
I read many questions and answers on this forum stating that oAuth is for authorization, OpenID is for authentication, and more than a few of them go on to say that OpenID Connect provides authentication by abusing oAuth authorization.

Why the derogative tone? There is a very strong implication that this is bad, but I have not found any explanations for this, and while I understand the difference between authentication and authorization, I don't understand where anybody would use authorization without authentication, or more accurately, without attributability.

Actually that's not true, if I try I can think of situations where attributability is not important, but that won't work for my situation: I'm working on an online service which will allow registrations from users using FB, Twitter, Google+ and probably LinkedIn for authentication. The Front-end applications (web based and mobile, potentially controlled by third parties) should from my understanding use oAuth for access to the API/back-end services on a user's behalf.

For example, if I get a request from a front-end mobile app or a web site to access a user's messages, maybe like:

https://api.example.com/en/messages/userXid&filter=unread

I would need to know that the user signed into the application or web-site is not just authorized to read the messages resource, but that it is in fact the user who may read that specific mailbox.

But I digress, so: Is OpenID Connect bad somehow? I've seen the Wikipedia diagram ... can someone please explain what is wrong with that picture?

I'm ultimately trying to figure out what are all the pieces of the puzzle to create an architecture where:

a) Users register on the back-end and are authenticated via OpenID / Google / FB / etc
b) Users access the service via an independent front-end, eg a mobile app or web-site
c) Different users have different roles (Eg Staff and Customers) and can not access each other's personal or sensitive data
d) It is a multi-tenant service, so Staff from company A could actually be customers of company B and Company C!

FWIW: Some things that I've seen, which help to confuse/clarify things for me:

Johan

1 Answer

Difference Between OAUTH, OpenID and OPENID Connect in very simple term?

Well this was on the side navbar.

It's like this:

If you are authorised to do activity A, you must possibly be the owner that can do activity A. Therefore you must be owner. Authorisation = Authentication. Whereas you could be authenticated but not authorised.

munchkin
  • I see, so Maybe I need to experiment with the protocols, because I don't understand how a user can be authorized and you don't really KNOW who the user is. I'm going to ask a separate question about this. – Johan Jan 22 '15 at 09:35
  • I've added a new related question here: http://security.stackexchange.com/q/79805/66581 – Johan Jan 22 '15 at 09:53
  • Since obtaining the answer to my other question I am now even more strongly of the opinion that authorization without authenticated identification is only useful in a small set of cases - those where attributability is not important. However identification is easily added to oAuth2. – Johan Jan 23 '15 at 08:01
  • This all seems irrelevant. What if you desire authentication ONLY, without essentially mining a user's data (which is what authorization actually means)? OpenID Connect seems to eliminate that option. – Ber Sep 25 '16 at 08:26