Tuesday, 10 September 2013

How does OpenID differ from OAuth? by Mrinal Srivastava

I have observed that people easily confuse OpenID with OAuth. Many of us think that they are similar protocols used for Single Sign-On, or that both are open standards for authentication. That is not the case. Here we will differentiate between the two at a high level to make their working differences easy to understand.


Definition/Origin:
Nowadays an average user has at least 12-15 online accounts and needs to remember that many sets of credentials. Before that, one has to go through the sign-up process for each of those accounts, and the sign-up forms more or less ask for the same values: first name, last name, school, college, age, etc. OpenID made a revolutionary change here. OpenID allows you to sign up once with an OpenID Provider, creating your federated identity (represented by your OpenID URI), and then use the same credentials across all sites that support OpenID. It drastically removes the need to sign up at every online application and to remember each one's credentials: your one OpenID credential works for all your applications. This also makes OpenID a popular mechanism for Single Sign-On, since it gives you one credential for multiple sites.

OAuth, on the other hand, originated when the Twitter team was working on implementing OpenID support. They had a requirement to give dashboard widgets access as well, without re-authenticating the user, and realized that no open standard existed for API access delegation. They then started an open community and introduced OAuth.

Conclusively, we can say that both protocols work on federation, but OpenID is an open standard for authentication, whereas OAuth is an open standard for authorization.

Entities involved:
In OpenID, two main entities are involved: the OpenID Provider, which gives you your federated identity (e.g. MyOpenID), and the OpenID Consumer, on which you use your federated identity to sign in (e.g. WikiSpaces). OpenID thus provides you third-party authentication.

In OAuth, three main parties are involved: the Client Application, which needs access to some resources on behalf of the user; the Authorization Server, which authorizes the client application by taking the user's consent to access resources from another application/server on the user's behalf; and the Resource Server (Service Provider), which provides the resource(s) to the client. The Google OAuth Playground gives a very clear picture of how this works and is easy to understand.

In action scenarios:
OpenID:
  1. The user is trying to access Wikispaces.com and clicks on "Sign In with OpenID".
  2. The user provides his OpenID on Wikispaces.
  3. Wikispaces discovers the OpenID Provider on the basis of the OpenID URI and redirects the user to the OpenID Provider.
  4. The user authenticates himself at the OpenID Provider.
  5. On successful authentication, the OpenID Provider redirects back to Wikispaces with an authenticated assertion.
  6. On receiving the assertion, Wikispaces creates the user session.
OAuth:
  1. The user is logged in to Facebook (the Client) and wants to share his images from Flickr on Facebook.
  2. The user clicks on "Share images from Flickr", one of the apps on Facebook, which redirects the user to Flickr.com's Authorization Server.
  3. The Authorization Server verifies the client and shows the Authentication Page of Flickr.com.
  4. The user provides his Flickr.com credentials and, on successful authentication, is asked to make a choice with a message like "Facebook is trying to access your images on your behalf", which he can "allow" or "deny".
  5. If the user clicks on allow, the Authorization Server sends an authorized assertion to Facebook, and using that, Facebook calls Flickr's Share Image API (the Resource Server) to get the images.
  6. Those images are then shared on Facebook.
With the above examples we can clearly see that OpenID sends an authentication assertion ("my authenticated identity is provided by my OpenID Provider"), whereas OAuth sends an authorization assertion ("I am granting (authorizing) one of my applications access to data in another application, without exposing or sharing the credentials of one application with the other").
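To make the two assertions concrete, here is an added illustration (my own sketch, not code from the original post or from any OpenID/OAuth library) that models both flows in-process: the provider name, user accounts, photo lists and the HMAC-signed assertion are constructed placeholders, and the "Flickr"/"Facebook" parties are stand-ins. It also shows that an OAuth access token on its own carries no user identity, so a separate API call is needed to learn who the user is.

```python
import hashlib
import hmac
import secrets

# Hypothetical OpenID Provider (the post's "MyOpenID"); users/passwords are sample data.
class OpenIDProvider:
    def __init__(self, name, users):
        self.name, self.users = name, users
        self.assoc_secret = secrets.token_bytes(16)      # shared with the consumer at run time
    def associate(self):                                  # step 3: after discovery, associate
        return self.assoc_secret
    def authenticate(self, username, password, return_to):   # steps 4 and 5
        if self.users.get(username) != password:
            return None
        claimed_id = f"https://{self.name}/{username}"
        msg = f"{claimed_id}|{return_to}".encode()
        sig = hmac.new(self.assoc_secret, msg, hashlib.sha256).hexdigest()
        return {"claimed_id": claimed_id, "return_to": return_to, "sig": sig}

def verify_assertion(consumer, secret, assertion):         # step 6, done by the consumer
    msg = f"{assertion['claimed_id']}|{assertion['return_to']}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, assertion["sig"])
            and assertion["return_to"] == consumer)

def openid_login(consumer, provider, username, password):
    assertion = provider.authenticate(username, password, consumer)
    if assertion is None or not verify_assertion(consumer, provider.associate(), assertion):
        return None
    return {"session_user": assertion["claimed_id"]}      # the identity is in the assertion

# Hypothetical OAuth Authorization + Resource Server (the post's "Flickr").
class OAuthServer:
    def __init__(self, registered_clients, users, photos):
        self.clients, self.users, self.photos = registered_clients, users, photos
        self.tokens = {}                                  # access token -> (client, user)
    def authorize(self, client_id, username, password, consent):   # steps 3 and 4
        if (client_id not in self.clients                 # client was registered beforehand
                or self.users.get(username) != password or not consent):
            return None
        token = secrets.token_hex(8)                      # the "authorized assertion"
        self.tokens[token] = (client_id, username)
        return token
    def share_image_api(self, token):                     # step 5: returns data, not identity
        owner = self.tokens.get(token)
        return None if owner is None else self.photos[owner[1]]
    def whoami_api(self, token):                          # separate API call to learn identity
        owner = self.tokens.get(token)
        return None if owner is None else owner[1]
```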

Some more differences:
  • In OpenID, the association/federation is established at run time using the OpenID Provider discovery mechanism, whereas in OAuth the federation is established first, as a client registration process, and only then can OAuth be used between the federated entities.
  • In OpenID, a complete user session is created, whereas in OAuth we get access to APIs. It depends on the Service Provider or Resource Provider what access it wants to give through OAuth; it may also give you full access, which can then be used to create a complete user session.
  • OpenID shares the authenticated user identity in its assertion, whereas OAuth's assertion does not carry the user identity; it shares an access token. So, if you want the user identity, you need to call some other API using that access token.
  • OAuth allows you to call or use any number of authorized APIs with the same access token (authorized assertion), by making one call per API, whereas OpenID just helps you create a user session on the OpenID Consumer.
  • OpenID messages are exchanged using XRDS (eXtensible Resource Descriptor Sequence), whereas in OAuth it is usually JSON.
  • OpenID extensions now also allow you to access user information from the OpenID Provider by calling its APIs, and similarly OAuth extensions also support authentication. But OpenID is meant for federated authentication and OAuth is meant for delegated authorization.

Many applications now use a combination of OpenID and OAuth to support both authentication and authorization, which gives you the feel of Single Sign-On as well as access to other APIs (delegated authorization).
