by christiansmith 4184 days ago
In fact, unlike previous OpenID protocols, OpenID Connect is a profile of OAuth 2.0.

The conflation of authorization with authentication is an accident and a mistake. They are still quite separate concepts. Authentication is about verifying identity. Authorization is about privileges afforded a given identity. Access control models usually depend on some form of upstream authentication.

The third-party authorization flows provided by OAuth are not intended to establish or verify a user's identity. Their purpose is to extend a user's access to a third party in a limited way without sharing passwords.

Social Sign-in is an accident of 3-Legged OAuth and its use for this purpose is considered a very weak form of authentication.

OpenID Connect takes the best ideas from preceding identity protocols and incorporates them into OAuth flows, giving the best of both worlds.

More information on all of the above here: https://github.com/christiansmith/anvil-connect/wiki/Referen...
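The difference the comment draws is concrete in what a relying party has to check. As an added example (not code from the comment or from the anvil-connect project), here is the validation an OpenID Connect client performs on an ID token before treating it as proof of identity: the signature, the issuer, that the token was minted for this client's audience, its expiry, and the nonce that ties it to the login request. A plain OAuth access token carries none of these identity assertions, which is why a bare 3-legged OAuth flow is weak authentication. The HS256 secret, issuer URL and client_id are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed example: an OpenID Connect ID token (a JWT) signed with HS256
# by a hypothetical provider. Real providers mostly use RS256 with published
# JWKS keys; the claim checks below are the same either way.
SHARED_SECRET = b"constructed-client-secret"   # assumed
ISSUER = "https://issuer.example"              # assumed provider URL
CLIENT_ID = "client-app-123"                   # assumed client_id (the audience)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint a test token; only here so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, expected_nonce: str, now=None, secret=SHARED_SECRET):
    """Return the subject if the token authenticates the user to THIS client, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject alg=none and algorithm downgrades
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(body_b64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:  # signed by the provider we trust
        return None
    if CLIENT_ID not in aud:  # minted for this client, not for some other app
        return None
    if claims.get("exp", 0) <= now:  # still valid
        return None
    if claims.get("nonce") != expected_nonce:  # tied to the login request we sent
        return None
    return claims.get("sub")
```

The audience check is the one that separates identity from delegated access: a token issued to a different client proves nothing about who is logging in here, even if it is otherwise valid.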


You've said limited scope authorisation is weak authentication, but you haven't said why in your post.

Can anyone advocating OpenID Connect give a single-sentence explanation of why people (developers and users) would want to use it vs limited scope OAuth?