OpenID versus OAuth from the user’s perspective

Published on and tagged with oauth  openid

In this article I want to show the differences between OpenID and its younger cousin OAuth by providing for each a typical user scenario.

First the scenario for OpenID:

  • User wants to access his account on example.com
  • example.com (the “Relying Party” in OpenID lingo) asks the user for his OpenID
  • User enters his OpenID
  • example.com redirects the user to his OpenID provider
  • User authenticates himself to the OpenID provider
  • OpenID provider redirects the user back to example.com
  • example.com allows the user to access his account

And now the scenario for OAuth:

  • User is on example.com and wants to import his contacts from mycontacts.com
  • example.com (the “Consumer” in OAuth lingo) redirects the user to mycontacts.com (the “Service Provider”)
  • User authenticates himself to mycontacts.com (which can happen by using OpenID)
  • mycontacts.com asks the user whether he wants to authorize example.com to access his contacts
  • User makes his choice
  • mycontacts.com redirects the user back to example.com
  • example.com retrieves the contacts from mycontacts.com
  • example.com informs the user that the import was successful

From those scenarios we can see that OpenID is about authentication (i.e. I can identify myself with an url) whereas OAuth is about authorization (i.e. I can grant permission to access my data on some website to another website, without providing this website the authentication information for the original website).

I hope this helps to keep apart those two standards :)

33 comments baked

Bake a comment




(for code please use <code>...</code> [no escaping necessary])

© daniel hofstetter. Licensed under a Creative Commons License