What's the difference between OpenID and OAuth?

渐次进展 2020-11-22 16:56

I'm really trying to understand the difference between OpenID and OAuth? Maybe they're two totally separate things?

21 answers
  •  甜味超标
    2020-11-22 17:30

    OAuth 2.0 is a Security protocol. It is NEITHER an Authentication NOR an Authorization protocol.

    Authentication, by definition, answers two questions.

    1. Who is the user?
    2. Is the user currently present on the system?

    OAuth 2.0 has the following grant types

    • client_credentials: When one app needs to interact with another app and modify the data of multiple users.
    • authorization_code: User delegates the Authorization server to issue an access_token that the client can use to access a protected resource
    • refresh_token: When the access_token expires, the refresh token can be leveraged to get a fresh access_token
    • password: User provides their login credentials to a client that calls the Authorization server and receives an access_token

    All 4 have one thing in common: an access_token, an artifact that can be used to access a protected resource.

    The access_token does not provide the answer to the 2 questions that an "Authentication" protocol must answer.

    An example to explain OAuth 2.0 (credits: OAuth 2 in Action, Manning publications)

    Let's talk about chocolate. We can make many confections out of chocolate, including fudge, ice cream, and cake. But none of these can be equated to chocolate, because multiple other ingredients such as cream and bread are needed to make the confection, even though chocolate sounds like the main ingredient. Similarly, OAuth 2.0 is the chocolate, and cookies, TLS infrastructure, and Identity Providers are other ingredients that are required to provide the "Authentication" functionality.

    If you want Authentication, you may go for OpenID Connect, which provides an "id_token", apart from an access_token, that answers the questions that every authentication protocol must answer.
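As an added illustration of this answer's point (example code, not from the original thread), the block below mints a constructed OpenID Connect id_token, validates it the way a relying party must (signature, iss, aud, exp, nonce) and extracts the two authentication answers it carries, while an opaque OAuth 2.0 access_token yields neither. The HS256 shared secret, issuer, client id and claim values are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example only; real providers usually
# sign id_tokens with RS256 and publish the public key via JWKS.
SECRET = b"example-client-secret-not-real"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a minimal HS256-signed JWT carrying OIDC id_token claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, issuer: str, client_id: str, nonce: str,
                    now: int, secret: bytes = SECRET) -> dict:
    """Run the OIDC Core 3.1.3.7 id_token checks, then return the two answers
    an authentication protocol owes: who (sub) and when present (auth_time)."""
    h64, b64, s64 = token.split(".")
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust 'none'
    expected = hmac.new(secret, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    c = json.loads(_b64url_decode(b64))
    if c.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if c.get("aud") != client_id:
        raise ValueError("issued to a different client")
    if c.get("exp", 0) <= now:
        raise ValueError("expired")
    if c.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    return {"who": c["sub"], "present_at": c["auth_time"]}

def inspect_access_token(token: str) -> dict:
    """An OAuth 2.0 access_token is opaque to the client: it names no user and
    proves no login event, so neither question can be answered from it."""
    return {"who": None, "present_at": None, "opaque": token}
```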
