OAuth? OpenID? Neither? Which one should my site

Posted 2019-01-31 12:46

I'm working on a new website and wanted some advice/feedback on OAuth vs OpenID vs standard site-owned username/password.

8 answers
Viruses.
#2 · 2019-01-31 13:24

Keep in mind that even if your site doesn't need to access your users' private data on other sites, OAuth may still apply if your site has data that users may want to access either through an API or from another web site. With OAuth, either end or both might apply to your site.

Explosion°爆炸
#3 · 2019-01-31 13:24

You can combine all of them and get the best out of it, but it depends on your design choices.

For example, if you are using Java, you can configure Acegi (Spring Security) to allow OpenID along with your normal authentication mechanism.

OpenID has OAuth extensions

OAuth has OpenID extensions

It's up to you...

ら.Afraid
#4 · 2019-01-31 13:27

You may want to read this article by Malcolm Tredinnick, which explains what OpenID and OAuth are and do. They serve different purposes.

In summary, OpenID would be used to uniquely identify users - it's an identity solution. OAuth would provide a means to interact with data that your site's users have access to by allowing the user to grant your site temporary access to external services, their Flickr account, for example - it's an authorization tool.

Offering only the standard site-specific account is always an option, of course, but IMHO, supporting OpenID is better for your users and for the web. Many sites that implement OpenID allow users to use an OpenID if they have one, but also allow users to sign in and create accounts without OpenID as well. So, it's not necessarily an either/or proposition. You can do both!

ら.Afraid
#5 · 2019-01-31 13:27

JanRain lets you accept just about everything. Given that the big players will always want to be providers but not consumers, this may be the only realistic "universal" option.

小情绪 Triste *
#6 · 2019-01-31 13:36

I am in favor of supporting integrating user authorization using OpenID, Facebook and any other authenticators out there. Give the user a choice.

ALSO give them the option of not using them. Particularly in adult-oriented websites, your users may choose not to go with something that isn't as anonymous as a simple sign-up to your website. Just use best practices when it comes to storing passwords.

再贱就再见
#7 · 2019-01-31 13:43

My impression of OAuth is that it's more for allowing secure, authenticated access to an API rather than for general user access.

Personally, I'd love to see more sites support OpenID.
