Gluu Blog

OAuth vs. OpenID – What’s the difference?

Mike S. August 2, 2013

OAuth 2.0 is an authorization framework, not an authentication protocol. You can think of this framework as a common denominator for authorization.

OAuth2 was left generic so that it could be applied to many authorization requirements: API access management, posting on someone's wall, IoT services, and so on. That's a good thing. You can use OAuth2 for a lot of tasks, and one of them, given a suitable profile layered on top of it, is person authentication.

OpenID Connect (not OpenID 1 or OpenID 2; both earlier versions are deprecated) is a profile of OAuth 2.0 that defines a workflow for authentication. The big difference between OpenID Connect and OAuth2 is the id_token: a signed JWT in which the OpenID Provider asserts who was authenticated (sub), by whom (iss), for which client (aud), when (iat, exp), and, via the nonce, for which login request. OAuth2 defines no id_token, because the id_token is specific to federated authentication. An OAuth2 access token makes none of those assertions; it only says the bearer may call some API, so an app that treats "I received a valid access token" as "this person logged in" has no standard way to tell whether the token was issued to it or to some other client.

Learn more on the OAuth.net blog: User Authentication with OAuth 2.0.

OpenID Connect is quite close to Google's authentication API. The great thing about OpenID Connect is that it standardizes the flow for person authentication using OAuth2. Previously we had too many proprietary APIs that did the same thing.

For example, Google and Facebook both used OAuth 2.0 differently, as did a plethora of other websites (see everyauth). OpenID Connect represents years of work to align consumer IDPs (like Microsoft, Google, Yahoo…) and other industry participants on a single profile of OAuth 2.0 for authentication.

Along the way, OpenID Connect also defines standards for Discovery (WebFinger to locate the issuer, plus a .well-known/openid-configuration document in which the provider publishes its endpoints, signing keys and supported algorithms), Dynamic Client Registration (so you don't have to ask every website for a client id and secret manually), and Session Management (logout).
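To make the id_token distinction and the Discovery document concrete, here is an added example of the relying-party side (it is not Gluu's code, not oxd, and not part of the original post): a validator that applies the id_token checks from OpenID Connect Core 1.0 section 3.1.3.7 (signature, iss against the issuer published in the discovery document, aud and azp, exp, nonce) and rejects an otherwise well-formed token that was issued to a different client. The issuer URL, client id, shared secret and claims are constructed for the demo. It uses HS256 keyed with the client secret, which OpenID Connect permits, so it runs on the Python standard library alone; a production client would fetch the provider's keys from jwks_uri and verify RS256 instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the document an OpenID Provider serves at
# https://<issuer>/.well-known/openid-configuration (hypothetical issuer).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "jwks_uri": "https://op.example.com/jwks",
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
})
CLIENT_ID = "rp-client-1"                 # hypothetical relying party
CLIENT_SECRET = b"s3cret-shared-with-op"  # hypothetical; HS256 id_tokens are keyed with client_secret


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 id_token the way a test provider would (demo only)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, discovery_json: str, client_id: str,
                      secret: bytes, expected_nonce: str, now=None) -> dict:
    """Apply the relying-party checks of OpenID Connect Core 1.0 sec. 3.1.3.7.
    Returns the claims on success, raises ValueError naming the first failed check."""
    now = time.time() if now is None else now
    issuer = json.loads(discovery_json)["issuer"]   # the iss we expect, taken from Discovery
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS: expected three segments")
    head, body, sig = parts
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg != "HS256":                              # pin the alg; never accept "none"
        raise ValueError(f"unexpected alg {alg!r}")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:                        # the check a bare access token cannot give you
        raise ValueError("token was not issued to this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:       # nonce ties the token to this login attempt
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def run_scenarios() -> dict:
    """Feed the validator one good token and five bad ones; returns the outcome per scenario."""
    now = 1_700_000_000
    base = {"iss": "https://op.example.com", "sub": "alice", "aud": CLIENT_ID,
            "iat": now, "exp": now + 300, "nonce": "n-1"}
    tokens = {
        "valid": sign_id_token(base, CLIENT_SECRET),
        # Issued to another relying party. Signed with the same key on purpose so the audience
        # check, not the signature, is what rejects it; with a provider-wide RS256 key this is
        # exactly the substitution an "any valid token means logged in" check would miss.
        "other_client": sign_id_token({**base, "aud": "other-app"}, CLIENT_SECRET),
        "expired": sign_id_token({**base, "exp": now - 1}, CLIENT_SECRET),
        "replayed": sign_id_token({**base, "nonce": "stale"}, CLIENT_SECRET),
    }
    head, body, sig = tokens["valid"].split(".")
    tokens["alg_none"] = b64url_encode(b'{"alg":"none"}') + "." + body + "."
    tokens["tampered"] = head + "." + b64url_encode(json.dumps({**base, "sub": "mallory"}).encode()) + "." + sig
    results = {}
    for name, tok in tokens.items():
        try:
            claims = validate_id_token(tok, DISCOVERY_DOC, CLIENT_ID, CLIENT_SECRET, "n-1", now=now)
            results[name] = "accepted sub=" + claims["sub"]
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:13s} {outcome}")
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is trusted, and the audience check is what turns a token that is merely valid into a token that is valid for this client. The nonce is generated by the client per login request and compared here so a captured id_token cannot be replayed into a different session.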

For more information, you should check the OpenID Connect website.

The Gluu Server offers a free open source implementation of an OpenID Connect Provider (the equivalent of a SAML IDP; learn more about SAML in our blog: How does SAML work?).

There is plenty of client code out there to secure applications with OpenID Connect, but we have found a pretty large variation in the quality of implementations. In order to better support end-to-end OpenID Connect integrations, Gluu recently released commercial client software called oxd (pronounced "ox-d").

If you’re using a Gluu Server as your OP, your application can use any client software that implements the open standards the Gluu Server supports. However you may want to consider using oxd because:

  1. oxd is super-easy to use;
  2. We keep updating oxd to address the latest OAuth 2.0 security knowledge;
  3. There are oxd libraries for PHP, Python, Java, Node, Ruby, C#, Perl and Go. If your application is programmed in another language, oxd has a simple JSON/REST API;
  4. There are oxd plugins for many popular applications like: WordPress, Drupal, Magento, OpenCart, SugarCRM, SuiteCRM, Roundcube, Shopify, and Kong. More are being added too. Next on the list are: Mattermost, Rocket.Chat, Nextcloud, and Liferay.

Questions? Just reach out!

Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.
