OpenID versus OAuth from the user’s perspective

Published on and tagged with oauth  openid

In this article I want to show the differences between OpenID and its younger cousin OAuth by walking through a typical user scenario for each.

First the scenario for OpenID:

  • User wants to access his account on
  • (the “Relying Party” in OpenID lingo) asks the user for his OpenID
  • User enters his OpenID
  • redirects the user to his OpenID provider
  • User authenticates himself to the OpenID provider
  • OpenID provider redirects the user back to
  • allows the user to access his account

And now the scenario for OAuth:

  • User is on and wants to import his contacts from
  • (the “Consumer” in OAuth lingo) redirects the user to (the “Service Provider”)
  • User authenticates himself to (which can happen by using OpenID)
  • asks the user whether he wants to authorize to access his contacts
  • User makes his choice
  • redirects the user back to
  • retrieves the contacts from
  • informs the user that the import was successful

From those scenarios we can see that OpenID is about authentication (i.e. I can identify myself with a URL) whereas OAuth is about authorization (i.e. I can grant another website permission to access my data on some website, without giving that other website my login credentials for the original website).
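To make the distinction concrete, here is an added example (my own toy simulation, not code from the original post or from any OpenID/OAuth library) that models both scenarios above in a few dozen lines. One in-memory "provider" site knows the user's password and holds his contacts; a second site plays the Relying Party in the OpenID flow and the Consumer in the OAuth flow and never sees the password. The site names, user, password, contacts list, the HMAC-signed assertion and the scoped token are all constructed for illustration; real OpenID and OAuth messages carry more fields than shown here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ProviderSite:
    """Site that knows the user's password and holds his data. It is the
    OpenID provider in scenario 1 and the OAuth "Service Provider" in scenario 2."""
    name: str
    passwords: dict = field(default_factory=dict)   # username -> password (constructed)
    contacts: dict = field(default_factory=dict)    # username -> list of contacts
    assoc_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    tokens: dict = field(default_factory=dict)      # access token -> (user, consumer, scope)

    def authenticate(self, username, password):
        """'User authenticates himself to the provider' (both scenarios)."""
        return self.passwords.get(username) == password

    # --- OpenID: vouch for WHO the user is ---
    def openid_assert(self, username, password, return_to):
        """Signed assertion the provider sends back to the Relying Party.
        Real OpenID signs with an association key shared with the RP; here the
        key is a constructed shared secret and the payload is simplified."""
        if not self.authenticate(username, password):
            return None
        claimed_id = f"https://{self.name}/{username}"
        payload = f"{claimed_id}|{return_to}".encode()
        sig = hmac.new(self.assoc_key, payload, hashlib.sha256).hexdigest()
        return {"claimed_id": claimed_id, "return_to": return_to, "sig": sig}

    # --- OAuth: grant WHAT another site may do with the user's data ---
    def oauth_authorize(self, username, password, consumer, scope, approve):
        """'Asks the user whether he wants to authorize <consumer> to access his
        contacts', then 'User makes his choice'. Returns a token bound to one scope."""
        if not self.authenticate(username, password) or not approve:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (username, consumer, scope)
        return token

    def api_get_contacts(self, token):
        """Protected API: only a token granted for scope 'contacts' is honoured."""
        entry = self.tokens.get(token)
        if entry is None or entry[2] != "contacts":
            return None
        return list(self.contacts[entry[0]])


@dataclass
class RelyingParty:
    """Site the user logs in to (OpenID RP) or imports contacts into (OAuth
    Consumer). Note it holds no password field at all."""
    name: str
    assoc_key: bytes   # shared with the provider; modelled as pre-established

    def verify_openid(self, response):
        """Check return_to and the provider's signature before trusting the identity."""
        if response["return_to"] != f"https://{self.name}/return":
            return None
        payload = f"{response['claimed_id']}|{response['return_to']}".encode()
        good_sig = hmac.new(self.assoc_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good_sig, response["sig"]):
            return None
        return response["claimed_id"]


def openid_scenario(rp, provider, username, password, tamper_to=None):
    """Redirect to provider, authenticate there, come back with an identity
    assertion. `tamper_to` rewrites the claimed id in transit to show the RP
    rejecting an assertion it did not sign."""
    response = provider.openid_assert(username, password, f"https://{rp.name}/return")
    if response is None:
        return None
    if tamper_to:
        response = dict(response, claimed_id=tamper_to)
    return rp.verify_openid(response)


def oauth_scenario(consumer, provider, username, password, approve, scope="contacts"):
    """Redirect to provider, authenticate there, approve or refuse access, come
    back with a token; the consumer then fetches the contacts with that token."""
    token = provider.oauth_authorize(username, password, consumer.name, scope, approve)
    if token is None:
        return None
    return provider.api_get_contacts(token)


def demo():
    """Run both flows with constructed sample data and collect the outcomes."""
    provider = ProviderSite("idp.example", {"alice": "s3cret"}, {"alice": ["bob", "carol"]})
    site = RelyingParty("app.example", provider.assoc_key)
    return {
        "openid_ok": openid_scenario(site, provider, "alice", "s3cret"),
        "openid_bad_pw": openid_scenario(site, provider, "alice", "wrong"),
        "openid_tampered": openid_scenario(site, provider, "alice", "s3cret",
                                           tamper_to="https://idp.example/admin"),
        "oauth_approved": oauth_scenario(site, provider, "alice", "s3cret", True),
        "oauth_refused": oauth_scenario(site, provider, "alice", "s3cret", False),
        "oauth_wrong_scope": oauth_scenario(site, provider, "alice", "s3cret", True, scope="mail"),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The two things worth noticing when running `demo()`: the `RelyingParty` never touches the password in either flow, which is the whole point of the redirect to the provider, and the OAuth token is only good for the one thing the user approved (a token granted for `mail` is refused by the contacts API), whereas the OpenID assertion proves nothing except which URL the user controls.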

I hope this helps to tell those two standards apart :)


© daniel hofstetter. Licensed under a Creative Commons License