我真的在试图理解OpenID和OAuth之间的区别?也许它们是完全不同的两件事?
当前回答
OpenID和OAuth都是用于身份验证和/或授权的基于http的协议。两者都旨在允许用户执行操作,而无需向客户端或第三方提供身份验证凭据或全面权限。虽然它们是相似的,并且有建议将它们一起使用的标准,但它们是单独的协议。
OpenID用于联合身份验证。客户机接受来自任何提供者的身份断言(尽管客户机可以自由地将提供者列入白名单或黑名单)。
OAuth用于委托授权。客户端向提供者注册,提供者提供授权令牌,客户端接受这些授权令牌以代表用户执行操作。
OAuth目前更适合于授权,因为身份验证后的进一步交互被内置到协议中,但这两个协议都在不断发展。OpenID及其扩展可用于授权,OAuth可用于身份验证,可以将其视为无操作授权。
其他回答
OpenID和OAuth都是用于身份验证和/或授权的基于http的协议。两者都旨在允许用户执行操作,而无需向客户端或第三方提供身份验证凭据或全面权限。虽然它们是相似的,并且有建议将它们一起使用的标准,但它们是单独的协议。
OpenID用于联合身份验证。客户机接受来自任何提供者的身份断言(尽管客户机可以自由地将提供者列入白名单或黑名单)。
OAuth用于委托授权。客户端向提供者注册,提供者提供授权令牌,客户端接受这些授权令牌以代表用户执行操作。
OAuth目前更适合于授权,因为身份验证后的进一步交互被内置到协议中,但这两个协议都在不断发展。OpenID及其扩展可用于授权,OAuth可用于身份验证,可以将其视为无操作授权。
我目前正在研究OAuth 2.0和OpenID连接规范。以下是我的理解: 之前他们是:
OpenID was proprietary implementation of Google allowing third party applications like for newspaper websites you can login using google and comment on an article and so on other usecases. So essentially, no password sharing to newspaper website. Let me put up a definition here, this approach in enterprise approach is called Federation. In Federation, You have a server where you authenticate and authorize (called IDP, Identity Provider) and generally the keeper of User credentials. the client application where you have business is called SP or Service Provider. If we go back to same newspaper website example then newspaper website is SP here and Google is IDP. In enterprise this problem was earlier solved using SAML. that time XML used to rule the software industry. So from webservices to configuration, everything used to go to XML so we have SAML, a complete Federation protocol OAuth: OAuth saw it's emergence as an standard looking at all these kind of proprietary approaches and so we had OAuth 1.o as standard but addressing only authorization. Not many people noticed but it kind of started picking up. Then we had OAuth 2.0 in 2012. CTOs, Architects really started paying attention as world is moving towards Cloud computing and with computing devices moving towards mobile and other such devices. OAuth kind of looked upon as solving major problem where software customers might give IDP Service to one company and have many services from different vendors like salesforce, SAP, etc. So integration here really looks like federation scenario bit one big problem, using SAML is costly so let's explore OAuth 2.o. Ohh, missed one important point that during this time, Google sensed that OAuth actually doesn't address Authentication, how will IDP give user data to SP (which is actually wonderfully addressed in SAML) and with other loose ends like: a. OAuth 2.o doesn't clearly say, how client registration will happen b. it doesn't mention anything about the interaction between SP (Resource Server) and client application (like Analytics Server providing data is Resource Server and application displaying that data is Client)
从技术上讲,这里已经给出了很好的答案,我想到了给出简要的进化观点
如果您的用户只是想登录Facebook或Twitter,请使用OAuth。如果您的用户是运行自己的OpenID提供者的用户,请使用OpenID,因为他们“不希望其他人拥有自己的身份”。
OpenID(主要)用于识别/身份验证,这样stackoverflow.com就知道我拥有chris.boyle.name(或任何位置),因此我可能就是昨天拥有chris.boyle.name并获得一些声誉点的同一个人。
OAuth是为授权代表您执行操作而设计的,因此stackoverflow.com(或任何地方)可以请求许可,例如,自动代表您发送Tweet,而不需要知道您的Twitter密码。
OpenId -仅用于身份验证。
OAuth—用于身份验证和授权。授权依赖于access_token,它是JWT令牌的一部分。它可以包含用户权限的详细信息或任何有用的信息。
两者都可以依赖第三方认证提供商来维护他们的帐户。例如,OKTA身份提供者,User在OKTA登录页面上提供凭据,在成功登录时,用户被重定向到消费者应用程序,头部有JWT令牌。
