Comments on: OpenID versus OAuth from the user’s perspective

By: cakebaker

cakebaker — Wed, 13 Jan 2010 15:57:09 +0000

@Erik: Thanks for the link to that video, and good luck on your journey with OpenID and OAuth :)

By: Erik

Erik — Mon, 11 Jan 2010 19:52:37 +0000

@cakebaker: yes it definitely does help and I thank you for your response.

My struggle to put all of this together into a cohesive whole continues and may well forever but I’m very excited about the prospects this sort of effort will offer. I found a YouTube video http://www.youtube.com/watch?v=6SYnlH5FXz0 which is exceptional in filling in the missing pieces, at least conceptually.

I feel strong enough about the righteousness of the OpenID and OAuth concepts that I’ll be committing to using them exclusively in all of my future projects even if it’s a bumpy, partially paved road. I suppose if it wasn’t, it wouldn’t be interesting.

Keep up the great work!

By: cakebaker

cakebaker — Mon, 11 Jan 2010 16:22:49 +0000

@Erik: Thanks for your comment!

Yes, the described scenario is correct. And I agree with you, the user experience is not that great in such a use case…

OAuth Wrap could, theoretically, simplify this process if the two services (Picasa, Flickr) trust each other’s Authorization Servers (or use the same Authorization Server). In that case the scenario would look like:
1. – 3. Same as above
4. Settings page redirects the user to the Authorization Server and the user authorizes access
5. Same as above.
6. No such step ;-)

But as always with new protocols: it will take quite some time until it gets implemented…

I hope this answers your question.

By: Erik

Erik — Sun, 10 Jan 2010 20:21:59 +0000

I see the different and I also see redundancy which does NOT make for a smooth and simple user experience. Why is the user authenticating twice? How does it work in this scenario:

1. User goes to example.com which uses OpenID/OAuth exclusively (does not offer local logins itself)
2. User logs in with OpenID and a profile is created on example.com connecting the user’s OpenID to this new profile.
3. User wants to change settings to allow accessing and using their Picasa or Flickr (or both) photos on example.com
4. Setting page redirects to Picasa/Google and logs in with their OpenID and authorizes access.
5. User is redirected back to example.com
6. User is redirected to Flickr to login yet again (3rd time?) and authorize access and then back to example.com

This looks like a freaking mess to me. Can someone explain how this scenario is handled with OpenID/OAuth/OAuth WRAP/other if not as described? FB Connect offers a single API to do both and it works and has become a defacto standard for interoperability.

I’m really struggling with connecting these into a cohesive whole.

By: Different between OAUth and OpenID « Kathir's Blog

Different between OAUth and OpenID « Kathir's Blog — Tue, 15 Dec 2009 15:08:05 +0000

[...] interesting links: Link1 [...]

By: cakebaker

cakebaker — Fri, 24 Jul 2009 09:29:32 +0000

@Malih: You are welcome!

By: Malih

Malih — Thu, 23 Jul 2009 11:22:13 +0000

Wow this is great, i just read something about OAuth, and they mention something about OpenID, and now I understand the difference. Thank you.

By: cakebaker

cakebaker — Sat, 21 Mar 2009 15:39:53 +0000

@Ryan: You are welcome!

By: Ryan Cross

Ryan Cross — Wed, 18 Mar 2009 19:48:51 +0000

Yeah, I agree. This is really good primer for understanding the difference. Thanks!

By: cakebaker

cakebaker — Wed, 02 Apr 2008 15:46:52 +0000

@Tarique: Thanks for your comment, I hope you will blog about it when it is finished ;-)