我真的在试图理解OpenID和OAuth之间的区别?也许它们是完全不同的两件事?
当前回答
OpenID是由OpenID基金会控制的一个开放标准和分散的身份验证协议。 OAuth是访问授权的开放标准。 OpenID连接(OIDC)结合了OpenID和OAuth的特性,即同时进行身份验证和授权。
OpenID采用由某个“OpenID提供者”即身份提供者(idP)管理的唯一URI的形式。
OAuth可以与XACML结合使用,其中OAuth用于所有权同意和访问委托,而XACML用于定义授权策略。
OIDC使用简单的JSON Web令牌(JWT),您可以使用符合OAuth 2.0规范的流来获得它。OAuth与OIDC直接相关,因为OIDC是建立在OAuth 2.0之上的身份验证层。
例如,如果您选择使用谷歌帐户登录到Auth0,那么您使用的是OIDC。一旦您成功地使用谷歌进行身份验证并授权Auth0访问您的信息,谷歌将向Auth0发送有关用户和所执行的身份验证的信息。该信息以JSON Web令牌(JWT)的形式返回。您将收到一个访问令牌,如果需要,还会收到一个ID令牌。令牌类型:源:OpenID连接
类比: 一个组织使用ID卡作为识别目的,它包含芯片,它存储关于员工的详细信息以及授权,即校园/大门/ODC访问。ID卡作为OIDC,芯片作为OAuth。更多的例子和形式wiki
其他回答
OpenId使用OAuth来处理身份验证。
通过类比,就像。net依赖于Windows API。你可以直接调用Windows API,但是它太宽了,太复杂了,方法参数太大了,你很容易犯错误/bug /安全问题。
OpenId/OAuth也是如此。OpenId依赖于OAuth来管理身份验证,但定义了特定的令牌(Id_token)、数字签名和特定的流。
如果您的用户只是想登录Facebook或Twitter,请使用OAuth。如果您的用户是运行自己的OpenID提供者的用户,请使用OpenID,因为他们“不希望其他人拥有自己的身份”。
我目前正在研究OAuth 2.0和OpenID连接规范。以下是我的理解: 之前他们是:
OpenID was proprietary implementation of Google allowing third party applications like for newspaper websites you can login using google and comment on an article and so on other usecases. So essentially, no password sharing to newspaper website. Let me put up a definition here, this approach in enterprise approach is called Federation. In Federation, You have a server where you authenticate and authorize (called IDP, Identity Provider) and generally the keeper of User credentials. the client application where you have business is called SP or Service Provider. If we go back to same newspaper website example then newspaper website is SP here and Google is IDP. In enterprise this problem was earlier solved using SAML. that time XML used to rule the software industry. So from webservices to configuration, everything used to go to XML so we have SAML, a complete Federation protocol OAuth: OAuth saw it's emergence as an standard looking at all these kind of proprietary approaches and so we had OAuth 1.o as standard but addressing only authorization. Not many people noticed but it kind of started picking up. Then we had OAuth 2.0 in 2012. CTOs, Architects really started paying attention as world is moving towards Cloud computing and with computing devices moving towards mobile and other such devices. OAuth kind of looked upon as solving major problem where software customers might give IDP Service to one company and have many services from different vendors like salesforce, SAP, etc. So integration here really looks like federation scenario bit one big problem, using SAML is costly so let's explore OAuth 2.o. Ohh, missed one important point that during this time, Google sensed that OAuth actually doesn't address Authentication, how will IDP give user data to SP (which is actually wonderfully addressed in SAML) and with other loose ends like: a. OAuth 2.o doesn't clearly say, how client registration will happen b. it doesn't mention anything about the interaction between SP (Resource Server) and client application (like Analytics Server providing data is Resource Server and application displaying that data is Client)
从技术上讲,这里已经给出了很好的答案,我想到了给出简要的进化观点
OpenID是由OpenID基金会控制的一个开放标准和分散的身份验证协议。 OAuth是访问授权的开放标准。 OpenID连接(OIDC)结合了OpenID和OAuth的特性,即同时进行身份验证和授权。
OpenID采用由某个“OpenID提供者”即身份提供者(idP)管理的唯一URI的形式。
OAuth可以与XACML结合使用,其中OAuth用于所有权同意和访问委托,而XACML用于定义授权策略。
OIDC使用简单的JSON Web令牌(JWT),您可以使用符合OAuth 2.0规范的流来获得它。OAuth与OIDC直接相关,因为OIDC是建立在OAuth 2.0之上的身份验证层。
例如,如果您选择使用谷歌帐户登录到Auth0,那么您使用的是OIDC。一旦您成功地使用谷歌进行身份验证并授权Auth0访问您的信息,谷歌将向Auth0发送有关用户和所执行的身份验证的信息。该信息以JSON Web令牌(JWT)的形式返回。您将收到一个访问令牌,如果需要,还会收到一个ID令牌。令牌类型:源:OpenID连接
类比: 一个组织使用ID卡作为识别目的,它包含芯片,它存储关于员工的详细信息以及授权,即校园/大门/ODC访问。ID卡作为OIDC,芯片作为OAuth。更多的例子和形式wiki
OpenID证明你是谁。
OAuth授予对授权方提供的特性的访问权。