OpenID lets a user sign in to many applications and sites with a single login.
- The user has an account at an OpenID provider (OP).
- When the user logs in at a site that uses OpenID, that site is the relying party (RP): it verifies the user's identity with the OpenID provider instead of holding a password itself.

- The relying party and the OpenID provider share a secret (an "association"), established with a Diffie-Hellman key exchange; the provider uses it to sign its responses.
- The OpenID provider checks that the realm and the return_to URL match, i.e. that the relying party is sending the user back to a URL inside the realm it claims.
- The relying party checks the signed response: the return_to URL is its own, the OpenID identifier is the one it started with, the nonce has never been used before, the required fields are covered by the signature, and the signature is valid under the shared secret.
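The relying-party checks in the list above, written out as an added example (this is not code from the original notes or from any OpenID library). It assumes an OpenID 2.0 association of type HMAC-SHA256; the MAC key that the Diffie-Hellman association would normally produce is replaced by a random key, and the endpoint, identifier and return_to URLs are constructed for the example. Field names are shown without the "openid." prefix, as they appear in the openid.signed list.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Fields an OP must cover with its signature in a positive assertion
# (OpenID Authentication 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}
NONCE_WINDOW_SECONDS = 300  # assumption: how far a response_nonce timestamp may drift

# Constructed values for the example (not real endpoints).
RP_RETURN_TO = "https://rp.example/openid/return"
CLAIMED_ID = "https://alice.op.example/"
OP_ENDPOINT = "https://op.example/server"


def kv_form(fields, signed_keys):
    """Key-Value Form encoding of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed_keys)


def op_sign(mac_key, fields):
    """OP side: sign a positive assertion with the association's MAC key (HMAC-SHA256)."""
    signed_keys = ["op_endpoint", "claimed_id", "identity", "return_to",
                   "response_nonce", "assoc_handle"]
    out = dict(fields, mode="id_res", signed=",".join(signed_keys))
    mac = hmac.new(mac_key, kv_form(out, signed_keys).encode(), hashlib.sha256).digest()
    out["sig"] = base64.b64encode(mac).decode()
    return out


def rp_verify(fields, expected_return_to, expected_claimed_id, mac_key, seen_nonces, now):
    """RP side: the checks from the notes. Returns None if the assertion is
    accepted, otherwise the name of the check that failed."""
    if fields.get("mode") != "id_res":
        return "mode"
    # return_to must be the URL this RP actually received the response on
    if fields.get("return_to") != expected_return_to:
        return "return_to"
    # the asserted identifier must be the one the RP started discovery with
    if fields.get("claimed_id") != expected_claimed_id:
        return "claimed_id"
    nonce = fields.get("response_nonce", "")
    try:  # nonce = UTC timestamp (20 chars) followed by unique characters
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return "nonce_format"
    if abs((now - ts).total_seconds()) > NONCE_WINDOW_SECONDS:
        return "nonce_stale"
    if nonce in seen_nonces:
        return "nonce_replayed"
    signed_keys = fields.get("signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed_keys) or any(k not in fields for k in signed_keys):
        return "signed_fields"
    try:
        sig = base64.b64decode(fields.get("sig", ""), validate=True)
    except ValueError:
        return "signature"
    expected = hmac.new(mac_key, kv_form(fields, signed_keys).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "signature"
    seen_nonces.add(nonce)  # remember the nonce only after every other check passed
    return None


def make_assertion(mac_key, now, return_to=RP_RETURN_TO):
    """Build the OP's positive assertion for the constructed identity."""
    nonce = now.strftime("%Y-%m-%dT%H:%M:%SZ") + os.urandom(4).hex()
    return op_sign(mac_key, {
        "ns": "http://specs.openid.net/auth/2.0",
        "op_endpoint": OP_ENDPOINT,
        "claimed_id": CLAIMED_ID,
        "identity": CLAIMED_ID,
        "return_to": return_to,
        "response_nonce": nonce,
        "assoc_handle": "assoc-1",
    })


def openid_demo():
    """Run the RP checks against a good response and several bad ones."""
    mac_key = os.urandom(32)  # stands in for the MAC key agreed via the DH association
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    seen = set()
    good = make_assertion(mac_key, now)
    tampered = dict(good, return_to="https://evil.example/cb")  # altered after signing
    return {
        "valid": rp_verify(good, RP_RETURN_TO, CLAIMED_ID, mac_key, seen, now),
        "replay": rp_verify(good, RP_RETURN_TO, CLAIMED_ID, mac_key, seen, now),
        "tampered_return_to": rp_verify(tampered, "https://evil.example/cb", CLAIMED_ID, mac_key, set(), now),
        "stale": rp_verify(make_assertion(mac_key, now), RP_RETURN_TO, CLAIMED_ID, mac_key, set(), now + timedelta(hours=1)),
        "wrong_key": rp_verify(good, RP_RETURN_TO, CLAIMED_ID, os.urandom(32), set(), now),
    }


if __name__ == "__main__":
    print(openid_demo())
```

The order matters in one place only: the nonce is recorded as "seen" after the signature check, so a forged response cannot burn a nonce that a legitimate response is about to use. Without an association (stateless mode) the RP would send the response to the OP's check_authentication endpoint instead of verifying the signature itself; the other checks stay the same.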
OAuth, on the other hand, lets an application access a resource at the user's service provider on the user's behalf.
- The user owns a resource at the service provider and grants a consumer (an application, a site, etc.) access to that resource without handing over the password.

- The consumer registers with the service provider and is identified by a consumer key/secret and a callback URL.
- Every subsequent request must be signed with the secret and carry a nonce and a timestamp, so the service provider can verify the signature and reject replayed or stale requests.
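The request signing from the last two points, as an added example that is not part of the original notes or of any OAuth library. It implements the OAuth 1.0 HMAC-SHA1 method (signature base string, secret "consumer_secret&token_secret" key, nonce plus timestamp), with both the consumer that signs and the service provider that verifies. The consumer key, token, secrets and request URL are constructed for the example; it assumes all query, body and oauth_* parameters arrive in one dict with no repeated keys.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

TIMESTAMP_WINDOW = 300  # assumption: seconds of clock skew the provider tolerates

# Constructed registrations: consumer key -> consumer secret, token -> token secret.
CONSUMERS = {"app-key": "app-secret"}
TOKENS = {"tok": "tok-secret"}


def pct(s):
    """Percent-encoding as OAuth 1.0 requires: only -._~ and alphanumerics are left bare."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded(sorted, encoded k=v pairs joined by &).
    oauth_signature itself is never part of the signed data."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def consumer_sign_request(method, url, query, consumer_key, consumer_secret,
                          token, token_secret, timestamp, nonce=None):
    """Consumer side: add the oauth_* parameters, then the signature over everything."""
    params = dict(query)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),  # fresh per request
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = hmac_sha1_signature(method, url, params,
                                                    consumer_secret, token_secret)
    return params


def server_verify_request(method, url, params, consumers, tokens, seen_nonces, now):
    """Service-provider side. Returns None if accepted, else the failing check."""
    consumer_secret = consumers.get(params.get("oauth_consumer_key"))
    token_secret = tokens.get(params.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return "unknown_consumer_or_token"
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return "signature_method"
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return "timestamp"
    if abs(now - ts) > TIMESTAMP_WINDOW:
        return "timestamp"
    # a nonce must be unique per consumer key and timestamp: this is the replay check
    replay_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce", ""))
    if replay_key in seen_nonces:
        return "nonce_replayed"
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return "signature"
    seen_nonces.add(replay_key)  # record only after the signature is known good
    return None


def oauth_demo():
    """Sign one constructed request and verify it, a replay, a tampered copy and a stale one."""
    url = "http://photos.example.net/photos"
    query = {"file": "vacation.jpg", "size": "original"}
    now = 1191242096
    req = consumer_sign_request("GET", url, query, "app-key", "app-secret",
                                "tok", "tok-secret", now)
    seen = set()
    tampered = dict(req, size="large")  # resource parameter altered in transit
    return {
        "valid": server_verify_request("GET", url, req, CONSUMERS, TOKENS, seen, now),
        "replay": server_verify_request("GET", url, req, CONSUMERS, TOKENS, seen, now),
        "tampered": server_verify_request("GET", url, tampered, CONSUMERS, TOKENS, set(), now),
        "stale": server_verify_request("GET", url, req, CONSUMERS, TOKENS, set(), now + 3600),
        "wrong_secret": server_verify_request("GET", url, req, {"app-key": "other"}, TOKENS, set(), now),
    }


if __name__ == "__main__":
    print(oauth_demo())
```

The timestamp window bounds how long the provider has to remember nonces: anything older than the window is rejected outright, so the seen-nonce set only needs entries from the last few minutes. Note that the signature covers the query parameters as well as the oauth_* ones, which is why the tampered "size" parameter fails verification even though nothing in the oauth_* set changed.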
References:
http://www.slideshare.net/rmetzler/identity-on-the-web-openid-vs-oauth
http://www.openaselect.org/trac/openaselect/wiki/OpenID
http://fireeagle.yahoo.net/developer/documentation/web_auth