我真的在试图理解OpenID和OAuth之间的区别?也许它们是完全不同的两件事?
当前回答
有三种方法可以比较OAuth和OpenID:
1. 目的
OpenID是为联邦身份验证而创建的,也就是说,允许第三方使用用户已经拥有的帐户为您验证用户身份。联合这个术语在这里非常重要,因为OpenID的全部意义在于可以使用任何提供者(白名单除外)。你不需要预先选择或与提供商协商协议,以允许用户使用他们拥有的任何其他帐户。
OAuth的创建是为了消除用户与第三方应用程序共享密码的需要。它实际上是作为解决OpenID问题的一种方式开始的:如果您在站点上支持OpenID,则不能使用HTTP基本凭据(用户名和密码)来提供API,因为用户在站点上没有密码。
The problem is with this separation of OpenID for authentication and OAuth for authorization is that both protocols can accomplish many of the same things. They each provide a different set of features which are desired by different implementations but essentially, they are pretty interchangeable. At their core, both protocols are an assertion verification method (OpenID is limited to the 'this is who I am' assertion, while OAuth provides an 'access token' that can be exchanged for any supported assertion via an API).
2. 特性
这两种协议都为站点提供了一种方法,可以将用户重定向到其他地方,然后返回一个可验证的断言。OpenID提供身份断言,而OAuth以访问令牌的形式更为通用,可用于“向OAuth提供者询问问题”。但是,它们各自支持不同的特性:
OpenID - the most important feature of OpenID is its discovery process. OpenID does not require hard coding each the providers you want to use ahead of time. Using discovery, the user can choose any third-party provider they want to authenticate. This discovery feature has also caused most of OpenID's problems because the way it is implemented is by using HTTP URIs as identifiers which most web users just don't get. Other features OpenID has is its support for ad-hoc client registration using a DH exchange, immediate mode for optimized end-user experience, and a way to verify assertions without making another round-trip to the provider.
OAuth - the most important feature of OAuth is the access token which provides a long lasting method of making additional requests. Unlike OpenID, OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. However, since OAuth does not support discovery, it requires pre-selecting and hard-coding the providers you decide to use. A user visiting your site cannot use any identifier, only those pre-selected by you. Also, OAuth does not have a concept of identity so using it for login means either adding a custom parameter (as done by Twitter) or making another API call to get the currently "logged in" user.
3.技术的实现
这两种协议在使用重定向获取用户授权方面具有共同的架构。在OAuth中,用户授权访问他们受保护的资源,在OpenID中,用户授权访问他们的身份。但这就是他们所有的共同点。
每个协议都有不同的方法来计算用于验证请求或响应的真实性的签名,并且每个协议都有不同的注册要求。
其他回答
OpenID、OAuth、OpenID Connect的区别解释:
OpenID is a protocol for authentication while OAuth is for authorization. Authentication is about making sure that the guy you are talking to is indeed who he claims to be. Authorization is about deciding what that guy should be allowed to do. In OpenID, authentication is delegated: server A wants to authenticate user U, but U's credentials (e.g. U's name and password) are sent to another server, B, that A trusts (at least, trusts for authenticating users). Indeed, server B makes sure that U is indeed U, and then tells to A: "ok, that's the genuine U". In OAuth, authorization is delegated: entity A obtains from entity B an "access right" which A can show to server S to be granted access; B can thus deliver temporary, specific access keys to A without giving them too much power. You can imagine an OAuth server as the key master in a big hotel; he gives to employees keys which open the doors of the rooms that they are supposed to enter, but each key is limited (it does not give access to all rooms); furthermore, the keys self-destruct after a few hours. To some extent, authorization can be abused into some pseudo-authentication, on the basis that if entity A obtains from B an access key through OAuth, and shows it to server S, then server S may infer that B authenticated A before granting the access key. So some people use OAuth where they should be using OpenID. This schema may or may not be enlightening; but I think this pseudo-authentication is more confusing than anything. OpenID Connect does just that: it abuses OAuth into an authentication protocol. In the hotel analogy: if I encounter a purported employee and that person shows me that he has a key which opens my room, then I suppose that this is a true employee, on the basis that the key master would not have given him a key which opens my room if he was not.
(源)
OpenID Connect与OpenID 2.0有何不同? OpenID Connect执行许多与OpenID 2.0相同的任务,但确实如此 以一种api友好的方式,在本地和移动设备上都可用 应用程序。OpenID Connect为健壮性定义了可选机制 签名和加密。而OAuth 1.0a和OpenID的集成 2.0需要一个扩展,在OpenID连接中,OAuth 2.0功能与协议本身集成。
(源)
OpenID connect will give you an access token plus an id token. The id token is a JWT and contains information about the authenticated user. It is signed by the identity provider and can be read and verified without accessing the identity provider. In addition, OpenID connect standardizes quite a couple things that oauth2 leaves up to choice. for instance scopes, endpoint discovery, and dynamic registration of clients. This makes it easier to write code that lets the user choose between multiple identity providers.
(源)
谷歌是2.0版的
谷歌的OAuth 2.0 api可用于身份验证和 授权。本文档描述了我们的OAuth 2.0实现 用于身份验证,符合OpenID Connect 规范,并且是OpenID认证。在 “OAuth 2.0访问谷歌接口”也适用于本业务。如果 如果您想以交互方式探索此协议,我们推荐 谷歌OAuth 2.0游乐场。
(源)
很多人仍然访问这个网站,这里有一个非常简单的图表来解释它
礼貌维基百科
OpenID和OAuth都是用于身份验证和/或授权的基于http的协议。两者都旨在允许用户执行操作,而无需向客户端或第三方提供身份验证凭据或全面权限。虽然它们是相似的,并且有建议将它们一起使用的标准,但它们是单独的协议。
OpenID用于联合身份验证。客户机接受来自任何提供者的身份断言(尽管客户机可以自由地将提供者列入白名单或黑名单)。
OAuth用于委托授权。客户端向提供者注册,提供者提供授权令牌,客户端接受这些授权令牌以代表用户执行操作。
OAuth目前更适合于授权,因为身份验证后的进一步交互被内置到协议中,但这两个协议都在不断发展。OpenID及其扩展可用于授权,OAuth可用于身份验证,可以将其视为无操作授权。
我目前正在研究OAuth 2.0和OpenID连接规范。以下是我的理解: 之前他们是:
OpenID was proprietary implementation of Google allowing third party applications like for newspaper websites you can login using google and comment on an article and so on other usecases. So essentially, no password sharing to newspaper website. Let me put up a definition here, this approach in enterprise approach is called Federation. In Federation, You have a server where you authenticate and authorize (called IDP, Identity Provider) and generally the keeper of User credentials. the client application where you have business is called SP or Service Provider. If we go back to same newspaper website example then newspaper website is SP here and Google is IDP. In enterprise this problem was earlier solved using SAML. that time XML used to rule the software industry. So from webservices to configuration, everything used to go to XML so we have SAML, a complete Federation protocol OAuth: OAuth saw it's emergence as an standard looking at all these kind of proprietary approaches and so we had OAuth 1.o as standard but addressing only authorization. Not many people noticed but it kind of started picking up. Then we had OAuth 2.0 in 2012. CTOs, Architects really started paying attention as world is moving towards Cloud computing and with computing devices moving towards mobile and other such devices. OAuth kind of looked upon as solving major problem where software customers might give IDP Service to one company and have many services from different vendors like salesforce, SAP, etc. So integration here really looks like federation scenario bit one big problem, using SAML is costly so let's explore OAuth 2.o. Ohh, missed one important point that during this time, Google sensed that OAuth actually doesn't address Authentication, how will IDP give user data to SP (which is actually wonderfully addressed in SAML) and with other loose ends like: a. OAuth 2.o doesn't clearly say, how client registration will happen b. it doesn't mention anything about the interaction between SP (Resource Server) and client application (like Analytics Server providing data is Resource Server and application displaying that data is Client)
从技术上讲,这里已经给出了很好的答案,我想到了给出简要的进化观点
在阅读和做了一些工作后,我认为我需要知道的事情是:OpenID Connect, OAuth, JWT和SAML。
我来总结一下,可能会对大家有所帮助:
OpenID连接(OIDC):如果我们可以使用谷歌帐户登录一个网站,那么您使用的是OIDC。
OAuth:一个应用程序想要访问我的facebook联系人列表,并代表我做一些事情。如果我授权这个应用程序,那么我可能正在使用OAuth。
JWT: OAuth使用JWT, JWT (JSON Web令牌)-它只是一种令牌格式。JWT令牌是JSON编码的数据结构,包含有关发行者、主题(索赔)、到期时间等信息。对它进行签名以防止篡改和真实性,并且可以使用对称或非对称方法对它进行加密以保护令牌信息。JWT比SAML 1.1/2.0更简单,所有设备都支持它,而且它比SWT(简单Web令牌)更强大。
OAuth中的授权流程:
OAuth 2.0协议为授权用户和获取访问令牌提供了几个工作流。这取决于客户端的类型和体系结构,哪个流是最合适的。
下面是2个最常用的授权流程:
授权码:适用于包含客户端和服务器组件的第三方网站。
用户向安全登录网页输入凭据。 登录后,浏览器被重定向到一个特殊的URL(由客户端定义),并在URL中传递一个授权代码。 第三方服务器使用授权代码在后台通过另一个HTTP请求获取访问令牌。 从https://developers.video.ibm.com/api-basics-authentication/
注意:如果你有一个前端应用程序,服务器在浏览器中设置了cookie,那么你的浏览器中已经有了cookie,可以访问该网站。
客户端凭证:开发服务器端应用程序以管理其内容或设置的用户的最佳选择。
IBM有一个很好的指南:https://developers.video.ibm.com/api-basics-authentication 要了解所有其他流的优点和缺点:这里:https://www.geeksforgeeks.org/workflow-of-oauth-2-0/
SAML:也用作openid的替代品,但它是基于xml的。因为开发人员发现OIDC更容易使用,而且它更灵活(例如,与基于xml的SAML相比,与移动应用程序一起使用更容易),OIDC看起来将成为赢家。
OpenID连接(OIDC)与SAML:主要区别:
SAML transmits user data in XML format. OIDC transmits user data in JSON format. SAML calls the user data it sends a SAML Assertion. OIDC calls the data Claims. SAML calls the application or system the user is trying to get into the Service Provider. OIDC calls it the Relying Party. SAML is old, has more features, but OpenID is gaining more popularity as it is easier to implement, easier to use than XML based SAML But not all identity providers support OpenID or SAML, if the identity provider you want to integrate only supports SAML, then you have no choice.
想要更多OpenID vs SAML?读下面: https://www.onelogin.com/blog/real-difference-saml-oidc https://auth0.com/intro-to-iam/saml-vs-openid-connect-oidc/
想要更多吗?你可以读一下OAuth和OpenID的类比: http://cakebaker.42dh.com/2008/04/01/openid-versus-oauth-from-the-users-perspective/