Earlier I was confused about OpenID and OpenID Connect: I thought they were the same thing, and I suspect some of you think so too. But they are different concepts.

OpenID and OpenID Connect are both used for authentication (proving who the user is), whereas OAuth is used for authorization (letting an application act on the user's behalf with limited access). All three redirect the user to a provider he already has an account with, but the two activities are different: a successful OAuth grant tells the application what it may do, not who the user is.

What is OpenID?

We all have many accounts, and maintaining a separate password for each one is hard. OpenID addresses this: with OpenID you need only a single username and password. You create one account with an identifier and a password at an identity provider, and that provider then confirms your identity to the websites you visit. Apart from your provider, no website ever sees your password.

OpenID was introduced in 2005. Several large organizations either issued or accepted OpenIDs, including Google, Facebook, Yahoo!, Microsoft, AOL, MySpace, Sears, Universal Music Group, France Telecom, Novell, Sun, Telecom Italia, and many more. At the time, OpenID solved problems that existing identity servers could not: it allowed single sign-on across unrelated websites without any of them holding the user's password.

Today, however, OpenID (the original OpenID 1.x/2.0 protocol) is obsolete, and OAuth and OpenID Connect have become popular.

How does OpenID work?

The user owns an account at an OpenID provider and needs to prove his identity to the relying party (the website he wants to log in to).

An OpenID is an identifier, normally a URL (OpenID 2.0 also allows XRIs). The relying party uses that identifier to discover which provider vouches for the user.

  1. To get an OpenID, the end user registers with an OpenID provider. To prove his identity to a relying party, the user enters his OpenID when the relying party asks for it. Any website can accept OpenIDs for signing in.
  • Example of an OpenID: http://piraveena.openid.com

You can sign in with this OpenID on any website that accepts OpenID.

  • Authentication works because each user is identified by a unique OpenID, and the relying party discovers the user's provider from that identifier.
  • So OpenID is decentralized: no single party owns it. A user creates an account at any OpenID provider and enters only his OpenID identifier on each website he logs in to; his password goes to the provider alone.

See the picture below. Stack Overflow asks the user to enter his OpenID.

Sign in using OpenID (image source: slideshare)

2. After the user enters the OpenID at the relying party, the relying party discovers the user's provider from it and redirects the user to the OpenID provider.

3. Then the user authenticates himself to the OpenID provider (only the provider ever sees the password).

4. After validating the user, the OpenID provider redirects the user back to the relying party with a signed assertion that the user owns that OpenID.

5. Then the relying party verifies the assertion and allows the user to access his website.

  • The relying party and the OpenID provider can share a secret (an "association") that the provider uses to sign its assertion and the relying party uses to verify it. In OpenID 2.0 that secret is exchanged with a Diffie-Hellman key exchange (or sent unencrypted over TLS).
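The five steps above, as an added example written for this article rather than code from any OpenID library: one Python script plays both the relying party and the provider, using only the standard library. The provider endpoint, return URL, the user's OpenID URL and the association are all constructed values; the association key is simply generated and handed to both sides instead of being negotiated with Diffie-Hellman (assumption, for brevity). The interesting part is rp_verify, which shows the checks the relying party must make on the redirect it receives: that the assertion is signed with the association key, that it names this relying party and the expected provider, that the attacker could not shrink the set of signed fields, and that the same assertion cannot be replayed.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example: no real provider or user is involved.
OP_ENDPOINT = "https://provider.example/openid/server"   # found by discovery on the user's OpenID URL
RP_RETURN_TO = "https://example.com/openid/return"
CLAIMED_ID = "http://piraveena.provider.example/"        # the user's OpenID, a URL she controls

def establish_association(rp_store: dict):
    """RP and OP agree on a shared MAC key and a handle naming it. OpenID 2.0 does this in a
    direct request, optionally protecting the key with Diffie-Hellman; here (assumption) the
    key is just generated and handed to both sides."""
    handle, mac_key = secrets.token_hex(8), secrets.token_bytes(32)
    rp_store[handle] = mac_key
    return handle, mac_key

def build_checkid_setup(assoc_handle: str, claimed_id: str) -> str:
    """Step 2: the RP redirects the browser to the OP."""
    return OP_ENDPOINT + "?" + urlencode({
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.assoc_handle": assoc_handle, "openid.return_to": RP_RETURN_TO,
        "openid.realm": "https://example.com/"})

def sign(fields: dict, signed: list, mac_key: bytes) -> str:
    """OpenID 2.0 signature: HMAC over the key-value form of the signed fields, in order."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def query_of(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def op_respond(redirect_url: str, mac_key: bytes, user_authenticated: bool) -> str:
    """Steps 3-4: the user logs in at the OP, which redirects back with a signed assertion."""
    q = query_of(redirect_url)
    if not user_authenticated:
        return q["openid.return_to"] + "?" + urlencode({"openid.ns": q["openid.ns"], "openid.mode": "cancel"})
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]
    fields = {"op_endpoint": OP_ENDPOINT, "return_to": q["openid.return_to"],
              "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
              "assoc_handle": q["openid.assoc_handle"],
              "claimed_id": q["openid.claimed_id"], "identity": q["openid.identity"]}
    resp = {"openid.ns": q["openid.ns"], "openid.mode": "id_res", "openid.signed": ",".join(signed),
            "openid.sig": sign(fields, signed, mac_key)}
    resp.update({"openid." + k: v for k, v in fields.items()})
    return fields["return_to"] + "?" + urlencode(resp)

def rp_verify(callback_url: str, rp_store: dict, seen_nonces: set):
    """Step 5: the checks the RP must make before trusting the assertion.
    Returns the claimed_id the user is now logged in as, or None."""
    q = query_of(callback_url)
    if q.get("openid.mode") != "id_res":
        return None                                   # cancelled, or not an assertion at all
    signed = q.get("openid.signed", "").split(",")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required.issubset(signed):
        return None                                   # an attacker may not drop fields from the signature
    mac_key = rp_store.get(q.get("openid.assoc_handle", ""))
    if mac_key is None:
        return None                                   # unknown association (no stateless check here)
    fields = {k: q.get("openid." + k, "") for k in signed}
    if not hmac.compare_digest(sign(fields, signed, mac_key), q.get("openid.sig", "")):
        return None                                   # signature mismatch: modified in transit
    if fields["return_to"] != RP_RETURN_TO or fields["op_endpoint"] != OP_ENDPOINT:
        return None                                   # meant for another RP, or from the wrong OP
    if fields["response_nonce"] in seen_nonces:
        return None                                   # replayed assertion
    seen_nonces.add(fields["response_nonce"])
    return fields["claimed_id"]

def demo() -> dict:
    """Runs the happy path plus cancel, tamper and replay cases; returns what the RP accepted."""
    rp_store, seen = {}, set()
    handle, mac_key = establish_association(rp_store)
    redirect = build_checkid_setup(handle, CLAIMED_ID)
    good = op_respond(redirect, mac_key, user_authenticated=True)
    tampered = query_of(good)
    tampered["openid.claimed_id"] = "http://attacker.provider.example/"   # constructed attack
    return {
        "login": rp_verify(good, rp_store, seen),
        "replay": rp_verify(good, rp_store, seen),
        "tampered": rp_verify(RP_RETURN_TO + "?" + urlencode(tampered), rp_store, seen),
        "cancel": rp_verify(op_respond(redirect, mac_key, user_authenticated=False), rp_store, seen),
    }
```

Calling demo() accepts only the first, untouched assertion; the replayed copy, the copy with a swapped claimed_id and the cancel response are all rejected. A real relying party would additionally confirm, via discovery on the claimed_id, that OP_ENDPOINT is authoritative for that identifier, and could fall back to the provider's check_authentication request when it holds no association.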

OpenID vs OAuth

The basic steps in OpenID :

  • User wants to access his account on example.com
  • example.com (Relying Party) asks the user for his OpenID
  • User enters his OpenID
  • example.com redirects the user to Google (OpenID provider)
  • User authenticates himself to the OpenID provider
  • OpenID provider redirects the user back to example.com
  • example.com allows the user to access his account

The basic steps in OAuth (as used for "log in with Google"):

  • User wants to access his account on example.com
  • User is redirected to Google (the identity provider, acting as OAuth authorization server)
  • User authenticates himself to Google
  • Identity provider redirects the user back to example.com with a token (or an authorization code to exchange for one)
  • example.com allows the user to access his account

OpenID can be seen as a forerunner of this approach, and it became less popular after the introduction of OAuth. OAuth (1.0) was introduced around 2007.

OAuth is centralized: an application (the client) is registered with a particular authorization server, and only that server holds the user's credentials.

In OAuth, each time a user wants to log in he is redirected straight to the authorization server's login page, unlike OpenID. In OpenID, when a user wants to log in to a third-party app, he first enters his OpenID into the app, and the app discovers the provider from that identifier before redirecting him there. This is the main difference between OAuth and OpenID.

OpenID provides authentication and OAuth provides authorization, which is the problem most applications actually needed solved (access to a user's data at another service without holding the user's password); that is why OAuth became popular. Note that an OAuth access token on its own proves only that the client may access some resource, not who the user is. Using plain OAuth as a login mechanism therefore needs an extra, verifiable statement of identity, and that is exactly what OpenID Connect adds.

OpenID vs OpenID Connect

Some people think OpenID and OpenID Connect are the same. From the explanation above you should now understand the basics of OpenID; OpenID Connect is a different, newer protocol.

OpenID Connect is built on top of OAuth 2.0. It adds an ID token, a signed JWT that the provider issues alongside the OAuth access token and that carries the user's identity to the relying party (issuer, subject, audience, expiry and the nonce from the request). The relying party must verify the token's signature and those claims before trusting it.

Both OAuth and OpenID Connect are centralized: the user account lives at the authorization server the application is registered with. OpenID, by contrast, is decentralized: the user's identifier points at whichever provider he chose.
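The OAuth login steps listed earlier and the ID token described above, as one added example written for this article (not code from any provider or library). The issuer, client ID, client secret and redirect URI are constructed values, and no network request is made: the provider's authorization and token endpoints are simulated by functions in the same script. For self-containment the ID token is signed with HS256 using the client secret, which OpenID Connect permits; Google and most public providers sign with RS256 and publish the key in a JWKS document, so a real client would fetch that key instead (assumption noted in the code). The point is validate_id_token: the OAuth part of the flow only yields a code and an opaque access token, and it is the signed, nonce-bound ID token that lets example.com know who logged in.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

# Constructed values for the example; no real provider is contacted.
ISSUER = "https://accounts.provider.example"
CLIENT_ID = "example-com-client"
CLIENT_SECRET = b"constructed-client-secret-for-the-example"  # assumption: HS256 instead of RS256+JWKS
REDIRECT_URI = "https://example.com/callback"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorization_request(session: dict) -> str:
    """Client side of the OAuth 2.0 code flow. 'state' binds the callback to this browser
    session; 'nonce' (added by OpenID Connect) binds the ID token to it."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    return ISSUER + "/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile", "state": session["state"], "nonce": session["nonce"]})

def op_issue_id_token(sub: str, nonce: str, now: int, aud: str = CLIENT_ID, ttl: int = 300) -> str:
    """Provider side: after the user authenticates, mint the ID token (a signed JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_id_token(token: str, session: dict, now: int) -> dict:
    """Relying-party checks from OpenID Connect Core 3.1.3.7. Raises ValueError on any failure."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":        # never let the token choose its own algorithm ("none")
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session.get("nonce"):
        raise ValueError("nonce mismatch (replayed or injected token)")
    return claims

def handle_callback(query: dict, session: dict) -> str:
    """First thing the client does on return: check state before touching the code."""
    if not hmac.compare_digest(query.get("state", ""), session.get("state", "")):
        raise ValueError("state mismatch (CSRF on the callback)")
    return query["code"]

def demo() -> dict:
    """Run the whole exchange plus a few failure cases; returns what the client accepted."""
    now = int(time.time())
    session = {}
    build_authorization_request(session)                       # browser is sent to the provider
    code = handle_callback({"code": "constructed-code", "state": session["state"]}, session)
    # The code would be POSTed to the token endpoint; its reply is simulated here.
    token_response = {"access_token": "opaque-" + code, "token_type": "Bearer",
                      "id_token": op_issue_id_token("user-1234", session["nonce"], now)}
    results = {"valid": validate_id_token(token_response["id_token"], session, now)["sub"]}
    cases = {   # constructed bad tokens: wrong audience, expired, another session's nonce, alg stripped
        "other_audience": op_issue_id_token("user-1234", session["nonce"], now, aud="some-other-app"),
        "expired": op_issue_id_token("user-1234", session["nonce"], now - 600),
        "stale_nonce": op_issue_id_token("user-1234", "nonce-from-another-session", now),
        "alg_none": b64url(b'{"alg":"none"}') + "." + token_response["id_token"].split(".")[1] + ".",
    }
    for name, tok in cases.items():
        try:
            validate_id_token(tok, session, now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```

demo() accepts only the token minted for this client, this session's nonce and the current time; a token issued to another application, an expired one, one carrying a nonce from a different session, and one whose header claims alg "none" are each rejected with the reason shown. The "other_audience" case is the classic mistake of accepting any token the provider ever issued: without the aud check, a token obtained by a malicious app could log its user into example.com.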

I hope you now understand the basics of OpenID!

Learn, code!

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2