| Summary: | The combined use of OpenID and OAuth for authentication and authorization is gaining
popularity day by day in Internet. Because of its simplicity to understand, use and robustness,
they are used in many domains in web, especially where the apps and user base are huge like
social networking. Also it reduces the burden of typing the password every time for
authentication and authorization especially in hand-held gadgets.
After a simple problem scenario discussion, it is clear that the OpenID+OAuth combination has
some drawbacks from the authentication perspective. The two major problems discussed here
include problems caused due to transfer of user credentials over Internet and complexity in
setting up of two protocols separately for authentication and authorization.
Both the problems are addressed by extending OAuth2.0. By using Kerberos-like authentication,
the user has the possibility of not passing the credentials over Internet. It is worth to note that,
OAuth2.0 also uses some kind of tokens for authorizations similar to Kerberos. It could be seen
that extending OAuth2.0 to perform authentication removes the need for OpenID and its
problems completely.
|
|---|