OpenID versus oAuth 2

Alex Barth alex at developmentseed.org
Mon May 17 13:27:09 UTC 2010


Small aside: I've implemented a similar workflow myself recently and  
I've avoided any changes of user account details on Relying Parties:

http://developmentseed.org/blog/2010/mar/02/simple-sign-openid

All changes to account properties (user name, email, etc.) are done on
the provider to avoid asynchronicities.

Alex

On May 17, 2010, at 12:03 AM, Manuel Lemos wrote:

> Hello,
>
> With this thread of using oAuth 2 for identity I am confused as to which
> protocol I should use for a single sign-on solution that I need to
> implement.
>
> Let me explain my case and see if anybody can clarify what is the best
> solution for me.
>
> I have one site, let's call it site A, that has many user accounts. I
> want to build another site, let's call it site B, but I do not want users
> with accounts in site A to create new accounts to access site B. They
> could just use the same account data from site A and use it in site B.
> In the future I may have sites C, D, etc..
>
> I thought of creating an OpenID authentication server, let's call it OP,
> and migrate user accounts from site A to OP. When users go to site A or B
> and need to log in, they are redirected via OpenID to OP for
> authentication.
>
> If successful, OP passes site A or B the account, personal name, nick
> name and e-mail when redirecting back to sites A or B, so those sites
> always have copies of that account information for immediate use.
>
> If the user updates one of those details in site A or B, they push the
> changes to OP and OP propagates the changes to the other site A or B
> that also has the same user account.
>
> From the specifications that I read, OpenID and its extensions can be
> used the way I need.
>
> This will all be used only within my network sites. I do not intend to
> allow users to authenticate with external OpenID providers, nor do I want
> other sites to use my OpenID provider to authenticate in other sites.
>
> Since this is meant for use restricted to my sites, I could invent a
> proprietary protocol, but I thought it was better to not reinvent the
> wheel.
>
> I will develop all the necessary components to implement the OpenID
> provider and consumers with the needed extensions. Actually the consumer
> component is mostly done.
>
> I was moving to the OpenID provider component when I noticed this thread
> of using oAuth 2 for identity. So now I wonder if I am on the right
> path? Shall I keep doing it with OpenID or shall I do it with oAuth 2?
> Can anybody please shed some light so I can make the best decision?
>
> -- 
>
> Regards,
> Manuel Lemos
>
> Find and post PHP jobs
> http://www.phpclasses.org/jobs/
>
> PHP Classes - Free ready to use OOP components written in PHP
> http://www.phpclasses.org/

Alex Barth
http://www.developmentseed.org/blog
tel (202) 250-3633





