Difference Between OAUTH, OpenID and OPENID Connect in very simple term?

OpenID is a protocol for authentication while OAuth is for authorization. Authentication is about making sure that the guy you are talking to is indeed who he claims to be. Authorization is about deciding what that guy should be allowed to do.

In OpenID, authentication is delegated: server A wants to authenticate user U, but U's credentials (e.g. U's name and password) are sent to another server, B, that A trusts (at least, trusts for authenticating users). Indeed, server B makes sure that U is indeed U, and then tells to A: "ok, that's the genuine U".

In OAuth, authorization is delegated: entity A obtains from entity B an "access right" which A can show to server S to be granted access; B can thus deliver temporary, specific access keys to A without giving them too much power. You can imagine an OAuth server as the key master in a big hotel; he gives to employees keys which open the doors of the rooms that they are supposed to enter, but each key is limited (it does not give access to all rooms); furthermore, the keys self-destruct after a few hours.

To some extent, authorization can be abused into some pseudo-authentication, on the basis that if entity A obtains from B an access key through OAuth, and shows it to server S, then server S may infer that B authenticated A before granting the access key. So some people use OAuth where they should be using OpenID. This schema may or may not be enlightening; but I think this pseudo-authentication is more confusing than anything. OpenID Connect does just that: it abuses OAuth into an authentication protocol. In the hotel analogy: if I encounter a purported employee and that person shows me that he has a key which opens my room, then I suppose that this is a true employee, on the basis that the key master would not have given him a key which opens my room if he was not.


Simple Terms

  1. OpenID is about verifying a person's identity (authentication).
  2. OAuth is about accessing a person's stuff (authorization).
  3. OpenID Connect does both.

All three let a person give their username/password (or other credential) to a trusted authority instead of to a less trusted app.

More Details

To understand something, look at its history.

OpenID & OAuth have developed on parallel tracks and in 2014 merged into OpenID Connect. Throughout their history, OpenID and OAuth have let an app use a trusted authority to handle private user credentials. Whereas OpenID let the authority verify a user's identity, OAuth let the authority grant limited access to a user's stuff.

OpenID 1.0 (2006) lets an app ask an authority for proof that an end user owns an identify (a URL).

  • End user to app: I am Steve A. Smith.
  • App to authority: Is this Steve A. Smith?
  • The end user and authority speak for a moment.
  • Authority to app: Yes, that is Steve A. Smith.

OpenID 2.0 (2007) does the same, but adds a second identity format (XRI) and adds flexibility to how the end user specifies the identity and authority.

OpenID Attribute Exchange 1.0 (2007) extends OpenID 2.0 by letting an app fetch & store end user profile information with the authority - in addition to verifying the end user's identity.

  • End user to app: I am Steve A. Smith.
  • App to authority: Is this Steve A. Smith? Oh, and if it is, also fetch me his email address and phone number.
  • The end user and authority speak for a moment.
  • Authority to app: Yes, that is Steve A. Smith. His email is [email protected] and phone number is 123-456-7890.

OAuth 1.0 (2010) lets an end user grant an app limited access to resources on a third-party server that an authority owns.

  • App to end user: We'd like to access your pictures on some other server.
  • The end user and authority speak for a moment.
  • Authority to app: Here is an access token.
  • App to third-party server: Here is the access token that proves I am allowed to access pictures for an end user.

OAuth 2.0 (2012) does the same thing as OAuth 1.0 but with a completely new protocol.

OpenID Connect (2014) combines the features of OpenID 2.0, OpenID Attribute Exchange 1.0, and OAuth 2.0 in a single protocol. It allows an application to use an authority...

  1. to verify the end user's identity,
  2. to fetch the end user's profile info, and
  3. to gain limited access to the end user's stuff.

Many people still visit this so here's a very simple diagram to explain it

OpenID_vs._pseudo-authentication_using_OAuth

Courtesy Wikipedia

Tags:

Authentication

Authorization

Openid

Oauth

Openid Connect

Recent Posts