Can they be used together? ... or are they two separate protocols that may or may not be useful depending on the context?
The reason I ask is because I'm trying to implement the following:
- User "Bob" goes to a Client implemented as a User-Agent only application.
- The protected resources are controlled by the same domain as the authentication/authorization server, but they are on different subdomains. However, no session is found in the cookies, so...
Bob clicks "login," and gets redirected to authorization/authentication server using something like the following:
GET https://accounts.example.com/authorize?response_type=token&client_id=123&redirect_uri=http://original.example.com&scope=openid profile token custom
Bob is given a list of options to choose from to authenticate, e.g., "example, google, twitter," etc., which leads to his authentication at example.com, which in turn is used for his authorization for a specific API hosted by example.com.
Should I be using OpenID Connect, OpenID 2.0, both? What? This is my first time implementing any of them. I'm only asking about the authentication part of this. I'm just trying to get Bob authenticated so that I can move on to issuing the token to the client.