OAuth and Its Impact on OpenID

Written by Scott NesbittMarch 4, 2011

The password has truly become the bane of most Internet users. It's been that way since ... well, since Web sites required you to log into them with a user name and password. Just think of how many passwords you have. It's probably more than a couple. Keeping track of them can be an almost impossible chore.

That's where a technology called OpenID was supposed to shine. OpenID enables you to log into multiple Web sites and services with a single, secure set of credentials. 

But today's socially-enabled Web adds a new wrinkle to all of this: how to share data between two Web-based services. Say, for example, you want you want to back up all those tweets you've posted over the years. You can't do that from within Twitter, but you can use a third-party application like Tweetake. The problem is that you can't use OpenID to log into both services and have them exchange data. 

That's where OAuth comes in. It's a technology that enables Web sites and services to securely share data, not just allowing users to securely log in. 

It's not a stretch to say that OAuth goes beyond what OpenID was designed to do. But what impact does OAuth have on OpenID? Let's find out ... 

OAuth: The OpenID Killer?

When OAuth was first announced, there were people who thought that it would put some nails in the coffin of OpenID. While it was a good idea, OpenID really didn't catch on the way it was expected to or should have. 

The response to OpenID was decidedly lukewarm. Sure, AOL had over 60 million OpenID users at one point. But many service providers found that their users weren't taking advantage of OpenID. Web apps developer 37Signals, for example, found that less than 1% of its user base took advantage of OpenID support in the company's products. And as of May 1, 2011, the company is phasing out its OpenID support. And popular services like Twitter, Facebook, Netflix, Evernote, and Meetup.com have embraced OAuth.

That said, OpenID isn't useless. Nor is it dead. Sure, OAuth has stolen quite a bit of OpenID's thunder. But the two technologies, while similar, can actually complement each other.

The best of both worlds

On one side, we have OpenID which is intended to enable secure logins within a Web browser. On the other side, we have OAuth which enables sites to securely exchange data. But can both technologies co-exist? They can, they definitely complement each other. In fact, in some ways OAuth has given OpenID a new lease on life.

How? By skillfully mashing the two together into a technology called federated login (also called federated identity). Federated login takes advantage of OpenID to provide user authentication and OAuth to authorize one site to pull in data from another.

Google is one of the Web service providers that has been offering federated login for several years now. And it's not just between Google's own suite of Web applications but with a number of third-party applications. Take, for example, PamFax (an online fax service). You can log into PamFax using your Google user name and password. That's the OpenID part, but where does OAuth come in? You can use PamFax to fax documents from your Google Docs account.

By combining an OpenID's authorization features with OAuth's authentication features, you get the best of both worlds. It's a mix that's well suited to an online world in which users are demanding more and more integration between Web services. And without OAuth, this would be a lot more difficult. OpenID definitely couldn't shoulder that weight alone.

Summing up

Far from replacing OpenID, OAuth has helped to give it something of a new lease on life. Today's Web, with its demand for interoperability and an easy way to share data brought, what was a seemingly waning user technology together with a new standard for data exchange. And that merger expanded the possibilities of the socially-enabled Web. 


Social login powered by Gigya