Open ID Connect and OAuth 2

5

Last year, while searching a bit about authentication in REST APIs, I heard about OAuth and saw many recommendations for it. I read a bit about it, liked it, and started using it with ASP.NET Web API 2.

Now, I've only recently heard about OpenID Connect, which I understand extends OAuth 2, that is, it's a superset of OAuth 2. But I've always heard that OpenID was something totally different.

So, what are the actual differences between OpenID Connect and OAuth? How does OpenID Connect extend OAuth, and what are the advantages and disadvantages of each?

    
asked by anonymous 06.06.2015 / 22:12

2 answers

3

The purpose of OpenID Connect is to add authentication functionality to the authorization functions of OAuth (Source). That is, the purposes of OpenID and OAuth are in fact different, and the problem is that a lot of people were using OAuth for authentication (i.e. proving that the user is who they say they are) when in fact it was designed to provide authorization (i.e. determining what an agent can or cannot do on behalf of a user). Some people say that OAuth alone only supports "pseudo-authentication" (whatever that means).

This question on security.SE has some additional information (for example, it mentions that OpenID Connect uses JWT, which standardizes several aspects, making the code simpler, as well as the way the user chooses their provider, etc.), but as far as I understood, the main difference is the one above. I have no practical experience with either protocol, however, so I would not be able to comment on all the implications of using one or the other (for example, it is assumed that ad-hoc OAuth falls short of "real" authentication, but I could not say whether this is true or how bad it is).

    
08.06.2015 / 05:20
2

OpenID does not extend OAuth; it uses OAuth as its base, becoming a layer over OAuth. OAuth is pure delegation without any sense of identity.

That said, I would simplify the application of both as follows:

  • OAuth - Application access authorization
  • OpenID - Open ID with digital signature.
  • While OAuth defines secure ways to authorize applications to access certain contexts and content (in particular, it defines how to do it over HTTP, and so on), OpenID defines a JSON structure that allows you to identify users, devices, etc.

    Together they produce a token containing standardized, useful information that lets you know:

  • Who authenticated
  • Where you authenticated
  • When you authenticated
  • How you authenticated
  • What attributes you have
  • Why you make them available
  • ... and this lets any application know exactly whether the rules of both protocols have been fulfilled.

    In order to guarantee authenticity, the OpenID protocol also defines concepts such as an Identity Provider that generates digitally signed tokens so that their credibility is assured, though on the basis of trust.

        
    22.06.2015 / 20:23
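As an added example (not part of the original answers), here is the signed ID token described above, built on the Identity Provider side and verified on the application side with Python's standard library only. Everything in it is constructed: the issuer URL, client id and shared secret are assumptions, and HS256 with a client secret is used so the example runs offline, whereas OpenID Connect providers typically publish RSA keys and sign with RS256.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not taken from the original page.
ISSUER = "https://idp.example"         # the Identity Provider ("where you authenticated")
CLIENT_ID = "my-web-api"               # the relying party the token is issued to
SECRET = b"constructed-client-secret"  # HS256 shared secret; real IdPs usually publish RS256 keys

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Identity Provider side: emit a digitally signed ID token (JWT, HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token: str, nonce: str, now: int, secret: bytes = SECRET) -> dict:
    """Relying party side: verify the signature, then the claims that bind the token to this login."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust what the token announces
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token issued to another client")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def demo(now: int = 1_700_000_000) -> dict:
    """Round trip: IdP signs, relying party verifies and reads who/where/when/how from the claims."""
    token = sign_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "nonce": "n-1",
                           "iat": now, "exp": now + 300, "auth_time": now - 5, "amr": ["pwd", "otp"]})
    c = verify_id_token(token, nonce="n-1", now=now)
    return {"who": c["sub"], "where": c["iss"], "when": c["auth_time"], "how": c["amr"]}
```

The signature check is what makes the token's claims trustworthy; the issuer, audience, expiry and nonce checks are what tie that trust to the current login rather than to any token the provider ever issued.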