tags:

views:

1828

answers:

6
+8  Q: 

OAuth? ,OpenID? Neither? Which one should my site support?

I working on a new website and wanted some advice/feedback on OAuth vs OpenID vs Standard site owned username/password.

+1  A: 

My impression of OAuth is that it's more for allowing secure, authenticated access to an API rather than for general user access.

Personally, I'd love to see more sites support OpenID.

Mark Biek  2009-04-29 14:55:35
+11  A: 

You may want to read this article by Malcom Tredinnick which explains what openid and oauth are, and do. They serve different purposes.

In summary, openid would be used to uniquely identify users - it's an identity solution. oAuth would provide a means to interact with data that your site's users have access to by allowing the user to grant your site temporary access to external services, their flickr account, for example - it's an authorization tool.

Offering only the standard site-specific account is always an option, of course but IMHO, supporting openid is better for your users and for the web. Many sites that implement openid allow users to use an openid if they have one, but also allow users to sign in and create accounts without openid as well. So, it's not necessarily an either/or proposition. You can do both!

vezult  2009-04-29 14:56:53
the article link is not working, is there any alternatives?
Pr0fess0rX  2010-10-12 08:21:39
+2  A: 

Keep in mind that even if your site doesn't need to access your users' private data on other sites, OAuth may still apply if you site has data that users may want to access either through an API or from another web site. With OAuth, either end or both might apply to your site.

Andrew Arnott  2009-05-01 02:10:55
A: 

You can combine all of them and get the best out of it, but it depends on your design choices.

For example if you are using Java, you can configure Acegi(Spring Security) to allow openID along with your normal authentication mechanism.

openID has OAuth extensions

OAuth has openID extensions

It's up to you...

tranced_UT3  2009-05-05 13:37:47
A: 

JanRain lets you accept just about everything. Given that the big players will always want to be providers but not consumers, this may be the only realistic "universal" option.

JeffP  2009-06-05 13:27:46
A: 

Here is the brilliantly clear explanation. Coming directly from the OAuth documentation.

Varun  2010-01-06 14:39:46

related questions

how to get login credentials by openId?
OpenID Migration
PHP Tutorial for OpenId and OAuth
OpenID login workflow?
OpenID support for Ruby on Rails application
Using OpenID for both .NET/Windows and PHP/Linux/Apache web sites
What is the benefit of using ONLY OpenID authentication on a site?
Problems with migrating Cardspace cards between computers
secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID
How do I enable open id on a Java Webapp?
What would it take to make OpenID mainstream?
What's the best .NET library for OpenID and ASP.NET MVC?
Useful browser plugins for openid authentication?
How do I implement an OpenID server in Rails?
How do I implement OpenID in my web application?
Why is HTML form redirection used in OpenID 2?
How do you set up an OpenID provider (server) in Ubuntu?
OpenID as a Single Sign On option??
Should my website abandon username/password authentication in favor of OpenID?
OpenID authentication in ASP.NET?
Open ID - What happens when you decide you don't like your existing provider?
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
How do I use more than one OpenID?