You have probably heard of OpenID and OAuth (unless you have been living somewhere without a network connection for the past few years), and you are probably wondering when and why you should choose one over the other, or why both exist instead of just one.

In this blog post I will try to explain what OpenID and OAuth are and what differentiates the two.

What is OpenID

OpenID is an open standard that lets a user sign in to any OpenID-enabled website with a single identity, held at an OpenID provider of the user's choosing, instead of a separate username and password for each site.

Once you have signed up with an OpenID provider, you give any OpenID-enabled website either your OpenID identifier (a URL) or the URL of your provider; the website then redirects you to that provider to verify your account. After you authenticate with your provider, it sends you back to the website you were originally visiting along with a signed assertion about who you are, and you are signed in to that website automatically.

Here is the same flow as a short vignette:

  • You want to log in to www.example.com
  • www.example.com (the “Relying Party”) offers to let you log in with your OpenID
  • You enter your OpenID identifier, or the URL of your OpenID Provider
  • The Relying Party redirects your browser (the “user agent”) to the OpenID Provider
  • You authenticate to your OpenID Provider, which redirects your browser back to www.example.com carrying a signed assertion about your identity; your provider password never reaches www.example.com
  • www.example.com verifies the assertion (the signature, that it was issued for www.example.com, and that it is not a replayed response); if it checks out, you are signed in and can continue using your account
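The exchange above, as an added example that is not part of the original post: a self-contained Python simulation of the relying party and the provider, showing what the relying party must check on the way back (signature, return address, replay) before it treats the user as signed in. The provider URL openid.example, the user alice, the association key and the HMAC-SHA256 signature scheme are constructed for illustration; real OpenID 2.0 negotiates the association key with Diffie-Hellman and signs a declared list of fields, which is simplified here.

```python
import hashlib
import hmac
import secrets

# Constructed example: one OpenID-style provider and one relying party that
# share an association key set up out of band. Real OpenID 2.0 negotiates this
# key with Diffie-Hellman and signs with HMAC-SHA1/SHA256; this is simplified.
ASSOC_HANDLE = "assoc-1"
ASSOC_KEY = b"shared-association-secret"
SIGNED_FIELDS = ("claimed_id", "return_to", "nonce", "assoc_handle")


def sign(fields):
    """HMAC over the signed fields in a fixed order, so the relying party can
    detect any change to who the assertion is about or where it may be used."""
    msg = "\n".join(f"{k}:{fields[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(ASSOC_KEY, msg, hashlib.sha256).hexdigest()


class OpenIDProvider:
    """Stand-in for the user's OpenID provider (hypothetical openid.example)."""

    def __init__(self):
        # Constructed user database: identifier URL -> SHA-256 of the password.
        self._users = {
            "https://openid.example/alice": hashlib.sha256(b"alice-pw").hexdigest(),
        }

    def authenticate(self, claimed_id, password, return_to, nonce):
        """The user logs in at the provider. On success the provider returns a
        positive assertion (mode id_res) that the browser carries back to the
        relying party; on failure it returns a cancel response."""
        stored = self._users.get(claimed_id)
        given = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, given):
            return {"mode": "cancel"}
        assertion = {
            "mode": "id_res",
            "claimed_id": claimed_id,
            "return_to": return_to,
            "nonce": nonce,
            "assoc_handle": ASSOC_HANDLE,
        }
        assertion["sig"] = sign(assertion)
        return assertion


class RelyingParty:
    """Stand-in for www.example.com."""

    def __init__(self, return_to="https://www.example.com/openid/return"):
        self.return_to = return_to
        self._pending = set()  # nonces we issued and are still waiting for
        self._used = set()     # nonces already consumed, to reject replays

    def begin(self, claimed_id):
        """User typed their identifier; build the request the browser carries
        to the provider. The nonce ties the eventual answer to this request."""
        nonce = secrets.token_urlsafe(16)
        self._pending.add(nonce)
        return {"claimed_id": claimed_id, "return_to": self.return_to, "nonce": nonce}

    def complete(self, assertion):
        """Browser came back. Verify before signing anyone in.
        Returns the verified identifier, or None if the response is rejected."""
        if assertion.get("mode") != "id_res":
            return None  # user cancelled or failed to authenticate
        if not all(k in assertion for k in SIGNED_FIELDS):
            return None  # a signed field is missing
        if assertion["return_to"] != self.return_to:
            return None  # assertion was issued for some other site
        if assertion["assoc_handle"] != ASSOC_HANDLE:
            return None  # signed with a key we do not share
        nonce = assertion["nonce"]
        if nonce not in self._pending or nonce in self._used:
            return None  # unsolicited or replayed response
        if not hmac.compare_digest(sign(assertion), assertion.get("sig", "")):
            return None  # fields were altered in transit
        self._pending.discard(nonce)
        self._used.add(nonce)
        return assertion["claimed_id"]


def login(rp, provider, claimed_id, password):
    """Drive the whole sequence the way the browser redirects would.
    Returns (verified identifier or None, the raw assertion)."""
    req = rp.begin(claimed_id)
    assertion = provider.authenticate(claimed_id, password, req["return_to"], req["nonce"])
    return rp.complete(assertion), assertion


if __name__ == "__main__":
    rp, idp = RelyingParty(), OpenIDProvider()
    who, a = login(rp, idp, "https://openid.example/alice", "alice-pw")
    print("signed in as:", who)
    print("replay accepted:", rp.complete(a) is not None)
```

The checks in `complete` are the whole point: the provider only vouches for the identity, and it is the relying party that must refuse an assertion signed for a different site, one whose fields were altered after signing, or one that is simply sent a second time.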

Here is a list of OpenID providers on Wikipedia

What is OAuth

OAuth (commonly expanded as “Open Authorization”) is an open standard for authorization: a way for a user to grant one website or application access to some of their resources (photos, contacts, groups, etc.) held on another website, without handing their login credentials to the requesting site. For example, you “Allow” an application or website to post tweets to Twitter on your behalf. Another case is importing your contacts from your email provider (e.g. Gmail) into a social networking site (e.g. Facebook): if both support OAuth, you only need to grant Facebook access to your address book. Otherwise you would have to give Facebook your Gmail username and password (something that I never ever do; the reason for which requires another blog post and some more investigation) so that it can read your Gmail address book.

So here is how OAuth actually works:

  • The user has created a cool new group on www.example.com
  • The user wants to tweet about this group so that friends become aware of it and join
  • www.example.com (the “Consumer”) redirects the user to twitter.com (the “Service Provider”)
  • The user authenticates to twitter.com; the password goes to twitter.com only, never to www.example.com
  • twitter.com asks the user whether to allow www.example.com the requested access to the account (here, posting tweets)
  • Based on the user’s decision, twitter.com redirects the user back to www.example.com, carrying either a denial or a short-lived, one-time credential (a verifier in OAuth 1.0a, an authorization code in OAuth 2.0)
  • www.example.com exchanges that credential, together with its own client secret, for an access token, and from then on presents the token whenever it tweets the user’s latest activity on twitter.com

To summarize: OAuth and OpenID serve distinct purposes even though the redirects look similar. OpenID is a means of authentication: the user proves to a website that they are who they claim to be. OAuth is a means of authorization: the user lets one website (or application) access their data stored on another website without sharing the credentials for that provider (which could itself be using OpenID to authenticate the user in the first place). The practical corollary is that an OAuth access token only proves that someone was granted access to a resource, not who is at the keyboard, so OAuth on its own should not be used as a login mechanism.
