Question

I'm working on a web based project where we make use of the user's Google feeds and we store some information about them in our database. We don't want to make users create accounts with us, but instead they sign in using their Google credentials. It's clear to me that we'll need OAuth, but I'm wondering about the OpenID part. Is there uniquely identifiable information about the user we can access via OAuth to keep track of their data across sessions on our end? If so, what would be the benefit of using OpenID?

Solution

OpenID and OAuth are (in theory if not in practice) used for two separate functions:

OpenID is a means of managing identity and minimizing account creation. Example: I want to use my Google account to log in wherever I go.

OAuth is a means of sharing information about a user in a controlled yet open/interoperable fashion. Example: I want to allow Twitter to access my Google contacts without having to give Twitter my Google username and password.

What that means is that for login situations you want OpenID. If you need access to a user's data, you want OAuth. Some services, such as Twitter, have chosen to do login via OAuth, but that's a misuse of the protocol more than anything.

What's really cool these days, however, is that some providers are starting to do hybrid OpenID + OAuth so that the account login and information sharing authorization can be done in a single step instead of multiple steps. Google is one of the leaders in this arena. You can take a look at this Google blog post for a good overview of what they've been creating.

Hopefully that helps and gives you a better idea of what you're looking for.

Other tips

My general advice would be that providing users with the option is a good thing. I log in to this site with OpenID. It's quick and simple, so I have a better user experience this way.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow