OpenID and OAuth for SSO
In my previous post about SSO for web applications I missed the obvious: why not use OpenID and OAuth?
It is important, however, to know the difference between the two. OpenID is for authentication: is the user who he says he is? OAuth is for authorization, and more precisely for delegated authorization: is this application allowed to perform this specific action on behalf of this user? The user never hands the application his password for the other site; instead the application receives a token whose permissions are limited to what the user explicitly consented to, and the provider checks that token (not the user's login) on every call. A use case described in the post OpenID & OAuth – complimentary or competing? is:
Let’s say you are registering as a delegate on a conference website. With OAuth it is possible for the conference website to automatically add the event to your Google calendar or Yahoo calendar with your consent (assuming Google and Yahoo support OAuth). How does it work? Well, once you decide to let the conference website add an event to your Google calendar, you get redirected to Google. On Google, you explicitly authorize the conference website to modify your calendar. After this authorization, the conference website will have permission to modify your calendar data.
The drawback of using OpenID and OAuth side by side is that they are two separate flows: the user is first redirected to the provider to log in with OpenID, and then redirected to that same provider again to approve OAuth access, once for every site he wants to give an application access to. For this reason Google published a hybrid protocol, an OpenID extension that carries the OAuth authorization request along with the authentication request, so a single redirect and a single consent screen give the site both the identity assertion and an already-approved OAuth request token. Google is trying to make this a new standard; they created a demo and released its source.
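To make the two flows concrete, here is an added simulation (example code written for this page, not the post author's code, not Google's hybrid demo and not taken from the linked post) of the conference-site scenario above and of the hybrid shortcut. The provider, the consumer key `conf-site`, the user `alice`, the scope URLs and all tokens are constructed stand-ins; the `openid.oauth.*` field names follow the hybrid extension draft, but the message handling is deliberately simplified: there is no request signing, no discovery and no signature verification of the OpenID assertion, all of which a real consumer must do.

```python
"""Added example, not code from the original post or from Google's hybrid demo.
Simulates OpenID login plus a separate OAuth 1.0a consent trip, and the OpenID/OAuth
hybrid where one trip returns both. All names, scopes and tokens are constructed."""
import secrets

CALENDAR = "https://provider.example/feeds/calendar"  # hypothetical OAuth scope
CONTACTS = "https://provider.example/feeds/contacts"  # second scope, to show enforcement
CONSUMER = "conf-site"                                # the conference site's consumer key


class Provider:
    """Stand-in identity provider + calendar API (the 'Google' side)."""

    def __init__(self):
        self.users = {"alice": "correct-horse"}  # constructed account
        self.calendars = {"alice": []}
        self.consumers = {CONSUMER: "s3cret"}    # registered consumer key -> secret
        self.request_tokens, self.access_tokens = {}, {}
        self.redirects = 0                       # times the user's browser was sent here

    def _login(self, username, password):
        self.redirects += 1
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")

    def issue_request_token(self, consumer_key, scope):
        # OAuth 1.0a step 1: an unauthorized request token for one scope.
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        tok = secrets.token_hex(8)
        self.request_tokens[tok] = dict(consumer=consumer_key, scope=scope, user=None, verifier=None)
        return tok

    def authorize(self, username, password, request_token):
        # OAuth 1.0a step 2: user logs in *at the provider* and consents; token is bound to him.
        self._login(username, password)
        rt = self.request_tokens[request_token]
        rt["user"], rt["verifier"] = username, secrets.token_hex(4)
        return rt["verifier"]  # goes back to the consumer via the callback

    def exchange(self, consumer_key, request_token, verifier):
        # OAuth 1.0a step 3: only an authorized token, for this consumer, becomes an access token.
        rt = self.request_tokens.pop(request_token, None)
        if rt is None or rt["consumer"] != consumer_key or rt["user"] is None or rt["verifier"] != verifier:
            raise PermissionError("request token not authorized for this consumer")
        at = secrets.token_hex(8)
        self.access_tokens[at] = dict(consumer=consumer_key, user=rt["user"], scope=rt["scope"])
        return at

    def add_event(self, access_token, title):
        # Protected API: the decision is the token's scope, not who happens to be logged in.
        at = self.access_tokens.get(access_token)
        if at is None or at["scope"] != CALENDAR:
            raise PermissionError("token lacks calendar scope")
        self.calendars[at["user"]].append(title)
        return list(self.calendars[at["user"]])

    def checkid_setup(self, username, password, request):
        # OpenID 2.0 authentication. With hybrid fields present, the same consent screen also
        # approves the OAuth scope and the response carries a user-bound request token (no verifier).
        self._login(username, password)
        resp = {"openid.mode": "id_res", "openid.claimed_id": f"https://provider.example/id/{username}"}
        if "openid.oauth.scope" in request:
            tok = self.issue_request_token(request["openid.oauth.consumer"], request["openid.oauth.scope"])
            self.request_tokens[tok]["user"] = username
            resp["openid.oauth.request_token"] = tok
        return resp


def login_then_oauth(p, username, password):
    """Conference site, separate flows: OpenID login, then OAuth consent (two trips)."""
    ident = p.checkid_setup(username, password, {"openid.mode": "checkid_setup"})
    rt = p.issue_request_token(CONSUMER, CALENDAR)
    at = p.exchange(CONSUMER, rt, p.authorize(username, password, rt))
    return ident["openid.claimed_id"], p.add_event(at, "Conference keynote")


def hybrid(p, username, password):
    """Conference site, hybrid: identity assertion and approved request token in one trip."""
    req = {"openid.mode": "checkid_setup",
           "openid.ns.oauth": "http://specs.openid.net/extensions/oauth/1.0",
           "openid.oauth.consumer": CONSUMER, "openid.oauth.scope": CALENDAR}
    resp = p.checkid_setup(username, password, req)
    at = p.exchange(CONSUMER, resp["openid.oauth.request_token"], None)
    return resp["openid.claimed_id"], p.add_event(at, "Conference keynote")


def provider_rejects():
    """Two failure modes: (a) exchanging a request token the user never approved,
    (b) calling the calendar API with a token whose consent was for contacts only."""
    p, out = Provider(), []
    try:
        p.exchange(CONSUMER, p.issue_request_token(CONSUMER, CALENDAR), None)
        out.append(False)
    except PermissionError:
        out.append(True)
    rt = p.issue_request_token(CONSUMER, CONTACTS)
    at = p.exchange(CONSUMER, rt, p.authorize("alice", "correct-horse", rt))
    try:
        p.add_event(at, "Conference keynote")
        out.append(False)
    except PermissionError:
        out.append(True)
    return tuple(out)
```

Running `login_then_oauth` and `hybrid` against fresh providers shows the plain combination sends the user to the provider twice and the hybrid once; both end with the same claimed identity and the same calendar entry. `provider_rejects` shows the two checks a provider must never skip: a request token the user did not approve cannot be turned into an access token, and a token consented for contacts cannot touch the calendar even though the user is perfectly well authenticated. That is the authentication/authorization distinction in practice: identity comes from the OpenID assertion, permission comes from the token's scope.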
This really looks like a technique that could be used for my applications. I am looking into this, and hopefully will have a quick tutorial on the subject in the near future.
