Difference Between oAuth and OpenID

Written by Neville Hope, December 27, 2010

Imagine a single card in your nice slim wallet with a single PIN or password that is connected to all of these other cards: credit cards, debit cards, loyalty cards, store cards, club membership cards, etc etc. sitting at home in that fat bulging creaking old wallet. And now imagine that this one card can link up with your friends or work colleagues (if you want it to) and they can keep up to date with what you’re doing wherever you (and they) are.

There isn’t a card for that, but there is something like it online; in fact there are two things: OAuth and OpenID.

OAuth (or Open Authentication to give it its full name) is a secure mode of data portability. With OAuth, any info you have on one website can be pooled with other websites. If you want to fully utilise OAuth, you can allow a website to access your data from another website, without the hassle of multiple logins: you are sent back to the original site, where you log in and authorize a one-time transfer of data. This cuts down on the risk of your login details being stolen, because you never give website A your login details for website B.

But OAuth is not alone out there; there is also the similar but different OpenID, which is the open online identity protocol.

Instead of having to manage a massive list of login credentials for a big group of websites, OpenID gives users a single digital identity to manage their online information. It allows a user to identify themselves via an identity-specific URL and then log on to any website that uses and recognises OpenID with that selfsame URL, rather than trying to remember a user name and password. Each time you need to log on to an OpenID-enabled website you are automatically redirected to your very own OpenID site, meaning less time spent remembering all those different logins and passwords and more time spent doing what you actually want to do.

With OpenID, there is no risk that two web apps will carve up and divide out your information without your permission. Your OpenID provider may hold some general information about you, e.g. some photos, addresses, phone numbers, etc., and, with your consent, send it to the website you are signing up with so you don’t have to re-enter all the boring profile details again.

OAuth and OpenID do have some things in common: they both live in the general domain of security, identity and authorisation; they are both open web standards; they both embrace decentralisation; neither has a central server, and anyone is allowed to set up as a server or a client.

But they do have a different purpose.

In simple terms, OpenID is all about authentication, that is, proving that you are who you say you are, while OAuth is concerned with authorisation, meaning that it allows access to data or functions without the consuming site having to perform the original authentication itself. Services that support OAuth can be linked together without sharing logins or network keys, which then allows those online services to interact.
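To make the two ideas concrete, here is an added example (written for this page; it is not code from the article, from Google or Plaxo, or from any OAuth or OpenID library, and it is an in-process toy rather than the wire format of OAuth 1.0 or OpenID 2.0). It models the OAuth-style flow described earlier, where site A is redirected to site B, the user logs in at site B and approves a one-time, scoped grant, and site A only ever receives a code and a token, never the password. Alongside it sits an OpenID-style identity assertion, which only says who the user is. The names `idp.example`, `site-a`, `alice` and the sample password are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Site B: the site that holds the user's password (constructed toy)."""

    def __init__(self):
        # Constructed sample credential store; a real provider stores password hashes.
        self._users = {"alice": "correct horse battery staple"}
        self._codes = {}    # one-time authorization code -> (user, client_id, scopes)
        self._tokens = {}   # access token -> (user, client_id, scopes)
        self._key = secrets.token_bytes(32)  # provider's private signing key

    def login(self, username, password):
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())

    # --- OpenID-style: prove WHO the user is ------------------------------
    def identity_assertion(self, username, password):
        """After a successful login, return a signed statement of identity."""
        if not self.login(username, password):
            return None
        identity_url = f"https://idp.example/{username}"  # assumed URL form
        sig = hmac.new(self._key, identity_url.encode(), hashlib.sha256).hexdigest()
        return {"identity": identity_url, "sig": sig}

    def verify_assertion(self, assertion):
        """The relying party asks the provider whether an assertion is genuine."""
        expected = hmac.new(self._key, assertion["identity"].encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["sig"])

    # --- OAuth-style: grant a client access to WHAT the user allows -------
    def authorize(self, username, password, client_id, scopes):
        """The user logs in here (not at the client) and approves a scoped grant."""
        if not self.login(username, password):
            return None
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, client_id, frozenset(scopes))
        return code  # handed back to the client via the redirect

    def exchange_code(self, code, client_id):
        """The client trades the one-time code for an access token."""
        grant = self._codes.pop(code, None)  # pop: a replayed code fails
        if grant is None or grant[1] != client_id:
            return None
        token = secrets.token_urlsafe(24)
        self._tokens[token] = grant
        return token

    def resource(self, token, client_id, needed_scope):
        """Protected data, served only to the right client with the right scope."""
        grant = self._tokens.get(token)
        if grant is None or grant[1] != client_id or needed_scope not in grant[2]:
            return None
        user = grant[0]
        return {"owner": user, "data": f"contacts of {user}"}


class ClientSite:
    """Site A: wants alice's contacts from site B but never sees her password."""

    def __init__(self, idp, client_id):
        self.idp = idp
        self.client_id = client_id
        self.received_secrets = []  # everything the client is ever handed

    def redeem(self, code, needed_scope):
        self.received_secrets.append(code)
        token = self.idp.exchange_code(code, self.client_id)
        if token is None:
            return None
        self.received_secrets.append(token)
        return self.idp.resource(token, self.client_id, needed_scope)


def demo():
    """Run both flows and report the outcomes of the checks that matter."""
    idp = IdentityProvider()
    site_a = ClientSite(idp, "site-a")
    password = "correct horse battery staple"

    # OAuth-style: alice is redirected to the provider, logs in THERE, approves
    # "contacts:read" for site-a, and the provider gives site-a only a code.
    code = idp.authorize("alice", password, "site-a", ["contacts:read"])
    contacts = site_a.redeem(code, "contacts:read")
    replayed = site_a.redeem(code, "contacts:read")  # the one-time code, reused
    second_code = idp.authorize("alice", password, "site-a", ["contacts:read"])
    out_of_scope = site_a.redeem(second_code, "contacts:write")  # not granted

    # OpenID-style: the provider asserts identity; the relying party verifies it.
    assertion = idp.identity_assertion("alice", password)
    forged = dict(assertion, identity="https://idp.example/bob")

    return {
        "contacts": contacts,
        "client_saw_password": password in site_a.received_secrets,
        "replayed_code": replayed,
        "out_of_scope": out_of_scope,
        "identity_ok": idp.verify_assertion(assertion),
        "forged_identity_ok": idp.verify_assertion(forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from running it is the asymmetry: the identity assertion answers "who is this?" and carries no access rights, while the access token answers "what may site A do?" and is bound to one client and one set of scopes, so a reused code or an unapproved scope is refused even though the user authenticated correctly.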

Recently, Google and Plaxo made public a hybrid protocol which merges OpenID with OAuth. At present this is just a prototype running between Plaxo and Google, where a Plaxo member can invite somebody in via Gmail. In theory, this system will be more convenient and secure (as it doesn’t require the user to enter their password before scraping the data), and better for the site by bringing a far superior conversion rate on signup flows.

Maybe it will.

Happy surfing.
