我真的在试图理解OpenID和OAuth之间的区别?也许它们是完全不同的两件事?
当前回答
创建这两个协议的原因不同。创建OAuth是为了授权第三方访问资源。创建OpenID是为了执行分散的身份验证。本网站说明如下:
OAuth是一种用于验证终端用户身份并向第三方授予权限的协议。这个验证的结果是一个令牌。第三方可以使用这个令牌来代表用户访问资源。令牌有一个作用域。作用域用于验证用户是否可以访问某个资源
OpenID是用于分散身份验证的协议。认证是关于身份的;确定用户实际上就是他所声称的那个人。去中心化意味着该服务不知道需要保护的任何资源或应用程序的存在。这就是OAuth和OpenID之间的关键区别。
其他回答
我相信重新审视这个问题是有意义的,正如评论中所指出的,OpenID Connect的引入可能带来更多的困惑。
OpenID Connect是一种类似于OpenID 1.0/2.0的身份验证协议,但它实际上构建在OAuth 2.0之上,因此您将获得授权功能和身份验证功能。这两者之间的区别在这篇(相对较新的,但很重要的)文章中有很好的详细解释:http://oauth.net/articles/authentication/
如果您的用户只是想登录Facebook或Twitter,请使用OAuth。如果您的用户是运行自己的OpenID提供者的用户,请使用OpenID,因为他们“不希望其他人拥有自己的身份”。
我目前正在研究OAuth 2.0和OpenID连接规范。以下是我的理解: 之前他们是:
OpenID was proprietary implementation of Google allowing third party applications like for newspaper websites you can login using google and comment on an article and so on other usecases. So essentially, no password sharing to newspaper website. Let me put up a definition here, this approach in enterprise approach is called Federation. In Federation, You have a server where you authenticate and authorize (called IDP, Identity Provider) and generally the keeper of User credentials. the client application where you have business is called SP or Service Provider. If we go back to same newspaper website example then newspaper website is SP here and Google is IDP. In enterprise this problem was earlier solved using SAML. that time XML used to rule the software industry. So from webservices to configuration, everything used to go to XML so we have SAML, a complete Federation protocol OAuth: OAuth saw it's emergence as an standard looking at all these kind of proprietary approaches and so we had OAuth 1.o as standard but addressing only authorization. Not many people noticed but it kind of started picking up. Then we had OAuth 2.0 in 2012. CTOs, Architects really started paying attention as world is moving towards Cloud computing and with computing devices moving towards mobile and other such devices. OAuth kind of looked upon as solving major problem where software customers might give IDP Service to one company and have many services from different vendors like salesforce, SAP, etc. So integration here really looks like federation scenario bit one big problem, using SAML is costly so let's explore OAuth 2.o. Ohh, missed one important point that during this time, Google sensed that OAuth actually doesn't address Authentication, how will IDP give user data to SP (which is actually wonderfully addressed in SAML) and with other loose ends like: a. OAuth 2.o doesn't clearly say, how client registration will happen b. it doesn't mention anything about the interaction between SP (Resource Server) and client application (like Analytics Server providing data is Resource Server and application displaying that data is Client)
从技术上讲,这里已经给出了很好的答案,我想到了给出简要的进化观点
OAuth在授权之上构建身份验证:用户将对其身份的访问委托给应用程序,然后应用程序成为身份API的消费者,从而找出是谁首先授权了客户端http://oauth.net/articles/authentication/
很多人仍然访问这个网站,这里有一个非常简单的图表来解释它
礼貌维基百科