Facebook, OpenID, OAuth and the Future of Authorization

Written by Anonymous, March 4, 2011

With Facebook joining the OpenID Foundation, and more and more websites integrating their services with third-party websites via OAuth and OpenID, it's quite obvious that the future of the web relies on these authorization technologies to provide a fluid end-user experience. However, to understand exactly how this will impact end users, site owners, and content creators, we first have to explore what these technologies do.

What is OpenID?

OpenID is essentially a protocol adopted by websites that allows them to authenticate users via third-party services. Much like Facebook’s proprietary Facebook Connect authentication technology, OpenID allows you to use one username and password to sign up for and sign in to any OpenID-enabled website.

Many users do not realize that they are most likely already using this authentication technology on a daily basis. If you have an account with services such as Google, Yahoo, Blogger, Flickr, AOL, or WordPress, you already have an OpenID. The username and password associated with any one of these services will act as your ID when registering for or signing in to any OpenID-enabled website.

How does OpenID differ from OAuth?

While OpenID is based on authentication, the OAuth (Open Authorization) standard is based on authorization. For end users, this allows you to grant a website permission to access content stored on a third-party service or site without providing that website with your username or password. For example, when granting a website permission to access your Gmail or Yahoo contacts or account information, you are using the OAuth standard to approve the authorization.

Facebook Connect vs. OpenID

Asking the question, “Can Facebook Connect and OpenID co-exist?” is like asking the question, “Can proprietary and open source software co-exist?” Avid Facebook users will most likely be more inclined to use Facebook Connect, while those who use Google services more often will probably be more inclined to use OpenID with their Google account username and password. Of course, the adoption of these different protocols by websites will largely sway which methods of authorization and authentication rule the web. With these technologies and standards still quite new to the online world, the real question is: what’s the future of authorization online?

The Future of Authorization Online

The obvious future of authorization online is the merging of OpenID and OAuth-like protocols, which is basically what Facebook Connect already does. Google has already done this in what they call the “Hybrid Protocol” OpenID endpoint. This allows websites to request authorization and authentication in a single process and greatly reduces browser redirects and latency.
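The combined request described above can be sketched as follows. This is an added example, not code from the original article or from Google: it builds a single OpenID 2.0 redirect carrying the OAuth extension fields, then accepts the returned request token only when the provider's signature covers it. The endpoint, realm, consumer key and scope values a caller passes in are assumptions chosen by that caller.

```python
from urllib.parse import parse_qsl, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
OAUTH_EXT_NS = "http://specs.openid.net/extensions/oauth/1.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"


def build_hybrid_request(op_endpoint, realm, return_to, consumer_key, scopes):
    """Build one redirect URL asking for authentication and an OAuth token."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": realm,
        "openid.return_to": return_to,
        # OAuth extension fields ride along with the authentication request.
        "openid.ns.oauth": OAUTH_EXT_NS,
        "openid.oauth.consumer": consumer_key,
        "openid.oauth.scope": " ".join(scopes),
    }
    return op_endpoint + "?" + urlencode(params)


def extract_request_token(response_query, requested_scopes):
    """Return the approved request token, or None if it cannot be trusted.

    Assumption: the OpenID signature was already verified by the relying
    party's OpenID library; this only checks what that signature covers.
    """
    fields = dict(parse_qsl(response_query))
    if fields.get("openid.mode") != "id_res":
        return None
    # The provider may pick its own alias for the OAuth extension namespace.
    alias = next((k[len("openid.ns."):] for k, v in fields.items()
                  if k.startswith("openid.ns.") and v == OAUTH_EXT_NS), None)
    if alias is None:
        return None
    signed = set(fields.get("openid.signed", "").split(","))
    ext_keys = {k[len("openid."):] for k in fields
                if k.startswith(f"openid.{alias}.")} | {f"ns.{alias}"}
    if not ext_keys <= signed:
        return None  # unsigned extension data could have been injected
    granted = set(fields.get(f"openid.{alias}.scope", "").split())
    if not granted <= set(requested_scopes):
        return None  # provider returned a scope that was never requested
    return fields.get(f"openid.{alias}.request_token")
```

The request token returned here still has to be exchanged for an access token in a separate OAuth call; the saving is that the user sees one approval page instead of two.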

Many envision the future of authorization and authentication as one focused more on the integration of web services and apps than on a protocol that simply makes it easier to register for and use websites. Facebook has already partnered with sites such as Pandora and Microsoft Docs, allowing users to access the sites without any login or authorization process. As long as users are logged into their Facebook account, these services are automatically accessible, essentially making the Pandora and Microsoft Docs websites extensions or web apps for Facebook users. If this is any indication of the future of authorization and authentication, it will be one where the use of OpenID and OAuth protocols is much less apparent to the end user.
