我真的在试图理解OpenID和OAuth之间的区别?也许它们是完全不同的两件事?


当前回答

我相信重新审视这个问题是有意义的,正如评论中所指出的,OpenID Connect的引入可能带来更多的困惑。

OpenID Connect是一种类似于OpenID 1.0/2.0的身份验证协议,但它实际上构建在OAuth 2.0之上,因此您将获得授权功能和身份验证功能。这两者之间的区别在这篇(相对较新的,但很重要的)文章中有很好的详细解释:http://oauth.net/articles/authentication/

其他回答

OAuth

仅用于委托授权——这意味着您授权第三方服务访问使用个人数据,而无需提供密码。此外,OAuth“会话”通常比用户会话存活更久。这意味着OAuth被设计为允许授权

例如,Flickr使用OAuth允许第三方服务发布和编辑个人照片,而不需要他们提供自己的flicker用户名和密码。

OpenID

用于验证单点登录身份。所有OpenID应该做的就是允许OpenID提供者证明你说你是。然而,许多站点使用身份验证来提供授权(然而,这两者可以分开)

也就是说,一个人在机场出示护照,以证明他们所使用的机票上的人就是他们自己。

OpenID是关于身份验证的。证明你是谁),OAuth是关于授权(即。授予对功能/数据等的访问权。而不必处理原始的身份验证)。

OAuth可以在外部合作伙伴站点中使用,允许访问受保护的数据,而无需重新对用户进行身份验证。

博客文章“从用户的角度看OpenID与OAuth”从用户的角度对两者进行了简单的比较,而“OAuth-OpenID:如果你认为它们是同一件事,你就找错了对象”有更多的信息。

OpenId -仅用于身份验证。

OAuth—用于身份验证和授权。授权依赖于access_token,它是JWT令牌的一部分。它可以包含用户权限的详细信息或任何有用的信息。

两者都可以依赖第三方认证提供商来维护他们的帐户。例如,OKTA身份提供者,User在OKTA登录页面上提供凭据,在成功登录时,用户被重定向到消费者应用程序,头部有JWT令牌。

OpenID、OAuth、OpenID Connect的区别解释:

OpenID is a protocol for authentication while OAuth is for authorization. Authentication is about making sure that the guy you are talking to is indeed who he claims to be. Authorization is about deciding what that guy should be allowed to do. In OpenID, authentication is delegated: server A wants to authenticate user U, but U's credentials (e.g. U's name and password) are sent to another server, B, that A trusts (at least, trusts for authenticating users). Indeed, server B makes sure that U is indeed U, and then tells to A: "ok, that's the genuine U". In OAuth, authorization is delegated: entity A obtains from entity B an "access right" which A can show to server S to be granted access; B can thus deliver temporary, specific access keys to A without giving them too much power. You can imagine an OAuth server as the key master in a big hotel; he gives to employees keys which open the doors of the rooms that they are supposed to enter, but each key is limited (it does not give access to all rooms); furthermore, the keys self-destruct after a few hours. To some extent, authorization can be abused into some pseudo-authentication, on the basis that if entity A obtains from B an access key through OAuth, and shows it to server S, then server S may infer that B authenticated A before granting the access key. So some people use OAuth where they should be using OpenID. This schema may or may not be enlightening; but I think this pseudo-authentication is more confusing than anything. OpenID Connect does just that: it abuses OAuth into an authentication protocol. In the hotel analogy: if I encounter a purported employee and that person shows me that he has a key which opens my room, then I suppose that this is a true employee, on the basis that the key master would not have given him a key which opens my room if he was not.

(源)

OpenID Connect与OpenID 2.0有何不同? OpenID Connect执行许多与OpenID 2.0相同的任务,但确实如此 以一种api友好的方式,在本地和移动设备上都可用 应用程序。OpenID Connect为健壮性定义了可选机制 签名和加密。而OAuth 1.0a和OpenID的集成 2.0需要一个扩展,在OpenID连接中,OAuth 2.0功能与协议本身集成。

(源)

OpenID connect will give you an access token plus an id token. The id token is a JWT and contains information about the authenticated user. It is signed by the identity provider and can be read and verified without accessing the identity provider. In addition, OpenID connect standardizes quite a couple things that oauth2 leaves up to choice. for instance scopes, endpoint discovery, and dynamic registration of clients. This makes it easier to write code that lets the user choose between multiple identity providers.

(源)

谷歌是2.0版的

谷歌的OAuth 2.0 api可用于身份验证和 授权。本文档描述了我们的OAuth 2.0实现 用于身份验证,符合OpenID Connect 规范,并且是OpenID认证。在 “OAuth 2.0访问谷歌接口”也适用于本业务。如果 如果您想以交互方式探索此协议,我们推荐 谷歌OAuth 2.0游乐场。

(源)

OpenID和OAuth都是用于身份验证和/或授权的基于http的协议。两者都旨在允许用户执行操作,而无需向客户端或第三方提供身份验证凭据或全面权限。虽然它们是相似的,并且有建议将它们一起使用的标准,但它们是单独的协议。

OpenID用于联合身份验证。客户机接受来自任何提供者的身份断言(尽管客户机可以自由地将提供者列入白名单或黑名单)。

OAuth用于委托授权。客户端向提供者注册,提供者提供授权令牌,客户端接受这些授权令牌以代表用户执行操作。

OAuth目前更适合于授权,因为身份验证后的进一步交互被内置到协议中,但这两个协议都在不断发展。OpenID及其扩展可用于授权,OAuth可用于身份验证,可以将其视为无操作授权。