Many people say that OpenID is for Authentication and OAuth is for Authorization. <div><br></div><div>This does not seem to be an accurate statement. </div><div><br></div><div>In fact, OpenID does not do the "authentication" in the narrow meaning and </div>
<div>OAuth does not do the "authorization" in the narrow meaning. </div><div><br></div><div>More accurate characterization would be something like: </div><div><br></div><div>OpenID is a Digital Identity Framework that that conveys the authorization decision and identity attributes/data of an authenticated identity from the identity provider (OpenID provider, OP) to a requesting party called relying party (RP). </div>
<div><br></div><div>OAuth is a protocol that allows one to delegate the access authorization to a resource to a third party. (<= need better wording.) </div><div><br></div><div>Any discussion? <br clear="all"><br>-- <br>
Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en">http://twitter.com/_nat_en</a><br>
</div>