When it was first introduced in 2005, many believed, rightly so, that OpenID was the key to future secure logins on the web. The intention of creating OpenID was to streamline the login process for users with many accounts hosted by different websites.
Typically, a user needs a distinct username and password for each website he intends to access, however many there are. For the majority of users, the idea of memorizing distinct passwords for each of their accounts hosted by different websites was unrealistic and impractical. Therefore, they would recycle a single username and password across several sites, which jeopardized their online security. OpenID was designed to solve this problem.
The idea of OAuth was born towards the end of 2006, but it would take another year before OAuth Core 1.0 could be created. The people behind OAuth wanted to create an open standard that could be used to delegate API access.
Understanding OAuth and OpenID
OAuth works the same way that a valet key does for a luxury car owner. The valet key gives a parking attendant limited access to your car. The parking attendant could drive the car for, say, not more than two miles. Some luxury cars have valet keys that will not allow a parking attendant to use your car address book, onboard cellphone or access your trunk. OAuth gives websites limited access to your online credentials as a way of staying safe online.
While OpenID and OAuth perform similar functions, they are quite different. OpenID uses one identity to log into many different websites while OAuth gives access to a number of your private resources from the host site (referred to as the Service Provider) to a different website (referred to as the Consumer) without at all sharing the details of your identity.
Using OAuth and OpenID protocols
OpenID is an identity protocol for authentication (authN) while OAuth is an identity protocol for authorization (authZ). Authentication protocols provide proof of identity while authorization protocols describe the resources that a Consumer website can access from a Service Provider website. For instance, when you allow a social networking site like Facebook to access your email contacts stored in your Yahoo or Gmail account, you are approving authorization by use of the OAuth standard.
While you may not have realized it at the time, you have almost certainly used the OpenID authentication protocol at some point. Indeed, if you have a WordPress, Yahoo, Blogger or Google account, you already possess an OpenID. You can use it to sign up and log into other websites that have enabled OpenID. Instead of using unique sign-in details for that website, you use your existing sign-in credentials from Google, Blogger, WordPress and other OpenID websites.
OAuth provides a standardized method through which developers can offer their services to users via an API without requiring those users to reveal security credentials such as passwords and usernames. OAuth gets users to give a website access to certain resources on their behalf. OpenID exists to ascertain that a user is who he says he is. Therefore, the two identity protocols function seamlessly together.
OAuth 2.0 and OpenID Connect
OAuth 2.0 is the latest version of the OAuth identity protocol created in 2006. This authorization framework gives desktop applications, web applications, mobile phones, and other devices restricted access to user information on HTTP services like DigitalOcean, Facebook and GitHub.
OpenID Connect is the future of identity
OpenID Connect is fast reaching maturity. And with large companies like Google behind it, there is every reason to believe that it will enjoy widespread adoption. Essentially, OpenID Connect is OpenID improved with the benefit of hindsight. It is designed as a replacement for existing online identity systems that the majority of internet users have known and used for years.
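The split the article draws between OAuth (authorization) and OpenID Connect (authentication) is easiest to see in the checks a relying party performs on each kind of token. The following is an added example, not code from the article: it constructs an OpenID Connect ID token and an OAuth 2.0 access token locally, signed with HS256 under an assumed shared secret (real providers normally use RS256 with published public keys), with an assumed issuer `https://idp.example` and client id `demo-relying-party`, and shows that authentication answers "who is the user?" while authorization answers "may this caller read the resource?".

```python
# Added example, not from the original article. Tokens are constructed locally
# and HS256-signed with a shared secret so the script runs offline.
import base64, hashlib, hmac, json, time

SHARED_SECRET = b"constructed-demo-secret"   # assumption: symmetric HS256 key
ISSUER = "https://idp.example"               # assumed identity provider
CLIENT_ID = "demo-relying-party"             # assumed client registration

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict) -> str:
    """Build a compact JWS (header.payload.signature) with HS256."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str) -> dict:
    """Check the signature before trusting any claim; returns the claims."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # never let the token choose the algorithm
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))

def authenticate(id_token: str, expected_nonce: str, now=None) -> str:
    """OpenID Connect authentication: who is the user? Returns the subject id."""
    c = verify_token(id_token)
    now = time.time() if now is None else now
    if c.get("iss") != ISSUER or c.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this relying party")
    if c.get("exp", 0) <= now or c.get("nonce") != expected_nonce:
        raise ValueError("expired or replayed token")
    return c["sub"]

def authorize(access_token: str, required_scope: str, now=None) -> bool:
    """OAuth 2.0 authorization: does this token grant the requested scope?"""
    c = verify_token(access_token)
    now = time.time() if now is None else now
    return c.get("exp", 0) > now and required_scope in c.get("scope", "").split()
```

Note that the ID token is bound to one relying party through `aud` and to one login attempt through `nonce`, whereas the access token carries only the delegated `scope`, which is why an access token alone should never be taken as proof of who the user is.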
The old system that required users to create a username and password to access website resources will soon be overtaken by events. Given how data breaches have become such a common phenomenon, the security sector is working day and night to find a different and workable solution that is both secure and realistic.
In an attempt to improve online identity, financial institutions like banks often require a user to complete a multi-factor authentication process. In these protocols, the user is required to verify more than one factor: he must prove knowledge of a secret and possession of a device. Often, in addition to a username and password, the user might be asked to enter a code sent to his phone. Some jurisdictions use biometrics as part of the multi-factor authentication process.
Interoperable authentication protocol
OpenID Connect now enjoys an interoperable authentication protocol that allows developers to set up an authentication process that is considerably simpler for their website users. They do this by outsourcing identity verification and sign-in to reputable identity providers. Typically, these identity providers are tech firms that specialize in privacy and security protection for internet users.
OpenID is still a young technology, but its popularity is growing rapidly. Some of the multinationals betting on the technology include PayPal, Google, Amazon Web Services and Microsoft. Today, OpenID is a consumer-oriented identity protocol. Nevertheless, its adoption is recording noteworthy growth within business-to-business circles.