Comments on: OpenID versus OAuth from the user’s perspective

By: cakebaker

cakebaker — Wed, 04 May 2011 14:03:29 +0000

@Peter: You are welcome!

By: Peter Monras

Peter Monras — Mon, 02 May 2011 23:18:33 +0000

Thanks for this article, now I finally understand :)

By: Ingo-Stefan Schilling

Ingo-Stefan Schilling — Mon, 20 Sep 2010 17:18:01 +0000

@zibin: For now, you might want to have a look into Googles step2 project: http://code.google.com/p/step2/ and http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html which tries to marry both into one – and the server at least works and some libraries seem to exist as well.

By: cakebaker

cakebaker — Sat, 11 Sep 2010 14:34:39 +0000

@Bell: Yes, it looks promising, though currently it is “only” a proposal.

By: Bell

Bell — Mon, 06 Sep 2010 18:53:59 +0000

Thank you very much for the OpenID Connect link cakebaker. That looks like a fantastic step in the right direction.

By: cakebaker

cakebaker — Sat, 17 Jul 2010 15:29:16 +0000

@zibin: Well, I think it makes sense to have different specs for different things. However, it seems like the relationship of those two specs will change in the future. According to the OpenID Connect ("OpenID 3.0") proposal, OpenID Connect will be built on OAuth 2.0. So OpenID gets kind of "merged" with OAuth, but OAuth will still exist on its own. Hope that makes sense ;-)

By: zibin

zibin — Thu, 15 Jul 2010 05:06:28 +0000

Despite the distinction, is it not better to merge the two into one?

By: cakebaker

cakebaker — Wed, 13 Jan 2010 15:57:09 +0000

@Erik: Thanks for the link to that video, and good luck on your journey with OpenID and OAuth :)

By: Erik

Erik — Mon, 11 Jan 2010 19:52:37 +0000

@cakebaker: yes it definitely does help and I thank you for your response.

My struggle to put all of this together into a cohesive whole continues and may well forever but I’m very excited about the prospects this sort of effort will offer. I found a YouTube video http://www.youtube.com/watch?v=6SYnlH5FXz0 which is exceptional in filling in the missing pieces, at least conceptually.

I feel strong enough about the righteousness of the OpenID and OAuth concepts that I’ll be committing to using them exclusively in all of my future projects even if it’s a bumpy, partially paved road. I suppose if it wasn’t, it wouldn’t be interesting.

Keep up the great work!

By: cakebaker

cakebaker — Mon, 11 Jan 2010 16:22:49 +0000

@Erik: Thanks for your comment!

Yes, the described scenario is correct. And I agree with you, the user experience is not that great in such a use case…

OAuth Wrap could, theoretically, simplify this process if the two services (Picasa, Flickr) trust each other’s Authorization Servers (or use the same Authorization Server). In that case the scenario would look like:
1. – 3. Same as above
4. Settings page redirects the user to the Authorization Server and the user authorizes access
5. Same as above.
6. No such step ;-)

But as always with new protocols: it will take quite some time until it gets implemented…

I hope this answers your question.