views:

1828

answers:

6

I working on a new website and wanted some advice/feedback on OAuth vs OpenID vs Standard site owned username/password.

+1  A: 

My impression of OAuth is that it's more for allowing secure, authenticated access to an API rather than for general user access.

Personally, I'd love to see more sites support OpenID.

Mark Biek
+11  A: 

You may want to read this article by Malcom Tredinnick which explains what openid and oauth are, and do. They serve different purposes.

In summary, openid would be used to uniquely identify users - it's an identity solution. oAuth would provide a means to interact with data that your site's users have access to by allowing the user to grant your site temporary access to external services, their flickr account, for example - it's an authorization tool.

Offering only the standard site-specific account is always an option, of course but IMHO, supporting openid is better for your users and for the web. Many sites that implement openid allow users to use an openid if they have one, but also allow users to sign in and create accounts without openid as well. So, it's not necessarily an either/or proposition. You can do both!

vezult
the article link is not working, is there any alternatives?
Pr0fess0rX
+2  A: 

Keep in mind that even if your site doesn't need to access your users' private data on other sites, OAuth may still apply if you site has data that users may want to access either through an API or from another web site. With OAuth, either end or both might apply to your site.

Andrew Arnott
A: 

You can combine all of them and get the best out of it, but it depends on your design choices.

For example if you are using Java, you can configure Acegi(Spring Security) to allow openID along with your normal authentication mechanism.

openID has OAuth extensions

OAuth has openID extensions

It's up to you...

tranced_UT3
A: 

JanRain lets you accept just about everything. Given that the big players will always want to be providers but not consumers, this may be the only realistic "universal" option.

JeffP
A: 

Here is the brilliantly clear explanation. Coming directly from the OAuth documentation.

Varun