it exactly about flying a Flyboard across the English channel that made Zapata's thighs burn?

What is the reason behind water not falling from a bucket at the top of loop?

Why isn't the new LEGO CV joint available on Bricklink or Brickowl?

Are the "muddled thoughts" from Synaptic Static a magical effect?

Can a House-impeached but not Senate-convicted president run for a second term?

Reasons for using monsters as bioweapons

In a KP-K endgame, if the enemy king is in front of the pawn, is it always a draw?

Being told my "network" isn't PCI compliant. I don't even have a server! Do I have to comply?

Went to a big 4 but got fired for underperformance in a year recently - Now every one thinks I'm pro - How to balance expectations?

Feedback diagram

What does "autolyco-sentimental" mean?

Astable 555 circuit not oscillating

Why does Shift-right says it is bound to right?

What is the most 'environmentally friendly' way to learn to fly?

Why did the United States not resort to nuclear weapons in Vietnam?

Partial Fractions: Why does this shortcut method work?

Export economy of Mars

Subverting the essence of fictional and/or religious entities; is it acceptable?

Why are sugars in whole fruits not digested the same way sugars in juice are?

Confused over role of 「自分が」in this particular passage

Why does the friction act on the inward direction when a car makes a turn on a level road?

Meaning of ギャップ in the following sentence



What's the difference between OpenID and OAuth?


OpenID vs. OAuthWhat is the difference between a URI, a URL and a URN?What exactly is OAuth (Open Authorization)?What is the difference between OpenID and SAML?SAML vs federated login with OAuthOAuth Authorization vs AuthenticationOAuth/OpenID - which should I use?What is the difference between id_token and access_token in Auth0How to do cross-domain authentication securely?How to add OAuth facebook login in Ionic/Angular?Is OAuth and OpenID the right approach in this case?SSO with CAS or OAuth?OpenID vs. OAuthHow is OAuth 2 different from OAuth 1?The difference between using Janrain and OAuth?Why should I use OpenID for Authentication rather than OAuth?What's the difference between OpenID Provider and OpenID WebRing SSO Provider?Can you get a users email with just OpenID?What are the main differences between JWT and OAuth authentication?Differences between SAML/OpenSAML/Shibboleth and OAuth/OpenId






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








904















I'm really trying to understand the difference between OpenID and OAuth? Maybe they're two totally separate things?










share|improve this question





















  • 4





    This may be helpful to understand that OAuth is not an authentication framework - while OpenID and OpenID Connect are.. blog.api-security.org/2013/02/…

    – Prabath Siriwardena
    Oct 2 '14 at 3:11






  • 1





    OpenID Connect (2014) combines the features of OpenID 2.0, OpenID Attribute Exchange 1.0, and OAuth 2.0 in a single protocol. security.stackexchange.com/questions/44611/…

    – Michael Freidgeim
    Mar 31 '17 at 22:35






  • 1





    This is a great explanation of the purpose of each standard: stackoverflow.com/a/33704657/557406

    – Charles L.
    May 25 '18 at 19:32

















904















I'm really trying to understand the difference between OpenID and OAuth? Maybe they're two totally separate things?










share|improve this question





















  • 4





    This may be helpful to understand that OAuth is not an authentication framework - while OpenID and OpenID Connect are.. blog.api-security.org/2013/02/…

    – Prabath Siriwardena
    Oct 2 '14 at 3:11






  • 1





    OpenID Connect (2014) combines the features of OpenID 2.0, OpenID Attribute Exchange 1.0, and OAuth 2.0 in a single protocol. security.stackexchange.com/questions/44611/…

    – Michael Freidgeim
    Mar 31 '17 at 22:35






  • 1





    This is a great explanation of the purpose of each standard: stackoverflow.com/a/33704657/557406

    – Charles L.
    May 25 '18 at 19:32













904












904








904


359






I'm really trying to understand the difference between OpenID and OAuth? Maybe they're two totally separate things?










share|improve this question
















I'm really trying to understand the difference between OpenID and OAuth? Maybe they're two totally separate things?







authentication oauth openid






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 29 at 22:22









Chris Catignani

1,0302 gold badges14 silver badges24 bronze badges




1,0302 gold badges14 silver badges24 bronze badges










asked Jul 6 '09 at 13:40









MicahMicah

58.4k74 gold badges215 silver badges311 bronze badges




58.4k74 gold badges215 silver badges311 bronze badges










  • 4





    This may be helpful to understand that OAuth is not an authentication framework - while OpenID and OpenID Connect are.. blog.api-security.org/2013/02/…

    – Prabath Siriwardena
    Oct 2 '14 at 3:11






  • 1





    OpenID Connect (2014) combines the features of OpenID 2.0, OpenID Attribute Exchange 1.0, and OAuth 2.0 in a single protocol. security.stackexchange.com/questions/44611/…

    – Michael Freidgeim
    Mar 31 '17 at 22:35






  • 1





    This is a great explanation of the purpose of each standard: stackoverflow.com/a/33704657/557406

    – Charles L.
    May 25 '18 at 19:32












  • 4





    This may be helpful to understand that OAuth is not an authentication framework - while OpenID and OpenID Connect are.. blog.api-security.org/2013/02/…

    – Prabath Siriwardena
    Oct 2 '14 at 3:11






  • 1





    OpenID Connect (2014) combines the features of OpenID 2.0, OpenID Attribute Exchange 1.0, and OAuth 2.0 in a single protocol. security.stackexchange.com/questions/44611/…

    – Michael Freidgeim
    Mar 31 '17 at 22:35






  • 1





    This is a great explanation of the purpose of each standard: stackoverflow.com/a/33704657/557406

    – Charles L.
    May 25 '18 at 19:32







4




4





This may be helpful to understand that OAuth is not an authentication framework - while OpenID and OpenID Connect are.. blog.api-security.org/2013/02/…

– Prabath Siriwardena
Oct 2 '14 at 3:11





This may be helpful to understand that OAuth is not an authentication framework - while OpenID and OpenID Connect are.. blog.api-security.org/2013/02/…

– Prabath Siriwardena
Oct 2 '14 at 3:11




1




1





OpenID Connect (2014) combines the features of OpenID 2.0, OpenID Attribute Exchange 1.0, and OAuth 2.0 in a single protocol. security.stackexchange.com/questions/44611/…

– Michael Freidgeim
Mar 31 '17 at 22:35





OpenID Connect (2014) combines the features of OpenID 2.0, OpenID Attribute Exchange 1.0, and OAuth 2.0 in a single protocol. security.stackexchange.com/questions/44611/…

– Michael Freidgeim
Mar 31 '17 at 22:35




1




1





This is a great explanation of the purpose of each standard: stackoverflow.com/a/33704657/557406

– Charles L.
May 25 '18 at 19:32





This is a great explanation of the purpose of each standard: stackoverflow.com/a/33704657/557406

– Charles L.
May 25 '18 at 19:32












18 Answers
18






active

oldest

votes


















775














OpenID is about authentication (ie. proving who you are), OAuth is about authorisation (ie. to grant access to functionality/data/etc.. without having to deal with the original authentication).



OAuth could be used in external partner sites to allow access to protected data without them having to re-authenticate a user.



The blog post "OpenID versus OAuth from the user’s perspective" has a simple comparison of the two from the user's perspective and "OAuth-OpenID: You’re Barking Up the Wrong Tree if you Think They’re the Same Thing" has more information about it.






share|improve this answer






















  • 6





    Just comprised all the information got. Hope this OpenID & OAuth Comparison is useful.

    – raksja
    May 21 '12 at 20:19







  • 185





    This is not really true any more. OAuth2 can be used for authentication and authorisation. Google APIs use OAuth 2.0 for authentication and authorization. You can also choose to use Google's authentication system as a way to outsource user authentication for your application. The only downside I can see over OpenID is that you have to implement it on a per-site basis. On the plus side though, it integrates with Android properly.

    – Timmmm
    Jul 23 '12 at 23:17







  • 24





    "OpenID Connect" ensures even more confusion as it is actually an OAuth v2 with a minor extension.

    – Vilmantas Baranauskas
    Sep 16 '13 at 13:40






  • 5





    Single sign on (SSO)

    – Richard
    Mar 18 '16 at 7:09






  • 3





    @Timmmm, "OAuth 2.0 is not an authentication protocol" as they mention here. There's another helpful video here

    – RayLoveless
    Nov 15 '16 at 20:54



















345














There are three ways to compare OAuth and OpenID:



1. Purposes



OpenID was created for federated authentication, that is, letting a third-party authenticate your users for you, by using accounts they already have. The term federated is critical here because the whole point of OpenID is that any provider can be used (with the exception of white-lists). You don't need to pre-choose or negotiate a deal with the providers to allow users to use any other account they have.



OAuth was created to remove the need for users to share their passwords with third-party applications. It actually started as a way to solve an OpenID problem: if you support OpenID on your site, you can't use HTTP Basic credentials (username and password) to provide an API because the users don't have a password on your site.



The problem is with this separation of OpenID for authentication and OAuth for authorization is that both protocols can accomplish many of the same things. They each provide a different set of features which are desired by different implementations but essentially, they are pretty interchangeable. At their core, both protocols are an assertion verification method (OpenID is limited to the 'this is who I am' assertion, while OAuth provides an 'access token' that can be exchanged for any supported assertion via an API).



2. Features



Both protocols provide a way for a site to redirect a user somewhere else and come back with a verifiable assertion. OpenID provides an identity assertion while OAuth is more generic in the form of an access token which can then be used to "ask the OAuth provider questions". However, they each support different features:



OpenID - the most important feature of OpenID is its discovery process. OpenID does not require hard coding each the providers you want to use ahead of time. Using discovery, the user can choose any third-party provider they want to authenticate. This discovery feature has also caused most of OpenID's problems because the way it is implemented is by using HTTP URIs as identifiers which most web users just don't get. Other features OpenID has is its support for ad-hoc client registration using a DH exchange, immediate mode for optimized end-user experience, and a way to verify assertions without making another round-trip to the provider.



OAuth - the most important feature of OAuth is the access token which provides a long lasting method of making additional requests. Unlike OpenID, OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. However, since OAuth does not support discovery, it requires pre-selecting and hard-coding the providers you decide to use. A user visiting your site cannot use any identifier, only those pre-selected by you. Also, OAuth does not have a concept of identity so using it for login means either adding a custom parameter (as done by Twitter) or making another API call to get the currently "logged in" user.



3. Technical Implementations



The two protocols share a common architecture in using redirection to obtain user authorization. In OAuth the user authorizes access to their protected resources and in OpenID, to their identity. But that's all they share.



Each protocol has a different way of calculating a signature used to verify the authenticity of the request or response, and each has different registration requirements.






share|improve this answer






















  • 6





    Thank you, I was having a lot of trouble with the words 'Federated' and 'discovery' in this context and the answer perfectly clears it up.

    – Aditya M P
    Oct 22 '12 at 3:12






  • 3





    A good answer, but I'm slightly confused with "The exception of white-lists". Do you white list exclusions?

    – Crypth
    Jul 9 '13 at 11:53






  • 3





    OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. Not exactly. From rfc6749: The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

    – Eugene Yarmash
    Sep 2 '14 at 10:15



















104














OpenID is (mainly) for identification/authentication, so that stackoverflow.com knows that I own chris.boyle.name (or wherever) and therefore that I am probably the same person who owned chris.boyle.name yesterday and earned some reputation points.



OAuth is designed for authorization to take actions on your behalf, so that stackoverflow.com (or wherever) can ask permission to, say, Tweet on your behalf automatically, without knowing your Twitter password.






share|improve this answer






















  • 22





    But if you have authorized twitter to take actions on your behalf, that implies you are the person who you say you are - so it combines both?

    – David d C e Freitas
    Jan 12 '12 at 11:42






  • 3





    David, you are correct. Google does it this way.

    – Timmmm
    Jul 23 '12 at 23:18







  • 2





    It sounds like with oauth, the 3rd party site would get a token which it could use to perform actions on the oauth provider's site (say, tweet on your behalf), but getting the user's identity (username) isn't built in to the protocol so providers have to add that as a custom resource.

    – onlynone
    Sep 5 '14 at 18:15











  • Is'nt that the case that Stack Overflow or other websites that belong to stackoverflow like serverfault use OAuth for new user signup using google or facebook and OpenID for signup using other website of their domain like serverfault or askubuntu. In OAuth we can restrict what information is flowing from identity provider (facebook) to service provider(stackoverflow). In OpenID we simply give a certificate symbolizing the person as legal and give access to whole database. Since stackoverflow or askubuntu belong to same domain they can exchange certificates with full access to user databases.

    – Revanth Kumar
    May 5 '15 at 23:09






  • 1





    @jlo-gmail OAuth 2.0 includes Refresh Tokens for this purpose: you occasionally use the Refresh Token to get a new Access Token. More info: tools.ietf.org/html/rfc6749#section-1.5

    – Chris Boyle
    Jan 12 '17 at 10:49


















84














Many people still visit this so here's a very simple diagram to explain it



OpenID_vs._pseudo-authentication_using_OAuth



Courtesy Wikipedia






share|improve this answer






















  • 12





    Shouldn't there be one more step in the OAuth example where the android app uses the valet key to communicate with google to find the users identity?

    – onlynone
    Sep 5 '14 at 18:18











  • I think the missing step should be more generic. I.e. it's not so much about identity as it is about data that can be provided via API. I.e. your Google photos or your G-Mail emails that android app could use for whatever purposes. Of course, identity could be accessible via API.

    – satellite779
    Sep 22 '14 at 23:13






  • 2





    For OAuth, should it be "Give me the valet key to your house so I can access / modify (as permitted) your house"?

    – hendryanw
    Apr 20 '16 at 7:35


















40














OAuth



Used for delegated authorization only -- meaning you are authorizing a third-party service access to use personal data, without giving out a password. Also OAuth "sessions" generally live longer than user sessions. Meaning that OAuth is designed to allow authorization



i.e. Flickr uses OAuth to allow third-party services to post and edit a persons picture on their behalf, without them having to give out their flicker username and password.



OpenID



Used to authenticate single sign-on identity. All OpenID is supposed to do is allow an OpenID provider to prove that you say you are. However many sites use identity authentication to provide authorization (however the two can be separated out)



i.e. One shows their passport at the airport to authenticate (or prove) the person's who's name is on the ticket they are using is them.






share|improve this answer




















  • 7





    You could surely use OAuth for authenticating single sign-on as well?

    – Timmmm
    Jul 23 '12 at 23:10


















31














Use OAuth if your users might just want to login with Facebook, or Twitter. Use OpenID if your users are neckbeards that run their own OpenID providers because they "don't want anyone else owning their identity".






share|improve this answer

























  • I really like this explanation. Though I'm more than happy to let Google handle my credentials with their OTP implementation that sits on top of the login.

    – Natalie Adams
    Apr 28 '13 at 21:24


















18














OpenID and OAuth are each HTTP-based protocols for authentication and/or authorization. Both are intended to allow users to perform actions without giving authentication credentials or blanket permissions to clients or third parties. While they are similar, and there are proposed standards to use them both together, they are separate protocols.



OpenID is intended for federated authentication. A client accepts an identity assertion from any provider (although clients are free to whitelist or blacklist providers).



OAuth is intended for delegated authorization. A client registers with a provider, which provides authorization tokens which it will accept to perform actions on the user's behalf.



OAuth is currently better suited for authorization, because further interactions after authentication are built into the protocol, but both protocols are evolving. OpenID and its extensions could be used for authorization, and OAuth can be used for authentication, which can be thought of as a no-op authorization.






share|improve this answer


































    14














    I believe it makes sense revisit this question as also pointed out in the comments, the introduction of OpenID Connect may have brought more confusion.



    OpenID Connect is an authentication protocol like OpenID 1.0/2.0 but it is actually built on top of OAuth 2.0, so you'll get authorization features along with authentication features. The difference between the two is pretty well explained in detail in this (relatively recent, but important) article: http://oauth.net/articles/authentication/






    share|improve this answer
































      13














      The explanation of the difference between OpenID, OAuth, OpenID Connect:




      OpenID is a protocol for authentication while OAuth is for
      authorization. Authentication is about making sure that the guy you
      are talking to is indeed who he claims to be. Authorization is about
      deciding what that guy should be allowed to do.



      In OpenID, authentication is delegated: server A wants to authenticate
      user U, but U's credentials (e.g. U's name and password) are sent to
      another server, B, that A trusts (at least, trusts for authenticating
      users). Indeed, server B makes sure that U is indeed U, and then tells
      to A: "ok, that's the genuine U".



      In OAuth, authorization is delegated: entity A obtains from entity B
      an "access right" which A can show to server S to be granted access; B
      can thus deliver temporary, specific access keys to A without giving
      them too much power. You can imagine an OAuth server as the key master
      in a big hotel; he gives to employees keys which open the doors of the
      rooms that they are supposed to enter, but each key is limited (it
      does not give access to all rooms); furthermore, the keys
      self-destruct after a few hours.



      To some extent, authorization can be abused into some
      pseudo-authentication, on the basis that if entity A obtains from B an
      access key through OAuth, and shows it to server S, then server S may
      infer that B authenticated A before granting the access key. So some
      people use OAuth where they should be using OpenID. This schema may or
      may not be enlightening; but I think this pseudo-authentication is
      more confusing than anything. OpenID Connect does just that: it abuses
      OAuth into an authentication protocol. In the hotel analogy: if I
      encounter a purported employee and that person shows me that he has a
      key which opens my room, then I suppose that this is a true employee,
      on the basis that the key master would not have given him a key which
      opens my room if he was not.




      (source)




      How is OpenID Connect different than OpenID 2.0?



      OpenID Connect performs many of the same tasks as OpenID 2.0, but does
      so in a way that is API-friendly, and usable by native and mobile
      applications. OpenID Connect defines optional mechanisms for robust
      signing and encryption. Whereas integration of OAuth 1.0a and OpenID
      2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.




      (source)




      OpenID connect will give you an access token plus an id token. The id
      token is a JWT and contains information about the authenticated user.
      It is signed by the identity provider and can be read and verified
      without accessing the identity provider.



      In addition, OpenID connect standardizes quite a couple things that
      oauth2 leaves up to choice. for instance scopes, endpoint discovery,
      and dynamic registration of clients.



      This makes it easier to write code that lets the user choose between
      multiple identity providers.




      (source)



      Google's OAuth 2.0




      Google's OAuth 2.0 APIs can be used for both authentication and
      authorization. This document describes our OAuth 2.0 implementation
      for authentication, which conforms to the OpenID Connect
      specification, and is OpenID Certified. The documentation found in
      Using OAuth 2.0 to Access Google APIs also applies to this service. If
      you want to explore this protocol interactively, we recommend the
      Google OAuth 2.0 Playground.




      (source)






      share|improve this answer






















      • 2





        Nice Explanation. +1 for that.

        – Ataur Rahman Munna
        Aug 27 '17 at 6:57



















      11














      More an extension to the question than an answer, but it may add some perspective to the great technical answers above. I'm an experienced programmer in a number of areas, but a total noob to programming for the web. Now trying to build a web-based application using Zend Framework.



      Definitely will implement an application-specific basic username/password authentication interface, but recognize that for a growing number of users the thought of yet another username and password is a deterrent. While not exactly social networking, I know that a very large percentage of the application's potential users already have facebook or twitter accounts. The application doesn't really want or need to access information about the user's account from those sites, it just wants to offer the convenience of not requiring the user to set up new account credentials if they don't want to. From a functionality point of view, that would seem a poster child for OpenID. But it seems that neither facebook nor twitter are OpenID providers as such, though they do support OAuth authentication to access their user's data.



      In all the articles I've read about the two and how they differ, it wan't until I saw Karl Anderson's observation above, that "OAuth can be used for authentication, which can be thought of as a no-op authorization" that I saw any explicit confirmation that OAuth was good enough for what I wanted to do.



      In fact, when I went to post this "answer", not being a member at the time, I looked long and hard at the bottom of this page at the options for identifying myself. The option for using an OpenID login or obtaining one if I didn't have one, but nothing about twitter or facebook, seemed to suggest that OAuth wasn't adequate for the job. But then I opened another window and looked for the general signup process for stackoverflow - and lo and behold there's a slew of 3rd-party authentication options including facebook and twitter. In the end I decided to use my google id (which is an OpenID) for exactly the reason that I didn't want to grant stackoverflow access to my friends list and anything else facebook likes to share about its users - but at least it's a proof point that OAuth is adequate for the use I had in mind.



      It would really be great if someone could either post info or pointers to info about supporting this kind of multiple 3rd-part authorization setup, and how you deal with users that revoke authorization or lose access to their 3rd party site. I also get the impression that my username here identifies a unique stackoverflow account that I could access with basic authentication if I wanted to set it up, and also access this same account through other 3rd-party authenticators (e.g. so that I would be considered logged in to stackoverflow if I was logged in to any of google, facebook, or twitter...). Since this site is doing it, somebody here probably has some pretty good insight on the subject. :-)



      Sorry this was so long, and more a question than an answer - but Karl's remark made it seem like the most appropriate place to post amidst the volume of threads on OAuth and OpenID. If there's a better place for this that I didn't find, I apologize in advance, I did try.






      share|improve this answer


































        9















        • OpenID is an open standard and decentralized authentication protocol controlled by the OpenID Foundation.


        • OAuth is an open standard for access delegation.


        • OpenID Connect (OIDC) Combines the features of OpenID and OAuth i.e. does both Authentication and Authorization.

        OpenID take the form of a unique URI managed by some "OpenID provider" i.e identity provider (idP).



        OAuth can be used in conjunction with XACML where OAuth is used for ownership consent and access delegation whereas XACML is used to define the authorization policies.



        OIDC uses simple JSON Web Tokens (JWT), which you can obtain using flows conforming to the OAuth 2.0 specifications. OAuth is directly related to OIDC since OIDC is an authentication layer built on top of OAuth 2.0.



        enter image description here



        For example, if you chose to sign in to Auth0 using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize Auth0 to access your information, Google will send back to Auth0 information about the user and the authentication performed. This information is returned in a JSON Web Token (JWT). You'll receive an Access Token and, if requested, an ID Token. Types of Token : Source: OpenID Connect



        Analogy:

        An Organisation use ID card for identification purpose and it contains chips, it stores details about Employee along with Authorization i.e. Campus/Gate/ODC access. ID Card act as a OIDC and Chip act as a OAuth. more examples and form wiki






        share|improve this answer


































          3














          OpenID proves who you are.



          OAuth grants access to the features provided by the authorizing party.






          share|improve this answer






















          • 1





            OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ?

            – Hassan Tareq
            Jun 21 '17 at 1:57


















          1














          I am currently working on OAuth 2.0 and OpenID connect spec. So here is my understanding:
          Earlier they were:



          1. OpenID was proprietary implementation of Google allowing third party applications like for newspaper websites you can login using google and comment on an article and so on other usecases. So essentially, no password sharing to newspaper website. Let me put up a definition here, this approach in enterprise approach is called Federation. In Federation, You have a server where you authenticate and authorize (called IDP, Identity Provider) and generally the keeper of User credentials. the client application where you have business is called SP or Service Provider. If we go back to same newspaper website example then newspaper website is SP here and Google is IDP. In enterprise this problem was earlier solved using SAML. that time XML used to rule the software industry. So from webservices to configuration, everything used to go to XML so we have SAML, a complete Federation protocol


          2. OAuth: OAuth saw it's emergence as an standard looking at all these kind of proprietary approaches and so we had OAuth 1.o as standard but addressing only authorization. Not many people noticed but it kind of started picking up. Then we had OAuth 2.0 in 2012. CTOs, Architects really started paying attention as world is moving towards Cloud computing and with computing devices moving towards mobile and other such devices. OAuth kind of looked upon as solving major problem where software customers might give IDP Service to one company and have many services from different vendors like salesforce, SAP, etc. So integration here really looks like federation scenario bit one big problem, using SAML is costly so let's explore OAuth 2.o. Ohh, missed one important point that during this time, Google sensed that OAuth actually doesn't address Authentication, how will IDP give user data to SP (which is actually wonderfully addressed in SAML) and with other loose ends like:



            a. OAuth 2.o doesn't clearly say, how client registration will happen
            b. it doesn't mention anything about the interaction between SP (Resource Server) and client application (like Analytics Server providing data is Resource Server and application displaying that data is Client)



          There are already wonderful answers given here technically, I thought of giving of giving brief evolution perspective






          share|improve this answer


































            0














            OpenId uses OAuth to deal with authentication.



            By analogy, it's like .NET relies on Windows API. You could directly call Windows API but it's so wide, complex and method arguments so vast, you could easily make mistakes/bugs/security issue.



            Same with OpenId/OAuth. OpenId relies on OAuth to manage Authentication but defining a specific Token (Id_token), digital signature and particular flows.






            share|improve this answer
































              0














              I'd like to address a particular aspect of this question, as captured in this comment:




              OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ? – Hassan Makarov Jun 21 at 1:57




              Yes... and no. The answer is subtle, so bear with me.



              When the OAuth flow redirects you to a target service (the OAuth provider, that is), it is likely that you'll need to authenticate with that service before a token will be handed back to the client application/service. The resulting token then allows the client app to make requests on behalf of a given user.



              Note the generality of that last sentence: specifically, I wrote "on behalf of a given user", not "on behalf of you". It's a common error to assume that "having a capability to interact with a resource owned by a given user" implies "you and the owner of the target resource(s) are one in the same".



              Don't make this mistake.



              While it's true that you authenticate with the OAuth provider (say, by user name and password, or maybe SSL client certs, or some other means), what the client gets in return should not necessarily be taken as proof of identity. An example would be a flow in which access to another user's resources was delegated to you (and by proxy, the OAuth client). Authorization does not imply authentication.



              To handle authentication, you'll likely want to look into OpenID Connect, which is essentially another layer on top of the foundation set by OAuth 2.0. Here's a quote that captures (in my opinion) the most salient points regarding OpenID Connect (from https://oauth.net/articles/authentication/):




              OpenID Connect is an open standard published in early 2014 that defines an interoperable way to use OAuth 2.0 to perform user authentication. In essence, it is a widely published recipe for chocolate fudge that has been tried and tested by a wide number and variety of experts. Instead of building a different protocol to each potential identity provider, an application can speak one protocol to as many providers as they want to work with. Since it's an open standard, OpenID Connect can be implemented by anyone without restriction or intellectual property concerns.



              OpenID Connect is built directly on OAuth 2.0 and in most cases is deployed right along with (or on top of) an OAuth infrastructure. OpenID Connect also uses the JSON Object Signing And Encryption (JOSE) suite of specifications for carrying signed and encrypted information around in different places. In fact, an OAuth 2.0 deployment with JOSE capabilities is already a long way to defining a fully compliant OpenID Connect system, and the delta between the two is relatively small. But that delta makes a big difference, and OpenID Connect manages to avoid many of the pitfalls discussed above by adding several key components to the OAuth base: [...]




              The document then goes on to describe (among other things) token IDs and a UserInfo endpoint. The former provides a set of claims (who you are, when the token was issued, etc, and possibly a signature to verify the authenticity of the token via a published public key without having to ask the upstream service), and the latter provides a means of e.g. asking for the user's first/last name, email, and similar bits of info, all in a standardized way (as opposed to the ad-hoc extensions to OAuth that people used before OpenID Connect standardized things).






              share|improve this answer
































                0














                Both protocols were created for different reasons. OAuth was created to authorize third parties to access resources. OpenID was created to perform decentralize identity validation. This website states the following:



                OAuth is a protocol designed to verify the identity of an end-user and to grant permissions to a third party. This verification results in a token. The third party can use this token to access resources on the user’s behalf. Tokens have a scope. The scope is used to verify whether a resource is accessible to a user, or not



                OpenID is a protocol used for decentralised authentication. Authentication is about identity; Establishing the user is in fact the person who he claims to be. Decentralising that, means this service is unaware of the existence of any resources or applications that need to be protected. That’s the key difference between OAuth and OpenID.






                share|improve this answer
































                  0














                  OAuth 2.0 is a Security protocol. It is NEITHER an Authentication NOR an Authorization protocol.



                  Authentication by definition the answers two questions.



                  1. Who is the user?

                  2. Is the user currently present on the system?

                  OAuth 2.0 has the following grant types



                  • client_credentials: When one app needs to interact with another app and modify the data of multiple users.

                  • authorization_code: User delegates the Authorization server to issue an access_token that the client can use to access protected resource

                  • refresh_token: When the access_token expires, the refresh token can be leveraged to get a fresh access_token

                  • password: User provides their login credentials to a client that calls the Authorization server and receives an access_token

                  All 4 have one thing in common, access_token, an artifact that can be used to access protected resource.



                  The access_token does not provide the answer to the 2 questions that an "Authentication" protocol must answer.



                  An example to explain Oauth 2.0 (credits: OAuth 2 in Action, Manning publications)



                  Let's talk about chocolate. We can make many confections out of chocolate including, fudge, ice cream, and cake. But, none of these can be equated to chocolate because multiple other ingredients such as cream and bread are needed to make the confection, even though chocolate sounds like the main ingredient. Similarly, OAuth 2.0 is the chocolate, and cookies, TLS infrastucture, Identity Providers are other ingredients that are required to provide the "Authentication" functionality.



                  If you want Authentication, you may go for OpenID Connect, which provides an "id_token", apart from an access_token, that answers the questions that every authentication protocol must answer.






                  share|improve this answer
































                    -5














                    OAuth builds authentication on top of authorization: The user delegates access to their identity to the application, which, then, becomes a consumer of the identity API, thereby finding out who authorized the client in the first place http://oauth.net/articles/authentication/






                    share|improve this answer



























                      Your Answer






                      StackExchange.ifUsing("editor", function ()
                      StackExchange.using("externalEditor", function ()
                      StackExchange.using("snippets", function ()
                      StackExchange.snippets.init();
                      );
                      );
                      , "code-snippets");

                      StackExchange.ready(function()
                      var channelOptions =
                      tags: "".split(" "),
                      id: "1"
                      ;
                      initTagRenderer("".split(" "), "".split(" "), channelOptions);

                      StackExchange.using("externalEditor", function()
                      // Have to fire editor after snippets, if snippets enabled
                      if (StackExchange.settings.snippets.snippetsEnabled)
                      StackExchange.using("snippets", function()
                      createEditor();
                      );

                      else
                      createEditor();

                      );

                      function createEditor()
                      StackExchange.prepareEditor(
                      heartbeatType: 'answer',
                      autoActivateHeartbeat: false,
                      convertImagesToLinks: true,
                      noModals: true,
                      showLowRepImageUploadWarning: true,
                      reputationToPostImages: 10,
                      bindNavPrevention: true,
                      postfix: "",
                      imageUploader:
                      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                      allowUrls: true
                      ,
                      onDemand: true,
                      discardSelector: ".discard-answer"
                      ,immediatelyShowMarkdownHelp:true
                      );



                      );













                      draft saved

                      draft discarded


















                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f1087031%2fwhats-the-difference-between-openid-and-oauth%23new-answer', 'question_page');

                      );

                      Post as a guest















                      Required, but never shown

























                      18 Answers
                      18






                      active

                      oldest

                      votes








                      18 Answers
                      18






                      active

                      oldest

                      votes









                      active

                      oldest

                      votes






                      active

                      oldest

                      votes









                      775














                      OpenID is about authentication (ie. proving who you are), OAuth is about authorisation (ie. to grant access to functionality/data/etc.. without having to deal with the original authentication).



                      OAuth could be used in external partner sites to allow access to protected data without them having to re-authenticate a user.



                      The blog post "OpenID versus OAuth from the user’s perspective" has a simple comparison of the two from the user's perspective and "OAuth-OpenID: You’re Barking Up the Wrong Tree if you Think They’re the Same Thing" has more information about it.






                      share|improve this answer






















                      • 6





                        Just comprised all the information got. Hope this OpenID & OAuth Comparison is useful.

                        – raksja
                        May 21 '12 at 20:19







                      • 185





                        This is not really true any more. OAuth2 can be used for authentication and authorisation. Google APIs use OAuth 2.0 for authentication and authorization. You can also choose to use Google's authentication system as a way to outsource user authentication for your application. The only downside I can see over OpenID is that you have to implement it on a per-site basis. On the plus side though, it integrates with Android properly.

                        – Timmmm
                        Jul 23 '12 at 23:17







                      • 24





                        "OpenID Connect" ensures even more confusion as it is actually an OAuth v2 with a minor extension.

                        – Vilmantas Baranauskas
                        Sep 16 '13 at 13:40






                      • 5





                        Single sign on (SSO)

                        – Richard
                        Mar 18 '16 at 7:09






                      • 3





                        @Timmmm, "OAuth 2.0 is not an authentication protocol" as they mention here. There's another helpful video here

                        – RayLoveless
                        Nov 15 '16 at 20:54
















                      775














                      OpenID is about authentication (ie. proving who you are), OAuth is about authorisation (ie. to grant access to functionality/data/etc.. without having to deal with the original authentication).



                      OAuth could be used in external partner sites to allow access to protected data without them having to re-authenticate a user.



                      The blog post "OpenID versus OAuth from the user’s perspective" has a simple comparison of the two from the user's perspective and "OAuth-OpenID: You’re Barking Up the Wrong Tree if you Think They’re the Same Thing" has more information about it.






                      share|improve this answer






















                      • 6





                        Just comprised all the information got. Hope this OpenID & OAuth Comparison is useful.

                        – raksja
                        May 21 '12 at 20:19







                      • 185





                        This is not really true any more. OAuth2 can be used for authentication and authorisation. Google APIs use OAuth 2.0 for authentication and authorization. You can also choose to use Google's authentication system as a way to outsource user authentication for your application. The only downside I can see over OpenID is that you have to implement it on a per-site basis. On the plus side though, it integrates with Android properly.

                        – Timmmm
                        Jul 23 '12 at 23:17







                      • 24





                        "OpenID Connect" ensures even more confusion as it is actually an OAuth v2 with a minor extension.

                        – Vilmantas Baranauskas
                        Sep 16 '13 at 13:40






                      • 5





                        Single sign on (SSO)

                        – Richard
                        Mar 18 '16 at 7:09






                      • 3





                        @Timmmm, "OAuth 2.0 is not an authentication protocol" as they mention here. There's another helpful video here

                        – RayLoveless
                        Nov 15 '16 at 20:54














                      775












                      775








                      775







                      OpenID is about authentication (ie. proving who you are), OAuth is about authorisation (ie. to grant access to functionality/data/etc.. without having to deal with the original authentication).



                      OAuth could be used in external partner sites to allow access to protected data without them having to re-authenticate a user.



                      The blog post "OpenID versus OAuth from the user’s perspective" has a simple comparison of the two from the user's perspective and "OAuth-OpenID: You’re Barking Up the Wrong Tree if you Think They’re the Same Thing" has more information about it.






                      share|improve this answer















                      OpenID is about authentication (ie. proving who you are), OAuth is about authorisation (ie. to grant access to functionality/data/etc.. without having to deal with the original authentication).



                      OAuth could be used in external partner sites to allow access to protected data without them having to re-authenticate a user.



                      The blog post "OpenID versus OAuth from the user’s perspective" has a simple comparison of the two from the user's perspective and "OAuth-OpenID: You’re Barking Up the Wrong Tree if you Think They’re the Same Thing" has more information about it.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Jul 6 '09 at 14:08









                      pupeno

                      110k102 gold badges281 silver badges458 bronze badges




                      110k102 gold badges281 silver badges458 bronze badges










                      answered Jul 6 '09 at 13:47









                      adrianbanksadrianbanks

                      68.5k18 gold badges150 silver badges188 bronze badges




                      68.5k18 gold badges150 silver badges188 bronze badges










                      • 6





                        Just comprised all the information got. Hope this OpenID & OAuth Comparison is useful.

                        – raksja
                        May 21 '12 at 20:19







                      • 185





                        This is not really true any more. OAuth2 can be used for authentication and authorisation. Google APIs use OAuth 2.0 for authentication and authorization. You can also choose to use Google's authentication system as a way to outsource user authentication for your application. The only downside I can see over OpenID is that you have to implement it on a per-site basis. On the plus side though, it integrates with Android properly.

                        – Timmmm
                        Jul 23 '12 at 23:17







                      • 24





                        "OpenID Connect" ensures even more confusion as it is actually an OAuth v2 with a minor extension.

                        – Vilmantas Baranauskas
                        Sep 16 '13 at 13:40






                      • 5





                        Single sign on (SSO)

                        – Richard
                        Mar 18 '16 at 7:09






                      • 3





                        @Timmmm, "OAuth 2.0 is not an authentication protocol" as they mention here. There's another helpful video here

                        – RayLoveless
                        Nov 15 '16 at 20:54













                      • 6





                        Just comprised all the information got. Hope this OpenID & OAuth Comparison is useful.

                        – raksja
                        May 21 '12 at 20:19







                      • 185





                        This is not really true any more. OAuth2 can be used for authentication and authorisation. Google APIs use OAuth 2.0 for authentication and authorization. You can also choose to use Google's authentication system as a way to outsource user authentication for your application. The only downside I can see over OpenID is that you have to implement it on a per-site basis. On the plus side though, it integrates with Android properly.

                        – Timmmm
                        Jul 23 '12 at 23:17







                      • 24





                        "OpenID Connect" ensures even more confusion as it is actually an OAuth v2 with a minor extension.

                        – Vilmantas Baranauskas
                        Sep 16 '13 at 13:40






                      • 5





                        Single sign on (SSO)

                        – Richard
                        Mar 18 '16 at 7:09






                      • 3





                        @Timmmm, "OAuth 2.0 is not an authentication protocol" as they mention here. There's another helpful video here

                        – RayLoveless
                        Nov 15 '16 at 20:54








                      6




                      6





                      Just comprised all the information got. Hope this OpenID & OAuth Comparison is useful.

                      – raksja
                      May 21 '12 at 20:19






                      Just comprised all the information got. Hope this OpenID & OAuth Comparison is useful.

                      – raksja
                      May 21 '12 at 20:19





                      185




                      185





                      This is not really true any more. OAuth2 can be used for authentication and authorisation. Google APIs use OAuth 2.0 for authentication and authorization. You can also choose to use Google's authentication system as a way to outsource user authentication for your application. The only downside I can see over OpenID is that you have to implement it on a per-site basis. On the plus side though, it integrates with Android properly.

                      – Timmmm
                      Jul 23 '12 at 23:17






                      This is not really true any more. OAuth2 can be used for authentication and authorisation. Google APIs use OAuth 2.0 for authentication and authorization. You can also choose to use Google's authentication system as a way to outsource user authentication for your application. The only downside I can see over OpenID is that you have to implement it on a per-site basis. On the plus side though, it integrates with Android properly.

                      – Timmmm
                      Jul 23 '12 at 23:17





                      24




                      24





                      "OpenID Connect" ensures even more confusion as it is actually an OAuth v2 with a minor extension.

                      – Vilmantas Baranauskas
                      Sep 16 '13 at 13:40





                      "OpenID Connect" ensures even more confusion as it is actually an OAuth v2 with a minor extension.

                      – Vilmantas Baranauskas
                      Sep 16 '13 at 13:40




                      5




                      5





                      Single sign on (SSO)

                      – Richard
                      Mar 18 '16 at 7:09





                      Single sign on (SSO)

                      – Richard
                      Mar 18 '16 at 7:09




                      3




                      3





                      @Timmmm, "OAuth 2.0 is not an authentication protocol" as they mention here. There's another helpful video here

                      – RayLoveless
                      Nov 15 '16 at 20:54






                      @Timmmm, "OAuth 2.0 is not an authentication protocol" as they mention here. There's another helpful video here

                      – RayLoveless
                      Nov 15 '16 at 20:54














                      345














                      There are three ways to compare OAuth and OpenID:



                      1. Purposes



                      OpenID was created for federated authentication, that is, letting a third-party authenticate your users for you, by using accounts they already have. The term federated is critical here because the whole point of OpenID is that any provider can be used (with the exception of white-lists). You don't need to pre-choose or negotiate a deal with the providers to allow users to use any other account they have.



                      OAuth was created to remove the need for users to share their passwords with third-party applications. It actually started as a way to solve an OpenID problem: if you support OpenID on your site, you can't use HTTP Basic credentials (username and password) to provide an API because the users don't have a password on your site.



                      The problem is with this separation of OpenID for authentication and OAuth for authorization is that both protocols can accomplish many of the same things. They each provide a different set of features which are desired by different implementations but essentially, they are pretty interchangeable. At their core, both protocols are an assertion verification method (OpenID is limited to the 'this is who I am' assertion, while OAuth provides an 'access token' that can be exchanged for any supported assertion via an API).



                      2. Features



                      Both protocols provide a way for a site to redirect a user somewhere else and come back with a verifiable assertion. OpenID provides an identity assertion while OAuth is more generic in the form of an access token which can then be used to "ask the OAuth provider questions". However, they each support different features:



                      OpenID - the most important feature of OpenID is its discovery process. OpenID does not require hard coding each the providers you want to use ahead of time. Using discovery, the user can choose any third-party provider they want to authenticate. This discovery feature has also caused most of OpenID's problems because the way it is implemented is by using HTTP URIs as identifiers which most web users just don't get. Other features OpenID has is its support for ad-hoc client registration using a DH exchange, immediate mode for optimized end-user experience, and a way to verify assertions without making another round-trip to the provider.



                      OAuth - the most important feature of OAuth is the access token which provides a long lasting method of making additional requests. Unlike OpenID, OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. However, since OAuth does not support discovery, it requires pre-selecting and hard-coding the providers you decide to use. A user visiting your site cannot use any identifier, only those pre-selected by you. Also, OAuth does not have a concept of identity so using it for login means either adding a custom parameter (as done by Twitter) or making another API call to get the currently "logged in" user.



                      3. Technical Implementations



                      The two protocols share a common architecture in using redirection to obtain user authorization. In OAuth the user authorizes access to their protected resources and in OpenID, to their identity. But that's all they share.



                      Each protocol has a different way of calculating a signature used to verify the authenticity of the request or response, and each has different registration requirements.






                      share|improve this answer






















                      • 6





                        Thank you, I was having a lot of trouble with the words 'Federated' and 'discovery' in this context and the answer perfectly clears it up.

                        – Aditya M P
                        Oct 22 '12 at 3:12






                      • 3





                        A good answer, but I'm slightly confused with "The exception of white-lists". Do you white list exclusions?

                        – Crypth
                        Jul 9 '13 at 11:53






                      • 3





                        OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. Not exactly. From rfc6749: The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

                        – Eugene Yarmash
                        Sep 2 '14 at 10:15
















                      345














                      There are three ways to compare OAuth and OpenID:



                      1. Purposes



                      OpenID was created for federated authentication, that is, letting a third-party authenticate your users for you, by using accounts they already have. The term federated is critical here because the whole point of OpenID is that any provider can be used (with the exception of white-lists). You don't need to pre-choose or negotiate a deal with the providers to allow users to use any other account they have.



                      OAuth was created to remove the need for users to share their passwords with third-party applications. It actually started as a way to solve an OpenID problem: if you support OpenID on your site, you can't use HTTP Basic credentials (username and password) to provide an API because the users don't have a password on your site.



                      The problem is with this separation of OpenID for authentication and OAuth for authorization is that both protocols can accomplish many of the same things. They each provide a different set of features which are desired by different implementations but essentially, they are pretty interchangeable. At their core, both protocols are an assertion verification method (OpenID is limited to the 'this is who I am' assertion, while OAuth provides an 'access token' that can be exchanged for any supported assertion via an API).



                      2. Features



                      Both protocols provide a way for a site to redirect a user somewhere else and come back with a verifiable assertion. OpenID provides an identity assertion while OAuth is more generic in the form of an access token which can then be used to "ask the OAuth provider questions". However, they each support different features:



                      OpenID - the most important feature of OpenID is its discovery process. OpenID does not require hard coding each the providers you want to use ahead of time. Using discovery, the user can choose any third-party provider they want to authenticate. This discovery feature has also caused most of OpenID's problems because the way it is implemented is by using HTTP URIs as identifiers which most web users just don't get. Other features OpenID has is its support for ad-hoc client registration using a DH exchange, immediate mode for optimized end-user experience, and a way to verify assertions without making another round-trip to the provider.



                      OAuth - the most important feature of OAuth is the access token which provides a long lasting method of making additional requests. Unlike OpenID, OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. However, since OAuth does not support discovery, it requires pre-selecting and hard-coding the providers you decide to use. A user visiting your site cannot use any identifier, only those pre-selected by you. Also, OAuth does not have a concept of identity so using it for login means either adding a custom parameter (as done by Twitter) or making another API call to get the currently "logged in" user.



                      3. Technical Implementations



                      The two protocols share a common architecture in using redirection to obtain user authorization. In OAuth the user authorizes access to their protected resources and in OpenID, to their identity. But that's all they share.



                      Each protocol has a different way of calculating a signature used to verify the authenticity of the request or response, and each has different registration requirements.






                      share|improve this answer






















                      • 6





                        Thank you, I was having a lot of trouble with the words 'Federated' and 'discovery' in this context and the answer perfectly clears it up.

                        – Aditya M P
                        Oct 22 '12 at 3:12






                      • 3





                        A good answer, but I'm slightly confused with "The exception of white-lists". Do you white list exclusions?

                        – Crypth
                        Jul 9 '13 at 11:53






                      • 3





                        OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. Not exactly. From rfc6749: The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

                        – Eugene Yarmash
                        Sep 2 '14 at 10:15














                      345












                      345








                      345







                      There are three ways to compare OAuth and OpenID:



                      1. Purposes



                      OpenID was created for federated authentication, that is, letting a third-party authenticate your users for you, by using accounts they already have. The term federated is critical here because the whole point of OpenID is that any provider can be used (with the exception of white-lists). You don't need to pre-choose or negotiate a deal with the providers to allow users to use any other account they have.



                      OAuth was created to remove the need for users to share their passwords with third-party applications. It actually started as a way to solve an OpenID problem: if you support OpenID on your site, you can't use HTTP Basic credentials (username and password) to provide an API because the users don't have a password on your site.



                      The problem is with this separation of OpenID for authentication and OAuth for authorization is that both protocols can accomplish many of the same things. They each provide a different set of features which are desired by different implementations but essentially, they are pretty interchangeable. At their core, both protocols are an assertion verification method (OpenID is limited to the 'this is who I am' assertion, while OAuth provides an 'access token' that can be exchanged for any supported assertion via an API).



                      2. Features



                      Both protocols provide a way for a site to redirect a user somewhere else and come back with a verifiable assertion. OpenID provides an identity assertion while OAuth is more generic in the form of an access token which can then be used to "ask the OAuth provider questions". However, they each support different features:



                      OpenID - the most important feature of OpenID is its discovery process. OpenID does not require hard coding each the providers you want to use ahead of time. Using discovery, the user can choose any third-party provider they want to authenticate. This discovery feature has also caused most of OpenID's problems because the way it is implemented is by using HTTP URIs as identifiers which most web users just don't get. Other features OpenID has is its support for ad-hoc client registration using a DH exchange, immediate mode for optimized end-user experience, and a way to verify assertions without making another round-trip to the provider.



                      OAuth - the most important feature of OAuth is the access token which provides a long lasting method of making additional requests. Unlike OpenID, OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. However, since OAuth does not support discovery, it requires pre-selecting and hard-coding the providers you decide to use. A user visiting your site cannot use any identifier, only those pre-selected by you. Also, OAuth does not have a concept of identity so using it for login means either adding a custom parameter (as done by Twitter) or making another API call to get the currently "logged in" user.



                      3. Technical Implementations



                      The two protocols share a common architecture in using redirection to obtain user authorization. In OAuth the user authorizes access to their protected resources and in OpenID, to their identity. But that's all they share.



                      Each protocol has a different way of calculating a signature used to verify the authenticity of the request or response, and each has different registration requirements.






                      share|improve this answer















                      There are three ways to compare OAuth and OpenID:



                      1. Purposes



                      OpenID was created for federated authentication, that is, letting a third-party authenticate your users for you, by using accounts they already have. The term federated is critical here because the whole point of OpenID is that any provider can be used (with the exception of white-lists). You don't need to pre-choose or negotiate a deal with the providers to allow users to use any other account they have.



                      OAuth was created to remove the need for users to share their passwords with third-party applications. It actually started as a way to solve an OpenID problem: if you support OpenID on your site, you can't use HTTP Basic credentials (username and password) to provide an API because the users don't have a password on your site.



                      The problem is with this separation of OpenID for authentication and OAuth for authorization is that both protocols can accomplish many of the same things. They each provide a different set of features which are desired by different implementations but essentially, they are pretty interchangeable. At their core, both protocols are an assertion verification method (OpenID is limited to the 'this is who I am' assertion, while OAuth provides an 'access token' that can be exchanged for any supported assertion via an API).



                      2. Features



                      Both protocols provide a way for a site to redirect a user somewhere else and come back with a verifiable assertion. OpenID provides an identity assertion while OAuth is more generic in the form of an access token which can then be used to "ask the OAuth provider questions". However, they each support different features:



                      OpenID - the most important feature of OpenID is its discovery process. OpenID does not require hard coding each the providers you want to use ahead of time. Using discovery, the user can choose any third-party provider they want to authenticate. This discovery feature has also caused most of OpenID's problems because the way it is implemented is by using HTTP URIs as identifiers which most web users just don't get. Other features OpenID has is its support for ad-hoc client registration using a DH exchange, immediate mode for optimized end-user experience, and a way to verify assertions without making another round-trip to the provider.



                      OAuth - the most important feature of OAuth is the access token which provides a long lasting method of making additional requests. Unlike OpenID, OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. However, since OAuth does not support discovery, it requires pre-selecting and hard-coding the providers you decide to use. A user visiting your site cannot use any identifier, only those pre-selected by you. Also, OAuth does not have a concept of identity so using it for login means either adding a custom parameter (as done by Twitter) or making another API call to get the currently "logged in" user.



                      3. Technical Implementations



                      The two protocols share a common architecture in using redirection to obtain user authorization. In OAuth the user authorizes access to their protected resources and in OpenID, to their identity. But that's all they share.



                      Each protocol has a different way of calculating a signature used to verify the authenticity of the request or response, and each has different registration requirements.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Jul 26 '16 at 4:27


























                      community wiki





                      7 revs, 7 users 67%
                      Eran Hammer











                      • 6





                        Thank you, I was having a lot of trouble with the words 'Federated' and 'discovery' in this context and the answer perfectly clears it up.

                        – Aditya M P
                        Oct 22 '12 at 3:12






                      • 3





                        A good answer, but I'm slightly confused with "The exception of white-lists". Do you white list exclusions?

                        – Crypth
                        Jul 9 '13 at 11:53






                      • 3





                        OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. Not exactly. From rfc6749: The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

                        – Eugene Yarmash
                        Sep 2 '14 at 10:15













                      • 6





                        Thank you, I was having a lot of trouble with the words 'Federated' and 'discovery' in this context and the answer perfectly clears it up.

                        – Aditya M P
                        Oct 22 '12 at 3:12






                      • 3





                        A good answer, but I'm slightly confused with "The exception of white-lists". Do you white list exclusions?

                        – Crypth
                        Jul 9 '13 at 11:53






                      • 3





                        OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. Not exactly. From rfc6749: The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

                        – Eugene Yarmash
                        Sep 2 '14 at 10:15








                      6




                      6





                      Thank you, I was having a lot of trouble with the words 'Federated' and 'discovery' in this context and the answer perfectly clears it up.

                      – Aditya M P
                      Oct 22 '12 at 3:12





                      Thank you, I was having a lot of trouble with the words 'Federated' and 'discovery' in this context and the answer perfectly clears it up.

                      – Aditya M P
                      Oct 22 '12 at 3:12




                      3




                      3





                      A good answer, but I'm slightly confused with "The exception of white-lists". Do you white list exclusions?

                      – Crypth
                      Jul 9 '13 at 11:53





                      A good answer, but I'm slightly confused with "The exception of white-lists". Do you white list exclusions?

                      – Crypth
                      Jul 9 '13 at 11:53




                      3




                      3





                      OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. Not exactly. From rfc6749: The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

                      – Eugene Yarmash
                      Sep 2 '14 at 10:15






                      OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. Not exactly. From rfc6749: The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

                      – Eugene Yarmash
                      Sep 2 '14 at 10:15












                      104














                      OpenID is (mainly) for identification/authentication, so that stackoverflow.com knows that I own chris.boyle.name (or wherever) and therefore that I am probably the same person who owned chris.boyle.name yesterday and earned some reputation points.



                      OAuth is designed for authorization to take actions on your behalf, so that stackoverflow.com (or wherever) can ask permission to, say, Tweet on your behalf automatically, without knowing your Twitter password.






                      share|improve this answer






















                      • 22





                        But if you have authorized twitter to take actions on your behalf, that implies you are the person who you say you are - so it combines both?

                        – David d C e Freitas
                        Jan 12 '12 at 11:42






                      • 3





                        David, you are correct. Google does it this way.

                        – Timmmm
                        Jul 23 '12 at 23:18







                      • 2





                        It sounds like with oauth, the 3rd party site would get a token which it could use to perform actions on the oauth provider's site (say, tweet on your behalf), but getting the user's identity (username) isn't built in to the protocol so providers have to add that as a custom resource.

                        – onlynone
                        Sep 5 '14 at 18:15











                      • Is'nt that the case that Stack Overflow or other websites that belong to stackoverflow like serverfault use OAuth for new user signup using google or facebook and OpenID for signup using other website of their domain like serverfault or askubuntu. In OAuth we can restrict what information is flowing from identity provider (facebook) to service provider(stackoverflow). In OpenID we simply give a certificate symbolizing the person as legal and give access to whole database. Since stackoverflow or askubuntu belong to same domain they can exchange certificates with full access to user databases.

                        – Revanth Kumar
                        May 5 '15 at 23:09






                      • 1





                        @jlo-gmail OAuth 2.0 includes Refresh Tokens for this purpose: you occasionally use the Refresh Token to get a new Access Token. More info: tools.ietf.org/html/rfc6749#section-1.5

                        – Chris Boyle
                        Jan 12 '17 at 10:49















                      104














                      OpenID is (mainly) for identification/authentication, so that stackoverflow.com knows that I own chris.boyle.name (or wherever) and therefore that I am probably the same person who owned chris.boyle.name yesterday and earned some reputation points.



                      OAuth is designed for authorization to take actions on your behalf, so that stackoverflow.com (or wherever) can ask permission to, say, Tweet on your behalf automatically, without knowing your Twitter password.






                      share|improve this answer






















                      • 22





                        But if you have authorized twitter to take actions on your behalf, that implies you are the person who you say you are - so it combines both?

                        – David d C e Freitas
                        Jan 12 '12 at 11:42






                      • 3





                        David, you are correct. Google does it this way.

                        – Timmmm
                        Jul 23 '12 at 23:18







                      • 2





                        It sounds like with oauth, the 3rd party site would get a token which it could use to perform actions on the oauth provider's site (say, tweet on your behalf), but getting the user's identity (username) isn't built in to the protocol so providers have to add that as a custom resource.

                        – onlynone
                        Sep 5 '14 at 18:15











                      • Is'nt that the case that Stack Overflow or other websites that belong to stackoverflow like serverfault use OAuth for new user signup using google or facebook and OpenID for signup using other website of their domain like serverfault or askubuntu. In OAuth we can restrict what information is flowing from identity provider (facebook) to service provider(stackoverflow). In OpenID we simply give a certificate symbolizing the person as legal and give access to whole database. Since stackoverflow or askubuntu belong to same domain they can exchange certificates with full access to user databases.

                        – Revanth Kumar
                        May 5 '15 at 23:09






                      • 1





                        @jlo-gmail OAuth 2.0 includes Refresh Tokens for this purpose: you occasionally use the Refresh Token to get a new Access Token. More info: tools.ietf.org/html/rfc6749#section-1.5

                        – Chris Boyle
                        Jan 12 '17 at 10:49













                      104












                      104








                      104







                      OpenID is (mainly) for identification/authentication, so that stackoverflow.com knows that I own chris.boyle.name (or wherever) and therefore that I am probably the same person who owned chris.boyle.name yesterday and earned some reputation points.



                      OAuth is designed for authorization to take actions on your behalf, so that stackoverflow.com (or wherever) can ask permission to, say, Tweet on your behalf automatically, without knowing your Twitter password.






                      share|improve this answer















                      OpenID is (mainly) for identification/authentication, so that stackoverflow.com knows that I own chris.boyle.name (or wherever) and therefore that I am probably the same person who owned chris.boyle.name yesterday and earned some reputation points.



                      OAuth is designed for authorization to take actions on your behalf, so that stackoverflow.com (or wherever) can ask permission to, say, Tweet on your behalf automatically, without knowing your Twitter password.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Aug 4 '15 at 18:42









                      huysentruitw

                      20.7k6 gold badges59 silver badges107 bronze badges




                      20.7k6 gold badges59 silver badges107 bronze badges










                      answered Jul 6 '09 at 13:45









                      Chris BoyleChris Boyle

                      9,2087 gold badges43 silver badges60 bronze badges




                      9,2087 gold badges43 silver badges60 bronze badges










                      • 22





                        But if you have authorized twitter to take actions on your behalf, that implies you are the person who you say you are - so it combines both?

                        – David d C e Freitas
                        Jan 12 '12 at 11:42






                      • 3





                        David, you are correct. Google does it this way.

                        – Timmmm
                        Jul 23 '12 at 23:18







                      • 2





                        It sounds like with oauth, the 3rd party site would get a token which it could use to perform actions on the oauth provider's site (say, tweet on your behalf), but getting the user's identity (username) isn't built in to the protocol so providers have to add that as a custom resource.

                        – onlynone
                        Sep 5 '14 at 18:15











                      • Is'nt that the case that Stack Overflow or other websites that belong to stackoverflow like serverfault use OAuth for new user signup using google or facebook and OpenID for signup using other website of their domain like serverfault or askubuntu. In OAuth we can restrict what information is flowing from identity provider (facebook) to service provider(stackoverflow). In OpenID we simply give a certificate symbolizing the person as legal and give access to whole database. Since stackoverflow or askubuntu belong to same domain they can exchange certificates with full access to user databases.

                        – Revanth Kumar
                        May 5 '15 at 23:09






                      • 1





                        @jlo-gmail OAuth 2.0 includes Refresh Tokens for this purpose: you occasionally use the Refresh Token to get a new Access Token. More info: tools.ietf.org/html/rfc6749#section-1.5

                        – Chris Boyle
                        Jan 12 '17 at 10:49












                      • 22





                        But if you have authorized twitter to take actions on your behalf, that implies you are the person who you say you are - so it combines both?

                        – David d C e Freitas
                        Jan 12 '12 at 11:42






                      • 3





                        David, you are correct. Google does it this way.

                        – Timmmm
                        Jul 23 '12 at 23:18







                      • 2





                        It sounds like with oauth, the 3rd party site would get a token which it could use to perform actions on the oauth provider's site (say, tweet on your behalf), but getting the user's identity (username) isn't built in to the protocol so providers have to add that as a custom resource.

                        – onlynone
                        Sep 5 '14 at 18:15











                      • Is'nt that the case that Stack Overflow or other websites that belong to stackoverflow like serverfault use OAuth for new user signup using google or facebook and OpenID for signup using other website of their domain like serverfault or askubuntu. In OAuth we can restrict what information is flowing from identity provider (facebook) to service provider(stackoverflow). In OpenID we simply give a certificate symbolizing the person as legal and give access to whole database. Since stackoverflow or askubuntu belong to same domain they can exchange certificates with full access to user databases.

                        – Revanth Kumar
                        May 5 '15 at 23:09






                      • 1





                        @jlo-gmail OAuth 2.0 includes Refresh Tokens for this purpose: you occasionally use the Refresh Token to get a new Access Token. More info: tools.ietf.org/html/rfc6749#section-1.5

                        – Chris Boyle
                        Jan 12 '17 at 10:49







                      22




                      22





                      But if you have authorized twitter to take actions on your behalf, that implies you are the person who you say you are - so it combines both?

                      – David d C e Freitas
                      Jan 12 '12 at 11:42





                      But if you have authorized twitter to take actions on your behalf, that implies you are the person who you say you are - so it combines both?

                      – David d C e Freitas
                      Jan 12 '12 at 11:42




                      3




                      3





                      David, you are correct. Google does it this way.

                      – Timmmm
                      Jul 23 '12 at 23:18






                      David, you are correct. Google does it this way.

                      – Timmmm
                      Jul 23 '12 at 23:18





                      2




                      2





                      It sounds like with oauth, the 3rd party site would get a token which it could use to perform actions on the oauth provider's site (say, tweet on your behalf), but getting the user's identity (username) isn't built in to the protocol so providers have to add that as a custom resource.

                      – onlynone
                      Sep 5 '14 at 18:15





                      It sounds like with oauth, the 3rd party site would get a token which it could use to perform actions on the oauth provider's site (say, tweet on your behalf), but getting the user's identity (username) isn't built in to the protocol so providers have to add that as a custom resource.

                      – onlynone
                      Sep 5 '14 at 18:15













                      Is'nt that the case that Stack Overflow or other websites that belong to stackoverflow like serverfault use OAuth for new user signup using google or facebook and OpenID for signup using other website of their domain like serverfault or askubuntu. In OAuth we can restrict what information is flowing from identity provider (facebook) to service provider(stackoverflow). In OpenID we simply give a certificate symbolizing the person as legal and give access to whole database. Since stackoverflow or askubuntu belong to same domain they can exchange certificates with full access to user databases.

                      – Revanth Kumar
                      May 5 '15 at 23:09





                      Is'nt that the case that Stack Overflow or other websites that belong to stackoverflow like serverfault use OAuth for new user signup using google or facebook and OpenID for signup using other website of their domain like serverfault or askubuntu. In OAuth we can restrict what information is flowing from identity provider (facebook) to service provider(stackoverflow). In OpenID we simply give a certificate symbolizing the person as legal and give access to whole database. Since stackoverflow or askubuntu belong to same domain they can exchange certificates with full access to user databases.

                      – Revanth Kumar
                      May 5 '15 at 23:09




                      1




                      1





                      @jlo-gmail OAuth 2.0 includes Refresh Tokens for this purpose: you occasionally use the Refresh Token to get a new Access Token. More info: tools.ietf.org/html/rfc6749#section-1.5

                      – Chris Boyle
                      Jan 12 '17 at 10:49





                      @jlo-gmail OAuth 2.0 includes Refresh Tokens for this purpose: you occasionally use the Refresh Token to get a new Access Token. More info: tools.ietf.org/html/rfc6749#section-1.5

                      – Chris Boyle
                      Jan 12 '17 at 10:49











                      84














                      Many people still visit this so here's a very simple diagram to explain it



                      OpenID_vs._pseudo-authentication_using_OAuth



                      Courtesy Wikipedia






                      share|improve this answer






















                      • 12





                        Shouldn't there be one more step in the OAuth example where the android app uses the valet key to communicate with google to find the users identity?

                        – onlynone
                        Sep 5 '14 at 18:18











                      • I think the missing step should be more generic. I.e. it's not so much about identity as it is about data that can be provided via API. I.e. your Google photos or your G-Mail emails that android app could use for whatever purposes. Of course, identity could be accessible via API.

                        – satellite779
                        Sep 22 '14 at 23:13






                      • 2





                        For OAuth, should it be "Give me the valet key to your house so I can access / modify (as permitted) your house"?

                        – hendryanw
                        Apr 20 '16 at 7:35















                      84














                      Many people still visit this so here's a very simple diagram to explain it



                      OpenID_vs._pseudo-authentication_using_OAuth



                      Courtesy Wikipedia






                      share|improve this answer






















                      • 12





                        Shouldn't there be one more step in the OAuth example where the android app uses the valet key to communicate with google to find the users identity?

                        – onlynone
                        Sep 5 '14 at 18:18











                      • I think the missing step should be more generic. I.e. it's not so much about identity as it is about data that can be provided via API. I.e. your Google photos or your G-Mail emails that android app could use for whatever purposes. Of course, identity could be accessible via API.

                        – satellite779
                        Sep 22 '14 at 23:13






                      • 2





                        For OAuth, should it be "Give me the valet key to your house so I can access / modify (as permitted) your house"?

                        – hendryanw
                        Apr 20 '16 at 7:35













                      84












                      84








                      84







                      Many people still visit this so here's a very simple diagram to explain it



                      OpenID_vs._pseudo-authentication_using_OAuth



                      Courtesy Wikipedia






                      share|improve this answer















                      Many people still visit this so here's a very simple diagram to explain it



                      OpenID_vs._pseudo-authentication_using_OAuth



                      Courtesy Wikipedia







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Apr 26 '15 at 23:11









                      KyleMit

                      61.2k39 gold badges268 silver badges429 bronze badges




                      61.2k39 gold badges268 silver badges429 bronze badges










                      answered May 19 '14 at 8:37









                      Vrashabh IrdeVrashabh Irde

                      12.4k3 gold badges44 silver badges89 bronze badges




                      12.4k3 gold badges44 silver badges89 bronze badges










                      • 12





                        Shouldn't there be one more step in the OAuth example where the android app uses the valet key to communicate with google to find the users identity?

                        – onlynone
                        Sep 5 '14 at 18:18











                      • I think the missing step should be more generic. I.e. it's not so much about identity as it is about data that can be provided via API. I.e. your Google photos or your G-Mail emails that android app could use for whatever purposes. Of course, identity could be accessible via API.

                        – satellite779
                        Sep 22 '14 at 23:13






                      • 2





                        For OAuth, should it be "Give me the valet key to your house so I can access / modify (as permitted) your house"?

                        – hendryanw
                        Apr 20 '16 at 7:35












                      • 12





                        Shouldn't there be one more step in the OAuth example where the android app uses the valet key to communicate with google to find the users identity?

                        – onlynone
                        Sep 5 '14 at 18:18











                      • I think the missing step should be more generic. I.e. it's not so much about identity as it is about data that can be provided via API. I.e. your Google photos or your G-Mail emails that android app could use for whatever purposes. Of course, identity could be accessible via API.

                        – satellite779
                        Sep 22 '14 at 23:13






                      • 2





                        For OAuth, should it be "Give me the valet key to your house so I can access / modify (as permitted) your house"?

                        – hendryanw
                        Apr 20 '16 at 7:35







                      12




                      12





                      Shouldn't there be one more step in the OAuth example where the android app uses the valet key to communicate with google to find the users identity?

                      – onlynone
                      Sep 5 '14 at 18:18





                      Shouldn't there be one more step in the OAuth example where the android app uses the valet key to communicate with google to find the users identity?

                      – onlynone
                      Sep 5 '14 at 18:18













                      I think the missing step should be more generic. I.e. it's not so much about identity as it is about data that can be provided via API. I.e. your Google photos or your G-Mail emails that android app could use for whatever purposes. Of course, identity could be accessible via API.

                      – satellite779
                      Sep 22 '14 at 23:13





                      I think the missing step should be more generic. I.e. it's not so much about identity as it is about data that can be provided via API. I.e. your Google photos or your G-Mail emails that android app could use for whatever purposes. Of course, identity could be accessible via API.

                      – satellite779
                      Sep 22 '14 at 23:13




                      2




                      2





                      For OAuth, should it be "Give me the valet key to your house so I can access / modify (as permitted) your house"?

                      – hendryanw
                      Apr 20 '16 at 7:35





                      For OAuth, should it be "Give me the valet key to your house so I can access / modify (as permitted) your house"?

                      – hendryanw
                      Apr 20 '16 at 7:35











                      40














                      OAuth



                      Used for delegated authorization only -- meaning you are authorizing a third-party service access to use personal data, without giving out a password. Also OAuth "sessions" generally live longer than user sessions. Meaning that OAuth is designed to allow authorization



                      i.e. Flickr uses OAuth to allow third-party services to post and edit a persons picture on their behalf, without them having to give out their flicker username and password.



                      OpenID



                      Used to authenticate single sign-on identity. All OpenID is supposed to do is allow an OpenID provider to prove that you say you are. However many sites use identity authentication to provide authorization (however the two can be separated out)



                      i.e. One shows their passport at the airport to authenticate (or prove) the person's who's name is on the ticket they are using is them.






                      share|improve this answer




















                      • 7





                        You could surely use OAuth for authenticating single sign-on as well?

                        – Timmmm
                        Jul 23 '12 at 23:10















                      40














                      OAuth



                      Used for delegated authorization only -- meaning you are authorizing a third-party service access to use personal data, without giving out a password. Also OAuth "sessions" generally live longer than user sessions. Meaning that OAuth is designed to allow authorization



                      i.e. Flickr uses OAuth to allow third-party services to post and edit a persons picture on their behalf, without them having to give out their flicker username and password.



                      OpenID



                      Used to authenticate single sign-on identity. All OpenID is supposed to do is allow an OpenID provider to prove that you say you are. However many sites use identity authentication to provide authorization (however the two can be separated out)



                      i.e. One shows their passport at the airport to authenticate (or prove) the person's who's name is on the ticket they are using is them.






                      share|improve this answer




















                      • 7





                        You could surely use OAuth for authenticating single sign-on as well?

                        – Timmmm
                        Jul 23 '12 at 23:10













                      40












                      40








                      40







                      OAuth



                      Used for delegated authorization only -- meaning you are authorizing a third-party service access to use personal data, without giving out a password. Also OAuth "sessions" generally live longer than user sessions. Meaning that OAuth is designed to allow authorization



                      i.e. Flickr uses OAuth to allow third-party services to post and edit a persons picture on their behalf, without them having to give out their flicker username and password.



                      OpenID



                      Used to authenticate single sign-on identity. All OpenID is supposed to do is allow an OpenID provider to prove that you say you are. However many sites use identity authentication to provide authorization (however the two can be separated out)



                      i.e. One shows their passport at the airport to authenticate (or prove) the person's who's name is on the ticket they are using is them.






                      share|improve this answer













                      OAuth



                      Used for delegated authorization only -- meaning you are authorizing a third-party service access to use personal data, without giving out a password. Also OAuth "sessions" generally live longer than user sessions. Meaning that OAuth is designed to allow authorization



                      i.e. Flickr uses OAuth to allow third-party services to post and edit a persons picture on their behalf, without them having to give out their flicker username and password.



                      OpenID



                      Used to authenticate single sign-on identity. All OpenID is supposed to do is allow an OpenID provider to prove that you say you are. However many sites use identity authentication to provide authorization (however the two can be separated out)



                      i.e. One shows their passport at the airport to authenticate (or prove) the person's who's name is on the ticket they are using is them.







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Jul 6 '09 at 20:15









                      nullnull

                      5,4234 gold badges21 silver badges27 bronze badges




                      5,4234 gold badges21 silver badges27 bronze badges










                      • 7





                        You could surely use OAuth for authenticating single sign-on as well?

                        – Timmmm
                        Jul 23 '12 at 23:10












                      • 7





                        You could surely use OAuth for authenticating single sign-on as well?

                        – Timmmm
                        Jul 23 '12 at 23:10







                      7




                      7





                      You could surely use OAuth for authenticating single sign-on as well?

                      – Timmmm
                      Jul 23 '12 at 23:10





                      You could surely use OAuth for authenticating single sign-on as well?

                      – Timmmm
                      Jul 23 '12 at 23:10











                      31














                      Use OAuth if your users might just want to login with Facebook, or Twitter. Use OpenID if your users are neckbeards that run their own OpenID providers because they "don't want anyone else owning their identity".






                      share|improve this answer

























                      • I really like this explanation. Though I'm more than happy to let Google handle my credentials with their OTP implementation that sits on top of the login.

                        – Natalie Adams
                        Apr 28 '13 at 21:24















                      31














                      Use OAuth if your users might just want to login with Facebook, or Twitter. Use OpenID if your users are neckbeards that run their own OpenID providers because they "don't want anyone else owning their identity".






                      share|improve this answer

























                      • I really like this explanation. Though I'm more than happy to let Google handle my credentials with their OTP implementation that sits on top of the login.

                        – Natalie Adams
                        Apr 28 '13 at 21:24













                      31












                      31








                      31







                      Use OAuth if your users might just want to login with Facebook, or Twitter. Use OpenID if your users are neckbeards that run their own OpenID providers because they "don't want anyone else owning their identity".






                      share|improve this answer













                      Use OAuth if your users might just want to login with Facebook, or Twitter. Use OpenID if your users are neckbeards that run their own OpenID providers because they "don't want anyone else owning their identity".







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Mar 20 '12 at 19:37









                      Jesse HattabaughJesse Hattabaugh

                      3,9095 gold badges28 silver badges33 bronze badges




                      3,9095 gold badges28 silver badges33 bronze badges















                      • I really like this explanation. Though I'm more than happy to let Google handle my credentials with their OTP implementation that sits on top of the login.

                        – Natalie Adams
                        Apr 28 '13 at 21:24

















                      • I really like this explanation. Though I'm more than happy to let Google handle my credentials with their OTP implementation that sits on top of the login.

                        – Natalie Adams
                        Apr 28 '13 at 21:24
















                      I really like this explanation. Though I'm more than happy to let Google handle my credentials with their OTP implementation that sits on top of the login.

                      – Natalie Adams
                      Apr 28 '13 at 21:24





                      I really like this explanation. Though I'm more than happy to let Google handle my credentials with their OTP implementation that sits on top of the login.

                      – Natalie Adams
                      Apr 28 '13 at 21:24











                      18














                      OpenID and OAuth are each HTTP-based protocols for authentication and/or authorization. Both are intended to allow users to perform actions without giving authentication credentials or blanket permissions to clients or third parties. While they are similar, and there are proposed standards to use them both together, they are separate protocols.



                      OpenID is intended for federated authentication. A client accepts an identity assertion from any provider (although clients are free to whitelist or blacklist providers).



                      OAuth is intended for delegated authorization. A client registers with a provider, which provides authorization tokens which it will accept to perform actions on the user's behalf.



                      OAuth is currently better suited for authorization, because further interactions after authentication are built into the protocol, but both protocols are evolving. OpenID and its extensions could be used for authorization, and OAuth can be used for authentication, which can be thought of as a no-op authorization.






                      share|improve this answer































                        18














                        OpenID and OAuth are each HTTP-based protocols for authentication and/or authorization. Both are intended to allow users to perform actions without giving authentication credentials or blanket permissions to clients or third parties. While they are similar, and there are proposed standards to use them both together, they are separate protocols.



                        OpenID is intended for federated authentication. A client accepts an identity assertion from any provider (although clients are free to whitelist or blacklist providers).



                        OAuth is intended for delegated authorization. A client registers with a provider, which provides authorization tokens which it will accept to perform actions on the user's behalf.



                        OAuth is currently better suited for authorization, because further interactions after authentication are built into the protocol, but both protocols are evolving. OpenID and its extensions could be used for authorization, and OAuth can be used for authentication, which can be thought of as a no-op authorization.






                        share|improve this answer





























                          18












                          18








                          18







                          OpenID and OAuth are each HTTP-based protocols for authentication and/or authorization. Both are intended to allow users to perform actions without giving authentication credentials or blanket permissions to clients or third parties. While they are similar, and there are proposed standards to use them both together, they are separate protocols.



                          OpenID is intended for federated authentication. A client accepts an identity assertion from any provider (although clients are free to whitelist or blacklist providers).



                          OAuth is intended for delegated authorization. A client registers with a provider, which provides authorization tokens which it will accept to perform actions on the user's behalf.



                          OAuth is currently better suited for authorization, because further interactions after authentication are built into the protocol, but both protocols are evolving. OpenID and its extensions could be used for authorization, and OAuth can be used for authentication, which can be thought of as a no-op authorization.






                          share|improve this answer















                          OpenID and OAuth are each HTTP-based protocols for authentication and/or authorization. Both are intended to allow users to perform actions without giving authentication credentials or blanket permissions to clients or third parties. While they are similar, and there are proposed standards to use them both together, they are separate protocols.



                          OpenID is intended for federated authentication. A client accepts an identity assertion from any provider (although clients are free to whitelist or blacklist providers).



                          OAuth is intended for delegated authorization. A client registers with a provider, which provides authorization tokens which it will accept to perform actions on the user's behalf.



                          OAuth is currently better suited for authorization, because further interactions after authentication are built into the protocol, but both protocols are evolving. OpenID and its extensions could be used for authorization, and OAuth can be used for authentication, which can be thought of as a no-op authorization.







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Aug 28 '09 at 20:52

























                          answered Aug 27 '09 at 23:27









                          Karl AndersonKarl Anderson

                          1,62811 silver badges16 bronze badges




                          1,62811 silver badges16 bronze badges
























                              14














                              I believe it makes sense revisit this question as also pointed out in the comments, the introduction of OpenID Connect may have brought more confusion.



                              OpenID Connect is an authentication protocol like OpenID 1.0/2.0 but it is actually built on top of OAuth 2.0, so you'll get authorization features along with authentication features. The difference between the two is pretty well explained in detail in this (relatively recent, but important) article: http://oauth.net/articles/authentication/






                              share|improve this answer





























                                14














                                I believe it makes sense revisit this question as also pointed out in the comments, the introduction of OpenID Connect may have brought more confusion.



                                OpenID Connect is an authentication protocol like OpenID 1.0/2.0 but it is actually built on top of OAuth 2.0, so you'll get authorization features along with authentication features. The difference between the two is pretty well explained in detail in this (relatively recent, but important) article: http://oauth.net/articles/authentication/






                                share|improve this answer



























                                  14












                                  14








                                  14







                                  I believe it makes sense revisit this question as also pointed out in the comments, the introduction of OpenID Connect may have brought more confusion.



                                  OpenID Connect is an authentication protocol like OpenID 1.0/2.0 but it is actually built on top of OAuth 2.0, so you'll get authorization features along with authentication features. The difference between the two is pretty well explained in detail in this (relatively recent, but important) article: http://oauth.net/articles/authentication/






                                  share|improve this answer













                                  I believe it makes sense revisit this question as also pointed out in the comments, the introduction of OpenID Connect may have brought more confusion.



                                  OpenID Connect is an authentication protocol like OpenID 1.0/2.0 but it is actually built on top of OAuth 2.0, so you'll get authorization features along with authentication features. The difference between the two is pretty well explained in detail in this (relatively recent, but important) article: http://oauth.net/articles/authentication/







                                  share|improve this answer












                                  share|improve this answer



                                  share|improve this answer










                                  answered Jan 12 '15 at 11:18









                                  Hans Z.Hans Z.

                                  31.2k7 gold badges60 silver badges87 bronze badges




                                  31.2k7 gold badges60 silver badges87 bronze badges
























                                      13














                                      The explanation of the difference between OpenID, OAuth, OpenID Connect:




                                      OpenID is a protocol for authentication while OAuth is for
                                      authorization. Authentication is about making sure that the guy you
                                      are talking to is indeed who he claims to be. Authorization is about
                                      deciding what that guy should be allowed to do.



                                      In OpenID, authentication is delegated: server A wants to authenticate
                                      user U, but U's credentials (e.g. U's name and password) are sent to
                                      another server, B, that A trusts (at least, trusts for authenticating
                                      users). Indeed, server B makes sure that U is indeed U, and then tells
                                      to A: "ok, that's the genuine U".



                                      In OAuth, authorization is delegated: entity A obtains from entity B
                                      an "access right" which A can show to server S to be granted access; B
                                      can thus deliver temporary, specific access keys to A without giving
                                      them too much power. You can imagine an OAuth server as the key master
                                      in a big hotel; he gives to employees keys which open the doors of the
                                      rooms that they are supposed to enter, but each key is limited (it
                                      does not give access to all rooms); furthermore, the keys
                                      self-destruct after a few hours.



                                      To some extent, authorization can be abused into some
                                      pseudo-authentication, on the basis that if entity A obtains from B an
                                      access key through OAuth, and shows it to server S, then server S may
                                      infer that B authenticated A before granting the access key. So some
                                      people use OAuth where they should be using OpenID. This schema may or
                                      may not be enlightening; but I think this pseudo-authentication is
                                      more confusing than anything. OpenID Connect does just that: it abuses
                                      OAuth into an authentication protocol. In the hotel analogy: if I
                                      encounter a purported employee and that person shows me that he has a
                                      key which opens my room, then I suppose that this is a true employee,
                                      on the basis that the key master would not have given him a key which
                                      opens my room if he was not.




                                      (source)




                                      How is OpenID Connect different than OpenID 2.0?



                                      OpenID Connect performs many of the same tasks as OpenID 2.0, but does
                                      so in a way that is API-friendly, and usable by native and mobile
                                      applications. OpenID Connect defines optional mechanisms for robust
                                      signing and encryption. Whereas integration of OAuth 1.0a and OpenID
                                      2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.




                                      (source)




                                      OpenID connect will give you an access token plus an id token. The id
                                      token is a JWT and contains information about the authenticated user.
                                      It is signed by the identity provider and can be read and verified
                                      without accessing the identity provider.



                                      In addition, OpenID connect standardizes quite a couple things that
                                      oauth2 leaves up to choice. for instance scopes, endpoint discovery,
                                      and dynamic registration of clients.



                                      This makes it easier to write code that lets the user choose between
                                      multiple identity providers.




                                      (source)



                                      Google's OAuth 2.0




                                      Google's OAuth 2.0 APIs can be used for both authentication and
                                      authorization. This document describes our OAuth 2.0 implementation
                                      for authentication, which conforms to the OpenID Connect
                                      specification, and is OpenID Certified. The documentation found in
                                      Using OAuth 2.0 to Access Google APIs also applies to this service. If
                                      you want to explore this protocol interactively, we recommend the
                                      Google OAuth 2.0 Playground.




                                      (source)






                                      share|improve this answer






















                                      • 2





                                        Nice Explanation. +1 for that.

                                        – Ataur Rahman Munna
                                        Aug 27 '17 at 6:57
















                                      13














                                      The explanation of the difference between OpenID, OAuth, OpenID Connect:




                                      OpenID is a protocol for authentication while OAuth is for
                                      authorization. Authentication is about making sure that the guy you
                                      are talking to is indeed who he claims to be. Authorization is about
                                      deciding what that guy should be allowed to do.



                                      In OpenID, authentication is delegated: server A wants to authenticate
                                      user U, but U's credentials (e.g. U's name and password) are sent to
                                      another server, B, that A trusts (at least, trusts for authenticating
                                      users). Indeed, server B makes sure that U is indeed U, and then tells
                                      to A: "ok, that's the genuine U".



                                      In OAuth, authorization is delegated: entity A obtains from entity B
                                      an "access right" which A can show to server S to be granted access; B
                                      can thus deliver temporary, specific access keys to A without giving
                                      them too much power. You can imagine an OAuth server as the key master
                                      in a big hotel; he gives to employees keys which open the doors of the
                                      rooms that they are supposed to enter, but each key is limited (it
                                      does not give access to all rooms); furthermore, the keys
                                      self-destruct after a few hours.



                                      To some extent, authorization can be abused into some
                                      pseudo-authentication, on the basis that if entity A obtains from B an
                                      access key through OAuth, and shows it to server S, then server S may
                                      infer that B authenticated A before granting the access key. So some
                                      people use OAuth where they should be using OpenID. This schema may or
                                      may not be enlightening; but I think this pseudo-authentication is
                                      more confusing than anything. OpenID Connect does just that: it abuses
                                      OAuth into an authentication protocol. In the hotel analogy: if I
                                      encounter a purported employee and that person shows me that he has a
                                      key which opens my room, then I suppose that this is a true employee,
                                      on the basis that the key master would not have given him a key which
                                      opens my room if he was not.




                                      (source)




                                      How is OpenID Connect different than OpenID 2.0?



                                      OpenID Connect performs many of the same tasks as OpenID 2.0, but does
                                      so in a way that is API-friendly, and usable by native and mobile
                                      applications. OpenID Connect defines optional mechanisms for robust
                                      signing and encryption. Whereas integration of OAuth 1.0a and OpenID
                                      2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.




                                      (source)




                                      OpenID connect will give you an access token plus an id token. The id
                                      token is a JWT and contains information about the authenticated user.
                                      It is signed by the identity provider and can be read and verified
                                      without accessing the identity provider.



                                      In addition, OpenID connect standardizes quite a couple things that
                                      oauth2 leaves up to choice. for instance scopes, endpoint discovery,
                                      and dynamic registration of clients.



                                      This makes it easier to write code that lets the user choose between
                                      multiple identity providers.




                                      (source)



                                      Google's OAuth 2.0




                                      Google's OAuth 2.0 APIs can be used for both authentication and
                                      authorization. This document describes our OAuth 2.0 implementation
                                      for authentication, which conforms to the OpenID Connect
                                      specification, and is OpenID Certified. The documentation found in
                                      Using OAuth 2.0 to Access Google APIs also applies to this service. If
                                      you want to explore this protocol interactively, we recommend the
                                      Google OAuth 2.0 Playground.




                                      (source)






                                      share|improve this answer






















                                      • 2





                                        Nice Explanation. +1 for that.

                                        – Ataur Rahman Munna
                                        Aug 27 '17 at 6:57














                                      13












                                      13








                                      13







                                      The explanation of the difference between OpenID, OAuth, OpenID Connect:




                                      OpenID is a protocol for authentication while OAuth is for
                                      authorization. Authentication is about making sure that the guy you
                                      are talking to is indeed who he claims to be. Authorization is about
                                      deciding what that guy should be allowed to do.



                                      In OpenID, authentication is delegated: server A wants to authenticate
                                      user U, but U's credentials (e.g. U's name and password) are sent to
                                      another server, B, that A trusts (at least, trusts for authenticating
                                      users). Indeed, server B makes sure that U is indeed U, and then tells
                                      to A: "ok, that's the genuine U".



                                      In OAuth, authorization is delegated: entity A obtains from entity B
                                      an "access right" which A can show to server S to be granted access; B
                                      can thus deliver temporary, specific access keys to A without giving
                                      them too much power. You can imagine an OAuth server as the key master
                                      in a big hotel; he gives to employees keys which open the doors of the
                                      rooms that they are supposed to enter, but each key is limited (it
                                      does not give access to all rooms); furthermore, the keys
                                      self-destruct after a few hours.



                                      To some extent, authorization can be abused into some
                                      pseudo-authentication, on the basis that if entity A obtains from B an
                                      access key through OAuth, and shows it to server S, then server S may
                                      infer that B authenticated A before granting the access key. So some
                                      people use OAuth where they should be using OpenID. This schema may or
                                      may not be enlightening; but I think this pseudo-authentication is
                                      more confusing than anything. OpenID Connect does just that: it abuses
                                      OAuth into an authentication protocol. In the hotel analogy: if I
                                      encounter a purported employee and that person shows me that he has a
                                      key which opens my room, then I suppose that this is a true employee,
                                      on the basis that the key master would not have given him a key which
                                      opens my room if he was not.




                                      (source)




                                      How is OpenID Connect different than OpenID 2.0?



                                      OpenID Connect performs many of the same tasks as OpenID 2.0, but does
                                      so in a way that is API-friendly, and usable by native and mobile
                                      applications. OpenID Connect defines optional mechanisms for robust
                                      signing and encryption. Whereas integration of OAuth 1.0a and OpenID
                                      2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.




                                      (source)




                                      OpenID connect will give you an access token plus an id token. The id
                                      token is a JWT and contains information about the authenticated user.
                                      It is signed by the identity provider and can be read and verified
                                      without accessing the identity provider.



                                      In addition, OpenID connect standardizes quite a couple things that
                                      oauth2 leaves up to choice. for instance scopes, endpoint discovery,
                                      and dynamic registration of clients.



                                      This makes it easier to write code that lets the user choose between
                                      multiple identity providers.




                                      (source)



                                      Google's OAuth 2.0




                                      Google's OAuth 2.0 APIs can be used for both authentication and
                                      authorization. This document describes our OAuth 2.0 implementation
                                      for authentication, which conforms to the OpenID Connect
                                      specification, and is OpenID Certified. The documentation found in
                                      Using OAuth 2.0 to Access Google APIs also applies to this service. If
                                      you want to explore this protocol interactively, we recommend the
                                      Google OAuth 2.0 Playground.




                                      (source)






                                      share|improve this answer















                                      The explanation of the difference between OpenID, OAuth, OpenID Connect:




                                      OpenID is a protocol for authentication while OAuth is for
                                      authorization. Authentication is about making sure that the guy you
                                      are talking to is indeed who he claims to be. Authorization is about
                                      deciding what that guy should be allowed to do.



                                      In OpenID, authentication is delegated: server A wants to authenticate
                                      user U, but U's credentials (e.g. U's name and password) are sent to
                                      another server, B, that A trusts (at least, trusts for authenticating
                                      users). Indeed, server B makes sure that U is indeed U, and then tells
                                      to A: "ok, that's the genuine U".



                                      In OAuth, authorization is delegated: entity A obtains from entity B
                                      an "access right" which A can show to server S to be granted access; B
                                      can thus deliver temporary, specific access keys to A without giving
                                      them too much power. You can imagine an OAuth server as the key master
                                      in a big hotel; he gives to employees keys which open the doors of the
                                      rooms that they are supposed to enter, but each key is limited (it
                                      does not give access to all rooms); furthermore, the keys
                                      self-destruct after a few hours.



                                      To some extent, authorization can be abused into some
                                      pseudo-authentication, on the basis that if entity A obtains from B an
                                      access key through OAuth, and shows it to server S, then server S may
                                      infer that B authenticated A before granting the access key. So some
                                      people use OAuth where they should be using OpenID. This schema may or
                                      may not be enlightening; but I think this pseudo-authentication is
                                      more confusing than anything. OpenID Connect does just that: it abuses
                                      OAuth into an authentication protocol. In the hotel analogy: if I
                                      encounter a purported employee and that person shows me that he has a
                                      key which opens my room, then I suppose that this is a true employee,
                                      on the basis that the key master would not have given him a key which
                                      opens my room if he was not.




                                      (source)




                                      How is OpenID Connect different than OpenID 2.0?



                                      OpenID Connect performs many of the same tasks as OpenID 2.0, but does
                                      so in a way that is API-friendly, and usable by native and mobile
                                      applications. OpenID Connect defines optional mechanisms for robust
                                      signing and encryption. Whereas integration of OAuth 1.0a and OpenID
                                      2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.




                                      (source)




                                      OpenID connect will give you an access token plus an id token. The id
                                      token is a JWT and contains information about the authenticated user.
                                      It is signed by the identity provider and can be read and verified
                                      without accessing the identity provider.



                                      In addition, OpenID connect standardizes quite a couple things that
                                      oauth2 leaves up to choice. for instance scopes, endpoint discovery,
                                      and dynamic registration of clients.



                                      This makes it easier to write code that lets the user choose between
                                      multiple identity providers.




                                      (source)



                                      Google's OAuth 2.0




                                      Google's OAuth 2.0 APIs can be used for both authentication and
                                      authorization. This document describes our OAuth 2.0 implementation
                                      for authentication, which conforms to the OpenID Connect
                                      specification, and is OpenID Certified. The documentation found in
                                      Using OAuth 2.0 to Access Google APIs also applies to this service. If
                                      you want to explore this protocol interactively, we recommend the
                                      Google OAuth 2.0 Playground.




                                      (source)







                                      share|improve this answer














                                      share|improve this answer



                                      share|improve this answer








                                      edited Mar 17 '17 at 10:45









                                      Community

                                      11 silver badge




                                      11 silver badge










                                      answered Oct 30 '16 at 20:38









                                      artamonovdevartamonovdev

                                      2,5001 gold badge17 silver badges29 bronze badges




                                      2,5001 gold badge17 silver badges29 bronze badges










                                      • 2





                                        Nice Explanation. +1 for that.

                                        – Ataur Rahman Munna
                                        Aug 27 '17 at 6:57













                                      • 2





                                        Nice Explanation. +1 for that.

                                        – Ataur Rahman Munna
                                        Aug 27 '17 at 6:57








                                      2




                                      2





                                      Nice Explanation. +1 for that.

                                      – Ataur Rahman Munna
                                      Aug 27 '17 at 6:57






                                      Nice Explanation. +1 for that.

                                      – Ataur Rahman Munna
                                      Aug 27 '17 at 6:57












                                      11














                                      More an extension to the question than an answer, but it may add some perspective to the great technical answers above. I'm an experienced programmer in a number of areas, but a total noob to programming for the web. Now trying to build a web-based application using Zend Framework.



                                      Definitely will implement an application-specific basic username/password authentication interface, but recognize that for a growing number of users the thought of yet another username and password is a deterrent. While not exactly social networking, I know that a very large percentage of the application's potential users already have facebook or twitter accounts. The application doesn't really want or need to access information about the user's account from those sites, it just wants to offer the convenience of not requiring the user to set up new account credentials if they don't want to. From a functionality point of view, that would seem a poster child for OpenID. But it seems that neither facebook nor twitter are OpenID providers as such, though they do support OAuth authentication to access their user's data.



                                      In all the articles I've read about the two and how they differ, it wan't until I saw Karl Anderson's observation above, that "OAuth can be used for authentication, which can be thought of as a no-op authorization" that I saw any explicit confirmation that OAuth was good enough for what I wanted to do.



                                      In fact, when I went to post this "answer", not being a member at the time, I looked long and hard at the bottom of this page at the options for identifying myself. The option for using an OpenID login or obtaining one if I didn't have one, but nothing about twitter or facebook, seemed to suggest that OAuth wasn't adequate for the job. But then I opened another window and looked for the general signup process for stackoverflow - and lo and behold there's a slew of 3rd-party authentication options including facebook and twitter. In the end I decided to use my google id (which is an OpenID) for exactly the reason that I didn't want to grant stackoverflow access to my friends list and anything else facebook likes to share about its users - but at least it's a proof point that OAuth is adequate for the use I had in mind.



                                      It would really be great if someone could either post info or pointers to info about supporting this kind of multiple 3rd-part authorization setup, and how you deal with users that revoke authorization or lose access to their 3rd party site. I also get the impression that my username here identifies a unique stackoverflow account that I could access with basic authentication if I wanted to set it up, and also access this same account through other 3rd-party authenticators (e.g. so that I would be considered logged in to stackoverflow if I was logged in to any of google, facebook, or twitter...). Since this site is doing it, somebody here probably has some pretty good insight on the subject. :-)



                                      Sorry this was so long, and more a question than an answer - but Karl's remark made it seem like the most appropriate place to post amidst the volume of threads on OAuth and OpenID. If there's a better place for this that I didn't find, I apologize in advance, I did try.






                                      share|improve this answer































                                        11














                                        More an extension to the question than an answer, but it may add some perspective to the great technical answers above. I'm an experienced programmer in a number of areas, but a total noob to programming for the web. Now trying to build a web-based application using Zend Framework.



                                        Definitely will implement an application-specific basic username/password authentication interface, but recognize that for a growing number of users the thought of yet another username and password is a deterrent. While not exactly social networking, I know that a very large percentage of the application's potential users already have facebook or twitter accounts. The application doesn't really want or need to access information about the user's account from those sites, it just wants to offer the convenience of not requiring the user to set up new account credentials if they don't want to. From a functionality point of view, that would seem a poster child for OpenID. But it seems that neither facebook nor twitter are OpenID providers as such, though they do support OAuth authentication to access their user's data.



                                        In all the articles I've read about the two and how they differ, it wan't until I saw Karl Anderson's observation above, that "OAuth can be used for authentication, which can be thought of as a no-op authorization" that I saw any explicit confirmation that OAuth was good enough for what I wanted to do.



                                        In fact, when I went to post this "answer", not being a member at the time, I looked long and hard at the bottom of this page at the options for identifying myself. The option for using an OpenID login or obtaining one if I didn't have one, but nothing about twitter or facebook, seemed to suggest that OAuth wasn't adequate for the job. But then I opened another window and looked for the general signup process for stackoverflow - and lo and behold there's a slew of 3rd-party authentication options including facebook and twitter. In the end I decided to use my google id (which is an OpenID) for exactly the reason that I didn't want to grant stackoverflow access to my friends list and anything else facebook likes to share about its users - but at least it's a proof point that OAuth is adequate for the use I had in mind.



                                        It would really be great if someone could either post info or pointers to info about supporting this kind of multiple 3rd-part authorization setup, and how you deal with users that revoke authorization or lose access to their 3rd party site. I also get the impression that my username here identifies a unique stackoverflow account that I could access with basic authentication if I wanted to set it up, and also access this same account through other 3rd-party authenticators (e.g. so that I would be considered logged in to stackoverflow if I was logged in to any of google, facebook, or twitter...). Since this site is doing it, somebody here probably has some pretty good insight on the subject. :-)



                                        Sorry this was so long, and more a question than an answer - but Karl's remark made it seem like the most appropriate place to post amidst the volume of threads on OAuth and OpenID. If there's a better place for this that I didn't find, I apologize in advance, I did try.






                                        share|improve this answer





























                                          11












                                          11








                                          11







                                          More an extension to the question than an answer, but it may add some perspective to the great technical answers above. I'm an experienced programmer in a number of areas, but a total noob to programming for the web. Now trying to build a web-based application using Zend Framework.



                                          Definitely will implement an application-specific basic username/password authentication interface, but recognize that for a growing number of users the thought of yet another username and password is a deterrent. While not exactly social networking, I know that a very large percentage of the application's potential users already have facebook or twitter accounts. The application doesn't really want or need to access information about the user's account from those sites, it just wants to offer the convenience of not requiring the user to set up new account credentials if they don't want to. From a functionality point of view, that would seem a poster child for OpenID. But it seems that neither facebook nor twitter are OpenID providers as such, though they do support OAuth authentication to access their user's data.



                                          In all the articles I've read about the two and how they differ, it wan't until I saw Karl Anderson's observation above, that "OAuth can be used for authentication, which can be thought of as a no-op authorization" that I saw any explicit confirmation that OAuth was good enough for what I wanted to do.



                                          In fact, when I went to post this "answer", not being a member at the time, I looked long and hard at the bottom of this page at the options for identifying myself. The option for using an OpenID login or obtaining one if I didn't have one, but nothing about twitter or facebook, seemed to suggest that OAuth wasn't adequate for the job. But then I opened another window and looked for the general signup process for stackoverflow - and lo and behold there's a slew of 3rd-party authentication options including facebook and twitter. In the end I decided to use my google id (which is an OpenID) for exactly the reason that I didn't want to grant stackoverflow access to my friends list and anything else facebook likes to share about its users - but at least it's a proof point that OAuth is adequate for the use I had in mind.



                                          It would really be great if someone could either post info or pointers to info about supporting this kind of multiple 3rd-part authorization setup, and how you deal with users that revoke authorization or lose access to their 3rd party site. I also get the impression that my username here identifies a unique stackoverflow account that I could access with basic authentication if I wanted to set it up, and also access this same account through other 3rd-party authenticators (e.g. so that I would be considered logged in to stackoverflow if I was logged in to any of google, facebook, or twitter...). Since this site is doing it, somebody here probably has some pretty good insight on the subject. :-)



                                          Sorry this was so long, and more a question than an answer - but Karl's remark made it seem like the most appropriate place to post amidst the volume of threads on OAuth and OpenID. If there's a better place for this that I didn't find, I apologize in advance, I did try.






                                          share|improve this answer















                                          More an extension to the question than an answer, but it may add some perspective to the great technical answers above. I'm an experienced programmer in a number of areas, but a total noob to programming for the web. Now trying to build a web-based application using Zend Framework.



                                          Definitely will implement an application-specific basic username/password authentication interface, but recognize that for a growing number of users the thought of yet another username and password is a deterrent. While not exactly social networking, I know that a very large percentage of the application's potential users already have facebook or twitter accounts. The application doesn't really want or need to access information about the user's account from those sites, it just wants to offer the convenience of not requiring the user to set up new account credentials if they don't want to. From a functionality point of view, that would seem a poster child for OpenID. But it seems that neither facebook nor twitter are OpenID providers as such, though they do support OAuth authentication to access their user's data.



                                          In all the articles I've read about the two and how they differ, it wan't until I saw Karl Anderson's observation above, that "OAuth can be used for authentication, which can be thought of as a no-op authorization" that I saw any explicit confirmation that OAuth was good enough for what I wanted to do.



                                          In fact, when I went to post this "answer", not being a member at the time, I looked long and hard at the bottom of this page at the options for identifying myself. The option for using an OpenID login or obtaining one if I didn't have one, but nothing about twitter or facebook, seemed to suggest that OAuth wasn't adequate for the job. But then I opened another window and looked for the general signup process for stackoverflow - and lo and behold there's a slew of 3rd-party authentication options including facebook and twitter. In the end I decided to use my google id (which is an OpenID) for exactly the reason that I didn't want to grant stackoverflow access to my friends list and anything else facebook likes to share about its users - but at least it's a proof point that OAuth is adequate for the use I had in mind.



                                          It would really be great if someone could either post info or pointers to info about supporting this kind of multiple 3rd-part authorization setup, and how you deal with users that revoke authorization or lose access to their 3rd party site. I also get the impression that my username here identifies a unique stackoverflow account that I could access with basic authentication if I wanted to set it up, and also access this same account through other 3rd-party authenticators (e.g. so that I would be considered logged in to stackoverflow if I was logged in to any of google, facebook, or twitter...). Since this site is doing it, somebody here probably has some pretty good insight on the subject. :-)



                                          Sorry this was so long, and more a question than an answer - but Karl's remark made it seem like the most appropriate place to post amidst the volume of threads on OAuth and OpenID. If there's a better place for this that I didn't find, I apologize in advance, I did try.







                                          share|improve this answer














                                          share|improve this answer



                                          share|improve this answer








                                          edited Oct 6 '10 at 6:46

























                                          answered Oct 6 '10 at 6:41









                                          sootsnootsootsnoot

                                          1,3453 gold badges16 silver badges22 bronze badges




                                          1,3453 gold badges16 silver badges22 bronze badges
























                                              9















                                              • OpenID is an open standard and decentralized authentication protocol controlled by the OpenID Foundation.


                                              • OAuth is an open standard for access delegation.


                                              • OpenID Connect (OIDC) Combines the features of OpenID and OAuth i.e. does both Authentication and Authorization.

                                              OpenID take the form of a unique URI managed by some "OpenID provider" i.e identity provider (idP).



                                              OAuth can be used in conjunction with XACML where OAuth is used for ownership consent and access delegation whereas XACML is used to define the authorization policies.



                                              OIDC uses simple JSON Web Tokens (JWT), which you can obtain using flows conforming to the OAuth 2.0 specifications. OAuth is directly related to OIDC since OIDC is an authentication layer built on top of OAuth 2.0.



                                              enter image description here



                                              For example, if you chose to sign in to Auth0 using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize Auth0 to access your information, Google will send back to Auth0 information about the user and the authentication performed. This information is returned in a JSON Web Token (JWT). You'll receive an Access Token and, if requested, an ID Token. Types of Token : Source: OpenID Connect



                                              Analogy:

                                              An Organisation use ID card for identification purpose and it contains chips, it stores details about Employee along with Authorization i.e. Campus/Gate/ODC access. ID Card act as a OIDC and Chip act as a OAuth. more examples and form wiki






                                              share|improve this answer































                                                9















                                                • OpenID is an open standard and decentralized authentication protocol controlled by the OpenID Foundation.


                                                • OAuth is an open standard for access delegation.


                                                • OpenID Connect (OIDC) Combines the features of OpenID and OAuth i.e. does both Authentication and Authorization.

                                                OpenID take the form of a unique URI managed by some "OpenID provider" i.e identity provider (idP).



                                                OAuth can be used in conjunction with XACML where OAuth is used for ownership consent and access delegation whereas XACML is used to define the authorization policies.



                                                OIDC uses simple JSON Web Tokens (JWT), which you can obtain using flows conforming to the OAuth 2.0 specifications. OAuth is directly related to OIDC since OIDC is an authentication layer built on top of OAuth 2.0.



                                                enter image description here



                                                For example, if you chose to sign in to Auth0 using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize Auth0 to access your information, Google will send back to Auth0 information about the user and the authentication performed. This information is returned in a JSON Web Token (JWT). You'll receive an Access Token and, if requested, an ID Token. Types of Token : Source: OpenID Connect



                                                Analogy:

                                                An Organisation use ID card for identification purpose and it contains chips, it stores details about Employee along with Authorization i.e. Campus/Gate/ODC access. ID Card act as a OIDC and Chip act as a OAuth. more examples and form wiki






                                                share|improve this answer





























                                                  9












                                                  9








                                                  9








                                                  • OpenID is an open standard and decentralized authentication protocol controlled by the OpenID Foundation.


                                                  • OAuth is an open standard for access delegation.


                                                  • OpenID Connect (OIDC) Combines the features of OpenID and OAuth i.e. does both Authentication and Authorization.

                                                  OpenID take the form of a unique URI managed by some "OpenID provider" i.e identity provider (idP).



                                                  OAuth can be used in conjunction with XACML where OAuth is used for ownership consent and access delegation whereas XACML is used to define the authorization policies.



                                                  OIDC uses simple JSON Web Tokens (JWT), which you can obtain using flows conforming to the OAuth 2.0 specifications. OAuth is directly related to OIDC since OIDC is an authentication layer built on top of OAuth 2.0.



                                                  enter image description here



                                                  For example, if you chose to sign in to Auth0 using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize Auth0 to access your information, Google will send back to Auth0 information about the user and the authentication performed. This information is returned in a JSON Web Token (JWT). You'll receive an Access Token and, if requested, an ID Token. Types of Token : Source: OpenID Connect



                                                  Analogy:

                                                  An Organisation use ID card for identification purpose and it contains chips, it stores details about Employee along with Authorization i.e. Campus/Gate/ODC access. ID Card act as a OIDC and Chip act as a OAuth. more examples and form wiki






                                                  share|improve this answer
















                                                  • OpenID is an open standard and decentralized authentication protocol controlled by the OpenID Foundation.


                                                  • OAuth is an open standard for access delegation.


                                                  • OpenID Connect (OIDC) Combines the features of OpenID and OAuth i.e. does both Authentication and Authorization.

                                                  OpenID take the form of a unique URI managed by some "OpenID provider" i.e identity provider (idP).



                                                  OAuth can be used in conjunction with XACML where OAuth is used for ownership consent and access delegation whereas XACML is used to define the authorization policies.



                                                  OIDC uses simple JSON Web Tokens (JWT), which you can obtain using flows conforming to the OAuth 2.0 specifications. OAuth is directly related to OIDC since OIDC is an authentication layer built on top of OAuth 2.0.



                                                  enter image description here



                                                  For example, if you chose to sign in to Auth0 using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize Auth0 to access your information, Google will send back to Auth0 information about the user and the authentication performed. This information is returned in a JSON Web Token (JWT). You'll receive an Access Token and, if requested, an ID Token. Types of Token : Source: OpenID Connect



                                                  Analogy:

                                                  An Organisation use ID card for identification purpose and it contains chips, it stores details about Employee along with Authorization i.e. Campus/Gate/ODC access. ID Card act as a OIDC and Chip act as a OAuth. more examples and form wiki







                                                  share|improve this answer














                                                  share|improve this answer



                                                  share|improve this answer








                                                  edited Mar 27 at 1:11

























                                                  answered Jul 26 '18 at 1:38









                                                  PremrajPremraj

                                                  36.1k17 gold badges173 silver badges125 bronze badges




                                                  36.1k17 gold badges173 silver badges125 bronze badges
























                                                      3














                                                      OpenID proves who you are.



                                                      OAuth grants access to the features provided by the authorizing party.






                                                      share|improve this answer






















                                                      • 1





                                                        OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ?

                                                        – Hassan Tareq
                                                        Jun 21 '17 at 1:57















                                                      3














                                                      OpenID proves who you are.



                                                      OAuth grants access to the features provided by the authorizing party.






                                                      share|improve this answer






















                                                      • 1





                                                        OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ?

                                                        – Hassan Tareq
                                                        Jun 21 '17 at 1:57













                                                      3












                                                      3








                                                      3







                                                      OpenID proves who you are.



                                                      OAuth grants access to the features provided by the authorizing party.






                                                      share|improve this answer















                                                      OpenID proves who you are.



                                                      OAuth grants access to the features provided by the authorizing party.







                                                      share|improve this answer














                                                      share|improve this answer



                                                      share|improve this answer








                                                      edited Jul 25 '18 at 12:49









                                                      Berkant

                                                      3643 silver badges12 bronze badges




                                                      3643 silver badges12 bronze badges










                                                      answered Dec 26 '15 at 11:41









                                                      Fiery Wolf - LeviFiery Wolf - Levi

                                                      312 bronze badges




                                                      312 bronze badges










                                                      • 1





                                                        OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ?

                                                        – Hassan Tareq
                                                        Jun 21 '17 at 1:57












                                                      • 1





                                                        OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ?

                                                        – Hassan Tareq
                                                        Jun 21 '17 at 1:57







                                                      1




                                                      1





                                                      OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ?

                                                      – Hassan Tareq
                                                      Jun 21 '17 at 1:57





                                                      OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ?

                                                      – Hassan Tareq
                                                      Jun 21 '17 at 1:57











                                                      1














                                                      I am currently working on OAuth 2.0 and OpenID connect spec. So here is my understanding:
                                                      Earlier they were:



                                                      1. OpenID was proprietary implementation of Google allowing third party applications like for newspaper websites you can login using google and comment on an article and so on other usecases. So essentially, no password sharing to newspaper website. Let me put up a definition here, this approach in enterprise approach is called Federation. In Federation, You have a server where you authenticate and authorize (called IDP, Identity Provider) and generally the keeper of User credentials. the client application where you have business is called SP or Service Provider. If we go back to same newspaper website example then newspaper website is SP here and Google is IDP. In enterprise this problem was earlier solved using SAML. that time XML used to rule the software industry. So from webservices to configuration, everything used to go to XML so we have SAML, a complete Federation protocol


                                                      2. OAuth: OAuth saw it's emergence as an standard looking at all these kind of proprietary approaches and so we had OAuth 1.o as standard but addressing only authorization. Not many people noticed but it kind of started picking up. Then we had OAuth 2.0 in 2012. CTOs, Architects really started paying attention as world is moving towards Cloud computing and with computing devices moving towards mobile and other such devices. OAuth kind of looked upon as solving major problem where software customers might give IDP Service to one company and have many services from different vendors like salesforce, SAP, etc. So integration here really looks like federation scenario bit one big problem, using SAML is costly so let's explore OAuth 2.o. Ohh, missed one important point that during this time, Google sensed that OAuth actually doesn't address Authentication, how will IDP give user data to SP (which is actually wonderfully addressed in SAML) and with other loose ends like:



                                                        a. OAuth 2.o doesn't clearly say, how client registration will happen
                                                        b. it doesn't mention anything about the interaction between SP (Resource Server) and client application (like Analytics Server providing data is Resource Server and application displaying that data is Client)



                                                      There are already wonderful answers given here technically, I thought of giving of giving brief evolution perspective






                                                      share|improve this answer































                                                        1














                                                        I am currently working on OAuth 2.0 and OpenID connect spec. So here is my understanding:
                                                        Earlier they were:



                                                        1. OpenID was proprietary implementation of Google allowing third party applications like for newspaper websites you can login using google and comment on an article and so on other usecases. So essentially, no password sharing to newspaper website. Let me put up a definition here, this approach in enterprise approach is called Federation. In Federation, You have a server where you authenticate and authorize (called IDP, Identity Provider) and generally the keeper of User credentials. the client application where you have business is called SP or Service Provider. If we go back to same newspaper website example then newspaper website is SP here and Google is IDP. In enterprise this problem was earlier solved using SAML. that time XML used to rule the software industry. So from webservices to configuration, everything used to go to XML so we have SAML, a complete Federation protocol


                                                        2. OAuth: OAuth saw it's emergence as an standard looking at all these kind of proprietary approaches and so we had OAuth 1.o as standard but addressing only authorization. Not many people noticed but it kind of started picking up. Then we had OAuth 2.0 in 2012. CTOs, Architects really started paying attention as world is moving towards Cloud computing and with computing devices moving towards mobile and other such devices. OAuth kind of looked upon as solving major problem where software customers might give IDP Service to one company and have many services from different vendors like salesforce, SAP, etc. So integration here really looks like federation scenario bit one big problem, using SAML is costly so let's explore OAuth 2.o. Ohh, missed one important point that during this time, Google sensed that OAuth actually doesn't address Authentication, how will IDP give user data to SP (which is actually wonderfully addressed in SAML) and with other loose ends like:



                                                          a. OAuth 2.o doesn't clearly say, how client registration will happen
                                                          b. it doesn't mention anything about the interaction between SP (Resource Server) and client application (like Analytics Server providing data is Resource Server and application displaying that data is Client)



                                                        There are already wonderful answers given here technically, I thought of giving of giving brief evolution perspective






                                                        share|improve this answer





























                                                          1












                                                          1








                                                          1







                                                          I am currently working on OAuth 2.0 and OpenID connect spec. So here is my understanding:
                                                          Earlier they were:



                                                          1. OpenID was proprietary implementation of Google allowing third party applications like for newspaper websites you can login using google and comment on an article and so on other usecases. So essentially, no password sharing to newspaper website. Let me put up a definition here, this approach in enterprise approach is called Federation. In Federation, You have a server where you authenticate and authorize (called IDP, Identity Provider) and generally the keeper of User credentials. the client application where you have business is called SP or Service Provider. If we go back to same newspaper website example then newspaper website is SP here and Google is IDP. In enterprise this problem was earlier solved using SAML. that time XML used to rule the software industry. So from webservices to configuration, everything used to go to XML so we have SAML, a complete Federation protocol


                                                          2. OAuth: OAuth saw it's emergence as an standard looking at all these kind of proprietary approaches and so we had OAuth 1.o as standard but addressing only authorization. Not many people noticed but it kind of started picking up. Then we had OAuth 2.0 in 2012. CTOs, Architects really started paying attention as world is moving towards Cloud computing and with computing devices moving towards mobile and other such devices. OAuth kind of looked upon as solving major problem where software customers might give IDP Service to one company and have many services from different vendors like salesforce, SAP, etc. So integration here really looks like federation scenario bit one big problem, using SAML is costly so let's explore OAuth 2.o. Ohh, missed one important point that during this time, Google sensed that OAuth actually doesn't address Authentication, how will IDP give user data to SP (which is actually wonderfully addressed in SAML) and with other loose ends like:



                                                            a. OAuth 2.o doesn't clearly say, how client registration will happen
                                                            b. it doesn't mention anything about the interaction between SP (Resource Server) and client application (like Analytics Server providing data is Resource Server and application displaying that data is Client)



                                                          There are already wonderful answers given here technically, I thought of giving of giving brief evolution perspective






                                                          share|improve this answer















                                                          I am currently working on OAuth 2.0 and OpenID connect spec. So here is my understanding:
                                                          Earlier they were:



                                                          1. OpenID was proprietary implementation of Google allowing third party applications like for newspaper websites you can login using google and comment on an article and so on other usecases. So essentially, no password sharing to newspaper website. Let me put up a definition here, this approach in enterprise approach is called Federation. In Federation, You have a server where you authenticate and authorize (called IDP, Identity Provider) and generally the keeper of User credentials. the client application where you have business is called SP or Service Provider. If we go back to same newspaper website example then newspaper website is SP here and Google is IDP. In enterprise this problem was earlier solved using SAML. that time XML used to rule the software industry. So from webservices to configuration, everything used to go to XML so we have SAML, a complete Federation protocol


                                                          2. OAuth: OAuth saw it's emergence as an standard looking at all these kind of proprietary approaches and so we had OAuth 1.o as standard but addressing only authorization. Not many people noticed but it kind of started picking up. Then we had OAuth 2.0 in 2012. CTOs, Architects really started paying attention as world is moving towards Cloud computing and with computing devices moving towards mobile and other such devices. OAuth kind of looked upon as solving major problem where software customers might give IDP Service to one company and have many services from different vendors like salesforce, SAP, etc. So integration here really looks like federation scenario bit one big problem, using SAML is costly so let's explore OAuth 2.o. Ohh, missed one important point that during this time, Google sensed that OAuth actually doesn't address Authentication, how will IDP give user data to SP (which is actually wonderfully addressed in SAML) and with other loose ends like:



                                                            a. OAuth 2.o doesn't clearly say, how client registration will happen
                                                            b. it doesn't mention anything about the interaction between SP (Resource Server) and client application (like Analytics Server providing data is Resource Server and application displaying that data is Client)



                                                          There are already wonderful answers given here technically, I thought of giving of giving brief evolution perspective







                                                          share|improve this answer














                                                          share|improve this answer



                                                          share|improve this answer








                                                          edited Aug 27 '17 at 19:24

























                                                          answered Mar 16 '17 at 19:16









                                                          dvsakgecdvsakgec

                                                          9991 gold badge13 silver badges21 bronze badges




                                                          9991 gold badge13 silver badges21 bronze badges
























                                                              0














                                                              OpenId uses OAuth to deal with authentication.



                                                              By analogy, it's like .NET relies on Windows API. You could directly call Windows API but it's so wide, complex and method arguments so vast, you could easily make mistakes/bugs/security issue.



                                                              Same with OpenId/OAuth. OpenId relies on OAuth to manage Authentication but defining a specific Token (Id_token), digital signature and particular flows.






                                                              share|improve this answer





























                                                                0














                                                                OpenId uses OAuth to deal with authentication.



                                                                By analogy, it's like .NET relies on Windows API. You could directly call Windows API but it's so wide, complex and method arguments so vast, you could easily make mistakes/bugs/security issue.



                                                                Same with OpenId/OAuth. OpenId relies on OAuth to manage Authentication but defining a specific Token (Id_token), digital signature and particular flows.






                                                                share|improve this answer



























                                                                  0












                                                                  0








                                                                  0







                                                                  OpenId uses OAuth to deal with authentication.



                                                                  By analogy, it's like .NET relies on Windows API. You could directly call Windows API but it's so wide, complex and method arguments so vast, you could easily make mistakes/bugs/security issue.



                                                                  Same with OpenId/OAuth. OpenId relies on OAuth to manage Authentication but defining a specific Token (Id_token), digital signature and particular flows.






                                                                  share|improve this answer













                                                                  OpenId uses OAuth to deal with authentication.



                                                                  By analogy, it's like .NET relies on Windows API. You could directly call Windows API but it's so wide, complex and method arguments so vast, you could easily make mistakes/bugs/security issue.



                                                                  Same with OpenId/OAuth. OpenId relies on OAuth to manage Authentication but defining a specific Token (Id_token), digital signature and particular flows.







                                                                  share|improve this answer












                                                                  share|improve this answer



                                                                  share|improve this answer










                                                                  answered Aug 27 '17 at 12:52









                                                                  JeromeJerome

                                                                  32 bronze badges




                                                                  32 bronze badges
























                                                                      0














                                                                      I'd like to address a particular aspect of this question, as captured in this comment:




                                                                      OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ? – Hassan Makarov Jun 21 at 1:57




                                                                      Yes... and no. The answer is subtle, so bear with me.



                                                                      When the OAuth flow redirects you to a target service (the OAuth provider, that is), it is likely that you'll need to authenticate with that service before a token will be handed back to the client application/service. The resulting token then allows the client app to make requests on behalf of a given user.



                                                                      Note the generality of that last sentence: specifically, I wrote "on behalf of a given user", not "on behalf of you". It's a common error to assume that "having a capability to interact with a resource owned by a given user" implies "you and the owner of the target resource(s) are one in the same".



                                                                      Don't make this mistake.



                                                                      While it's true that you authenticate with the OAuth provider (say, by user name and password, or maybe SSL client certs, or some other means), what the client gets in return should not necessarily be taken as proof of identity. An example would be a flow in which access to another user's resources was delegated to you (and by proxy, the OAuth client). Authorization does not imply authentication.



                                                                      To handle authentication, you'll likely want to look into OpenID Connect, which is essentially another layer on top of the foundation set by OAuth 2.0. Here's a quote that captures (in my opinion) the most salient points regarding OpenID Connect (from https://oauth.net/articles/authentication/):




                                                                      OpenID Connect is an open standard published in early 2014 that defines an interoperable way to use OAuth 2.0 to perform user authentication. In essence, it is a widely published recipe for chocolate fudge that has been tried and tested by a wide number and variety of experts. Instead of building a different protocol to each potential identity provider, an application can speak one protocol to as many providers as they want to work with. Since it's an open standard, OpenID Connect can be implemented by anyone without restriction or intellectual property concerns.



                                                                      OpenID Connect is built directly on OAuth 2.0 and in most cases is deployed right along with (or on top of) an OAuth infrastructure. OpenID Connect also uses the JSON Object Signing And Encryption (JOSE) suite of specifications for carrying signed and encrypted information around in different places. In fact, an OAuth 2.0 deployment with JOSE capabilities is already a long way to defining a fully compliant OpenID Connect system, and the delta between the two is relatively small. But that delta makes a big difference, and OpenID Connect manages to avoid many of the pitfalls discussed above by adding several key components to the OAuth base: [...]




                                                                      The document then goes on to describe (among other things) token IDs and a UserInfo endpoint. The former provides a set of claims (who you are, when the token was issued, etc, and possibly a signature to verify the authenticity of the token via a published public key without having to ask the upstream service), and the latter provides a means of e.g. asking for the user's first/last name, email, and similar bits of info, all in a standardized way (as opposed to the ad-hoc extensions to OAuth that people used before OpenID Connect standardized things).






                                                                      share|improve this answer





























                                                                        0














                                                                        I'd like to address a particular aspect of this question, as captured in this comment:




                                                                        OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ? – Hassan Makarov Jun 21 at 1:57




                                                                        Yes... and no. The answer is subtle, so bear with me.



                                                                        When the OAuth flow redirects you to a target service (the OAuth provider, that is), it is likely that you'll need to authenticate with that service before a token will be handed back to the client application/service. The resulting token then allows the client app to make requests on behalf of a given user.



                                                                        Note the generality of that last sentence: specifically, I wrote "on behalf of a given user", not "on behalf of you". It's a common error to assume that "having a capability to interact with a resource owned by a given user" implies "you and the owner of the target resource(s) are one in the same".



                                                                        Don't make this mistake.



                                                                        While it's true that you authenticate with the OAuth provider (say, by user name and password, or maybe SSL client certs, or some other means), what the client gets in return should not necessarily be taken as proof of identity. An example would be a flow in which access to another user's resources was delegated to you (and by proxy, the OAuth client). Authorization does not imply authentication.



                                                                        To handle authentication, you'll likely want to look into OpenID Connect, which is essentially another layer on top of the foundation set by OAuth 2.0. Here's a quote that captures (in my opinion) the most salient points regarding OpenID Connect (from https://oauth.net/articles/authentication/):




                                                                        OpenID Connect is an open standard published in early 2014 that defines an interoperable way to use OAuth 2.0 to perform user authentication. In essence, it is a widely published recipe for chocolate fudge that has been tried and tested by a wide number and variety of experts. Instead of building a different protocol to each potential identity provider, an application can speak one protocol to as many providers as they want to work with. Since it's an open standard, OpenID Connect can be implemented by anyone without restriction or intellectual property concerns.



                                                                        OpenID Connect is built directly on OAuth 2.0 and in most cases is deployed right along with (or on top of) an OAuth infrastructure. OpenID Connect also uses the JSON Object Signing And Encryption (JOSE) suite of specifications for carrying signed and encrypted information around in different places. In fact, an OAuth 2.0 deployment with JOSE capabilities is already a long way to defining a fully compliant OpenID Connect system, and the delta between the two is relatively small. But that delta makes a big difference, and OpenID Connect manages to avoid many of the pitfalls discussed above by adding several key components to the OAuth base: [...]




                                                                        The document then goes on to describe (among other things) token IDs and a UserInfo endpoint. The former provides a set of claims (who you are, when the token was issued, etc, and possibly a signature to verify the authenticity of the token via a published public key without having to ask the upstream service), and the latter provides a means of e.g. asking for the user's first/last name, email, and similar bits of info, all in a standardized way (as opposed to the ad-hoc extensions to OAuth that people used before OpenID Connect standardized things).






                                                                        share|improve this answer



























                                                                          0












                                                                          0








                                                                          0







                                                                          I'd like to address a particular aspect of this question, as captured in this comment:




                                                                          OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ? – Hassan Makarov Jun 21 at 1:57




                                                                          Yes... and no. The answer is subtle, so bear with me.



                                                                          When the OAuth flow redirects you to a target service (the OAuth provider, that is), it is likely that you'll need to authenticate with that service before a token will be handed back to the client application/service. The resulting token then allows the client app to make requests on behalf of a given user.



                                                                          Note the generality of that last sentence: specifically, I wrote "on behalf of a given user", not "on behalf of you". It's a common error to assume that "having a capability to interact with a resource owned by a given user" implies "you and the owner of the target resource(s) are one in the same".



                                                                          Don't make this mistake.



                                                                          While it's true that you authenticate with the OAuth provider (say, by user name and password, or maybe SSL client certs, or some other means), what the client gets in return should not necessarily be taken as proof of identity. An example would be a flow in which access to another user's resources was delegated to you (and by proxy, the OAuth client). Authorization does not imply authentication.



                                                                          To handle authentication, you'll likely want to look into OpenID Connect, which is essentially another layer on top of the foundation set by OAuth 2.0. Here's a quote that captures (in my opinion) the most salient points regarding OpenID Connect (from https://oauth.net/articles/authentication/):




                                                                          OpenID Connect is an open standard published in early 2014 that defines an interoperable way to use OAuth 2.0 to perform user authentication. In essence, it is a widely published recipe for chocolate fudge that has been tried and tested by a wide number and variety of experts. Instead of building a different protocol to each potential identity provider, an application can speak one protocol to as many providers as they want to work with. Since it's an open standard, OpenID Connect can be implemented by anyone without restriction or intellectual property concerns.



                                                                          OpenID Connect is built directly on OAuth 2.0 and in most cases is deployed right along with (or on top of) an OAuth infrastructure. OpenID Connect also uses the JSON Object Signing And Encryption (JOSE) suite of specifications for carrying signed and encrypted information around in different places. In fact, an OAuth 2.0 deployment with JOSE capabilities is already a long way to defining a fully compliant OpenID Connect system, and the delta between the two is relatively small. But that delta makes a big difference, and OpenID Connect manages to avoid many of the pitfalls discussed above by adding several key components to the OAuth base: [...]




                                                                          The document then goes on to describe (among other things) token IDs and a UserInfo endpoint. The former provides a set of claims (who you are, when the token was issued, etc, and possibly a signature to verify the authenticity of the token via a published public key without having to ask the upstream service), and the latter provides a means of e.g. asking for the user's first/last name, email, and similar bits of info, all in a standardized way (as opposed to the ad-hoc extensions to OAuth that people used before OpenID Connect standardized things).






                                                                          share|improve this answer













                                                                          I'd like to address a particular aspect of this question, as captured in this comment:




                                                                          OAuth: before granting access to some feature, authentication must be done, right ?. so OAuth = what OpenId does + grants access to some features ? – Hassan Makarov Jun 21 at 1:57




                                                                          Yes... and no. The answer is subtle, so bear with me.



                                                                          When the OAuth flow redirects you to a target service (the OAuth provider, that is), it is likely that you'll need to authenticate with that service before a token will be handed back to the client application/service. The resulting token then allows the client app to make requests on behalf of a given user.



                                                                          Note the generality of that last sentence: specifically, I wrote "on behalf of a given user", not "on behalf of you". It's a common error to assume that "having a capability to interact with a resource owned by a given user" implies "you and the owner of the target resource(s) are one in the same".



                                                                          Don't make this mistake.



                                                                          While it's true that you authenticate with the OAuth provider (say, by user name and password, or maybe SSL client certs, or some other means), what the client gets in return should not necessarily be taken as proof of identity. An example would be a flow in which access to another user's resources was delegated to you (and by proxy, the OAuth client). Authorization does not imply authentication.



                                                                          To handle authentication, you'll likely want to look into OpenID Connect, which is essentially another layer on top of the foundation set by OAuth 2.0. Here's a quote that captures (in my opinion) the most salient points regarding OpenID Connect (from https://oauth.net/articles/authentication/):




                                                                          OpenID Connect is an open standard published in early 2014 that defines an interoperable way to use OAuth 2.0 to perform user authentication. In essence, it is a widely published recipe for chocolate fudge that has been tried and tested by a wide number and variety of experts. Instead of building a different protocol to each potential identity provider, an application can speak one protocol to as many providers as they want to work with. Since it's an open standard, OpenID Connect can be implemented by anyone without restriction or intellectual property concerns.



                                                                          OpenID Connect is built directly on OAuth 2.0 and in most cases is deployed right along with (or on top of) an OAuth infrastructure. OpenID Connect also uses the JSON Object Signing And Encryption (JOSE) suite of specifications for carrying signed and encrypted information around in different places. In fact, an OAuth 2.0 deployment with JOSE capabilities is already a long way to defining a fully compliant OpenID Connect system, and the delta between the two is relatively small. But that delta makes a big difference, and OpenID Connect manages to avoid many of the pitfalls discussed above by adding several key components to the OAuth base: [...]




                                                                          The document then goes on to describe (among other things) token IDs and a UserInfo endpoint. The former provides a set of claims (who you are, when the token was issued, etc, and possibly a signature to verify the authenticity of the token via a published public key without having to ask the upstream service), and the latter provides a means of e.g. asking for the user's first/last name, email, and similar bits of info, all in a standardized way (as opposed to the ad-hoc extensions to OAuth that people used before OpenID Connect standardized things).







                                                                          share|improve this answer












                                                                          share|improve this answer



                                                                          share|improve this answer










                                                                          answered Aug 31 '17 at 19:46









                                                                          CharlesCharles

                                                                          4,2314 gold badges42 silver badges64 bronze badges




                                                                          4,2314 gold badges42 silver badges64 bronze badges
























                                                                              0














                                                                              Both protocols were created for different reasons. OAuth was created to authorize third parties to access resources. OpenID was created to perform decentralize identity validation. This website states the following:



                                                                              OAuth is a protocol designed to verify the identity of an end-user and to grant permissions to a third party. This verification results in a token. The third party can use this token to access resources on the user’s behalf. Tokens have a scope. The scope is used to verify whether a resource is accessible to a user, or not



                                                                              OpenID is a protocol used for decentralised authentication. Authentication is about identity; Establishing the user is in fact the person who he claims to be. Decentralising that, means this service is unaware of the existence of any resources or applications that need to be protected. That’s the key difference between OAuth and OpenID.






                                                                              share|improve this answer





























                                                                                0














                                                                                Both protocols were created for different reasons. OAuth was created to authorize third parties to access resources. OpenID was created to perform decentralize identity validation. This website states the following:



                                                                                OAuth is a protocol designed to verify the identity of an end-user and to grant permissions to a third party. This verification results in a token. The third party can use this token to access resources on the user’s behalf. Tokens have a scope. The scope is used to verify whether a resource is accessible to a user, or not



                                                                                OpenID is a protocol used for decentralised authentication. Authentication is about identity; Establishing the user is in fact the person who he claims to be. Decentralising that, means this service is unaware of the existence of any resources or applications that need to be protected. That’s the key difference between OAuth and OpenID.






                                                                                share|improve this answer



























                                                                                  0












                                                                                  0








                                                                                  0







                                                                                  Both protocols were created for different reasons. OAuth was created to authorize third parties to access resources. OpenID was created to perform decentralize identity validation. This website states the following:



                                                                                  OAuth is a protocol designed to verify the identity of an end-user and to grant permissions to a third party. This verification results in a token. The third party can use this token to access resources on the user’s behalf. Tokens have a scope. The scope is used to verify whether a resource is accessible to a user, or not



                                                                                  OpenID is a protocol used for decentralised authentication. Authentication is about identity; Establishing the user is in fact the person who he claims to be. Decentralising that, means this service is unaware of the existence of any resources or applications that need to be protected. That’s the key difference between OAuth and OpenID.






                                                                                  share|improve this answer













                                                                                  Both protocols were created for different reasons. OAuth was created to authorize third parties to access resources. OpenID was created to perform decentralize identity validation. This website states the following:



                                                                                  OAuth is a protocol designed to verify the identity of an end-user and to grant permissions to a third party. This verification results in a token. The third party can use this token to access resources on the user’s behalf. Tokens have a scope. The scope is used to verify whether a resource is accessible to a user, or not



                                                                                  OpenID is a protocol used for decentralised authentication. Authentication is about identity; Establishing the user is in fact the person who he claims to be. Decentralising that, means this service is unaware of the existence of any resources or applications that need to be protected. That’s the key difference between OAuth and OpenID.







                                                                                  share|improve this answer












                                                                                  share|improve this answer



                                                                                  share|improve this answer










                                                                                  answered Nov 5 '18 at 19:48









                                                                                  Albert StarreveldAlbert Starreveld

                                                                                  1




                                                                                  1
























                                                                                      0














                                                                                      OAuth 2.0 is a Security protocol. It is NEITHER an Authentication NOR an Authorization protocol.



                                                                                      Authentication by definition the answers two questions.



                                                                                      1. Who is the user?

                                                                                      2. Is the user currently present on the system?

                                                                                      OAuth 2.0 has the following grant types



                                                                                      • client_credentials: When one app needs to interact with another app and modify the data of multiple users.

                                                                                      • authorization_code: User delegates the Authorization server to issue an access_token that the client can use to access protected resource

                                                                                      • refresh_token: When the access_token expires, the refresh token can be leveraged to get a fresh access_token

                                                                                      • password: User provides their login credentials to a client that calls the Authorization server and receives an access_token

                                                                                      All 4 have one thing in common, access_token, an artifact that can be used to access protected resource.



                                                                                      The access_token does not provide the answer to the 2 questions that an "Authentication" protocol must answer.



                                                                                      An example to explain Oauth 2.0 (credits: OAuth 2 in Action, Manning publications)



                                                                                      Let's talk about chocolate. We can make many confections out of chocolate including, fudge, ice cream, and cake. But, none of these can be equated to chocolate because multiple other ingredients such as cream and bread are needed to make the confection, even though chocolate sounds like the main ingredient. Similarly, OAuth 2.0 is the chocolate, and cookies, TLS infrastucture, Identity Providers are other ingredients that are required to provide the "Authentication" functionality.



                                                                                      If you want Authentication, you may go for OpenID Connect, which provides an "id_token", apart from an access_token, that answers the questions that every authentication protocol must answer.






                                                                                      share|improve this answer





























                                                                                        0














                                                                                        OAuth 2.0 is a Security protocol. It is NEITHER an Authentication NOR an Authorization protocol.



                                                                                        Authentication by definition the answers two questions.



                                                                                        1. Who is the user?

                                                                                        2. Is the user currently present on the system?

                                                                                        OAuth 2.0 has the following grant types



                                                                                        • client_credentials: When one app needs to interact with another app and modify the data of multiple users.

                                                                                        • authorization_code: User delegates the Authorization server to issue an access_token that the client can use to access protected resource

                                                                                        • refresh_token: When the access_token expires, the refresh token can be leveraged to get a fresh access_token

                                                                                        • password: User provides their login credentials to a client that calls the Authorization server and receives an access_token

                                                                                        All 4 have one thing in common, access_token, an artifact that can be used to access protected resource.



                                                                                        The access_token does not provide the answer to the 2 questions that an "Authentication" protocol must answer.



                                                                                        An example to explain Oauth 2.0 (credits: OAuth 2 in Action, Manning publications)



                                                                                        Let's talk about chocolate. We can make many confections out of chocolate including, fudge, ice cream, and cake. But, none of these can be equated to chocolate because multiple other ingredients such as cream and bread are needed to make the confection, even though chocolate sounds like the main ingredient. Similarly, OAuth 2.0 is the chocolate, and cookies, TLS infrastucture, Identity Providers are other ingredients that are required to provide the "Authentication" functionality.



                                                                                        If you want Authentication, you may go for OpenID Connect, which provides an "id_token", apart from an access_token, that answers the questions that every authentication protocol must answer.






                                                                                        share|improve this answer



























                                                                                          0












                                                                                          0








                                                                                          0







                                                                                          OAuth 2.0 is a Security protocol. It is NEITHER an Authentication NOR an Authorization protocol.



                                                                                          Authentication by definition the answers two questions.



                                                                                          1. Who is the user?

                                                                                          2. Is the user currently present on the system?

                                                                                          OAuth 2.0 has the following grant types



                                                                                          • client_credentials: When one app needs to interact with another app and modify the data of multiple users.

                                                                                          • authorization_code: User delegates the Authorization server to issue an access_token that the client can use to access protected resource

                                                                                          • refresh_token: When the access_token expires, the refresh token can be leveraged to get a fresh access_token

                                                                                          • password: User provides their login credentials to a client that calls the Authorization server and receives an access_token

                                                                                          All 4 have one thing in common, access_token, an artifact that can be used to access protected resource.



                                                                                          The access_token does not provide the answer to the 2 questions that an "Authentication" protocol must answer.



                                                                                          An example to explain Oauth 2.0 (credits: OAuth 2 in Action, Manning publications)



                                                                                          Let's talk about chocolate. We can make many confections out of chocolate including, fudge, ice cream, and cake. But, none of these can be equated to chocolate because multiple other ingredients such as cream and bread are needed to make the confection, even though chocolate sounds like the main ingredient. Similarly, OAuth 2.0 is the chocolate, and cookies, TLS infrastucture, Identity Providers are other ingredients that are required to provide the "Authentication" functionality.



                                                                                          If you want Authentication, you may go for OpenID Connect, which provides an "id_token", apart from an access_token, that answers the questions that every authentication protocol must answer.






                                                                                          share|improve this answer













                                                                                          OAuth 2.0 is a Security protocol. It is NEITHER an Authentication NOR an Authorization protocol.



                                                                                          Authentication by definition the answers two questions.



                                                                                          1. Who is the user?

                                                                                          2. Is the user currently present on the system?

                                                                                          OAuth 2.0 has the following grant types



                                                                                          • client_credentials: When one app needs to interact with another app and modify the data of multiple users.

                                                                                          • authorization_code: User delegates the Authorization server to issue an access_token that the client can use to access protected resource

                                                                                          • refresh_token: When the access_token expires, the refresh token can be leveraged to get a fresh access_token

                                                                                          • password: User provides their login credentials to a client that calls the Authorization server and receives an access_token

                                                                                          All 4 have one thing in common, access_token, an artifact that can be used to access protected resource.



                                                                                          The access_token does not provide the answer to the 2 questions that an "Authentication" protocol must answer.



                                                                                          An example to explain Oauth 2.0 (credits: OAuth 2 in Action, Manning publications)



                                                                                          Let's talk about chocolate. We can make many confections out of chocolate including, fudge, ice cream, and cake. But, none of these can be equated to chocolate because multiple other ingredients such as cream and bread are needed to make the confection, even though chocolate sounds like the main ingredient. Similarly, OAuth 2.0 is the chocolate, and cookies, TLS infrastucture, Identity Providers are other ingredients that are required to provide the "Authentication" functionality.



                                                                                          If you want Authentication, you may go for OpenID Connect, which provides an "id_token", apart from an access_token, that answers the questions that every authentication protocol must answer.







                                                                                          share|improve this answer












                                                                                          share|improve this answer



                                                                                          share|improve this answer










                                                                                          answered Jan 22 at 8:44









                                                                                          RajatRajat

                                                                                          2142 silver badges12 bronze badges




                                                                                          2142 silver badges12 bronze badges
























                                                                                              -5














                                                                                              OAuth builds authentication on top of authorization: The user delegates access to their identity to the application, which, then, becomes a consumer of the identity API, thereby finding out who authorized the client in the first place http://oauth.net/articles/authentication/






                                                                                              share|improve this answer





























                                                                                                -5














                                                                                                OAuth builds authentication on top of authorization: The user delegates access to their identity to the application, which, then, becomes a consumer of the identity API, thereby finding out who authorized the client in the first place http://oauth.net/articles/authentication/






                                                                                                share|improve this answer



























                                                                                                  -5












                                                                                                  -5








                                                                                                  -5







                                                                                                  OAuth builds authentication on top of authorization: The user delegates access to their identity to the application, which, then, becomes a consumer of the identity API, thereby finding out who authorized the client in the first place http://oauth.net/articles/authentication/






                                                                                                  share|improve this answer













                                                                                                  OAuth builds authentication on top of authorization: The user delegates access to their identity to the application, which, then, becomes a consumer of the identity API, thereby finding out who authorized the client in the first place http://oauth.net/articles/authentication/







                                                                                                  share|improve this answer












                                                                                                  share|improve this answer



                                                                                                  share|improve this answer










                                                                                                  answered Oct 23 '15 at 17:58









                                                                                                  Alfredo SilvaAlfredo Silva

                                                                                                  1




                                                                                                  1






























                                                                                                      draft saved

                                                                                                      draft discarded
















































                                                                                                      Thanks for contributing an answer to Stack Overflow!


                                                                                                      • Please be sure to answer the question. Provide details and share your research!

                                                                                                      But avoid


                                                                                                      • Asking for help, clarification, or responding to other answers.

                                                                                                      • Making statements based on opinion; back them up with references or personal experience.

                                                                                                      To learn more, see our tips on writing great answers.




                                                                                                      draft saved


                                                                                                      draft discarded














                                                                                                      StackExchange.ready(
                                                                                                      function ()
                                                                                                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f1087031%2fwhats-the-difference-between-openid-and-oauth%23new-answer', 'question_page');

                                                                                                      );

                                                                                                      Post as a guest















                                                                                                      Required, but never shown





















































                                                                                                      Required, but never shown














                                                                                                      Required, but never shown












                                                                                                      Required, but never shown







                                                                                                      Required, but never shown

































                                                                                                      Required, but never shown














                                                                                                      Required, but never shown












                                                                                                      Required, but never shown







                                                                                                      Required, but never shown







                                                                                                      Popular posts from this blog

                                                                                                      Kamusi Yaliyomo Aina za kamusi | Muundo wa kamusi | Faida za kamusi | Dhima ya picha katika kamusi | Marejeo | Tazama pia | Viungo vya nje | UrambazajiKuhusu kamusiGo-SwahiliWiki-KamusiKamusi ya Kiswahili na Kiingerezakuihariri na kuongeza habari

                                                                                                      SQL error code 1064 with creating Laravel foreign keysForeign key constraints: When to use ON UPDATE and ON DELETEDropping column with foreign key Laravel error: General error: 1025 Error on renameLaravel SQL Can't create tableLaravel Migration foreign key errorLaravel php artisan migrate:refresh giving a syntax errorSQLSTATE[42S01]: Base table or view already exists or Base table or view already exists: 1050 Tableerror in migrating laravel file to xampp serverSyntax error or access violation: 1064:syntax to use near 'unsigned not null, modelName varchar(191) not null, title varchar(191) not nLaravel cannot create new table field in mysqlLaravel 5.7:Last migration creates table but is not registered in the migration table

                                                                                                      은진 송씨 목차 역사 본관 분파 인물 조선 왕실과의 인척 관계 집성촌 항렬자 인구 같이 보기 각주 둘러보기 메뉴은진 송씨세종실록 149권, 지리지 충청도 공주목 은진현