[magicalhippo]

It's different things though, or?

OAuth is about getting access to something, and usually part of that is proving to some authorization server that you are you (ie what OpenID is about), no?

Do you mean you'd like OAuth to tackle the "you are you" part as well?

[IshKebab]

That's probably like 30% of the uses of OAuth (e.g. granting Azure Pipelines access to your GitHub repos). 70% is just outsourcing identity and authentication (log in with Google / Facebook / etc.) In those cases the only data they access is your email, profile image, etc.

As a website developer I would definitely appreciate something like OpenID but actually usable/popular. Having to implement a ton of "log in with"s sucks, as does implementing email based login.

[sk5t]

> Having to implement a ton of "log in with"s sucks, as does implementing email based login.

This is kind of auth0's--but also most security token service things--raison d'etre: your app trusts just one authority and supports just one protocol, shunting any unauthenticated users to it, letting it handle the transaction with trusted identity providers.

[stopyellingatme]

100% agreed. I would love to find a language or library that makes one or both of them trivial.

[inopinatus]

GP has written authorisation but they must mean identification, because only a resource owner can perform authorisation, not some random external service.

[chrisweekly]

authN = autheNtication (identity / "who are you")

authZ = authoriZation (access / "what are you allowed to do")

[part1of2]

Also, in general

OAuth => think authZ

OIDC => think authN

[chrisweekly]

Yep.

And auth0 ("auth Zero, not letter o") is a company / service that offers both authN and authZ.