我想谈谈这个问题的一个特定方面，如以下评论所述:

OAuth:在授予某些特性的访问权限之前，必须进行身份验证，对吗?所以OAuth =什么OpenId +授予访问某些功能?- Hassan Makarov 6月21日1:57

是的……也没有。答案很微妙，所以请耐心听我说。

当OAuth流将您重定向到目标服务(即OAuth提供者)时，您很可能需要在将令牌交还给客户机应用程序/服务之前使用该服务进行身份验证。然后，生成的令牌允许客户端应用程序代表给定用户发出请求。

注意最后一句话的一般性:具体来说，我写的是“代表给定用户”，而不是“代表您”。一个常见的错误是假设“拥有与给定用户拥有的资源交互的能力”意味着“您和目标资源的所有者是同一人”。

不要犯这样的错误。

虽然您确实使用OAuth提供者进行身份验证(例如，通过用户名和密码，或者SSL客户端证书或其他方式)，但客户端获得的回报不应该被视为身份证明。例如，在一个流中，对另一个用户的资源的访问被委托给您(通过代理，OAuth客户端)。授权并不意味着身份验证。

要处理身份验证，您可能需要研究OpenID Connect，它本质上是OAuth 2.0设置的基础之上的另一层。以下是关于OpenID Connect(在我看来)最突出的一点(来自https://oauth.net/articles/authentication/):)

OpenID Connect is an open standard published in early 2014 that defines an interoperable way to use OAuth 2.0 to perform user authentication. In essence, it is a widely published recipe for chocolate fudge that has been tried and tested by a wide number and variety of experts. Instead of building a different protocol to each potential identity provider, an application can speak one protocol to as many providers as they want to work with. Since it's an open standard, OpenID Connect can be implemented by anyone without restriction or intellectual property concerns. OpenID Connect is built directly on OAuth 2.0 and in most cases is deployed right along with (or on top of) an OAuth infrastructure. OpenID Connect also uses the JSON Object Signing And Encryption (JOSE) suite of specifications for carrying signed and encrypted information around in different places. In fact, an OAuth 2.0 deployment with JOSE capabilities is already a long way to defining a fully compliant OpenID Connect system, and the delta between the two is relatively small. But that delta makes a big difference, and OpenID Connect manages to avoid many of the pitfalls discussed above by adding several key components to the OAuth base: [...]

The document then goes on to describe (among other things) token IDs and a UserInfo endpoint. The former provides a set of claims (who you are, when the token was issued, etc, and possibly a signature to verify the authenticity of the token via a published public key without having to ask the upstream service), and the latter provides a means of e.g. asking for the user's first/last name, email, and similar bits of info, all in a standardized way (as opposed to the ad-hoc extensions to OAuth that people used before OpenID Connect standardized things).

更多的是对问题的延伸而不是答案，但它可能会为上面伟大的技术答案增加一些视角。我是一个在很多领域都很有经验的程序员，但是在网页编程方面完全是个新手。现在尝试使用Zend框架构建一个基于web的应用程序。

Definitely will implement an application-specific basic username/password authentication interface, but recognize that for a growing number of users the thought of yet another username and password is a deterrent. While not exactly social networking, I know that a very large percentage of the application's potential users already have facebook or twitter accounts. The application doesn't really want or need to access information about the user's account from those sites, it just wants to offer the convenience of not requiring the user to set up new account credentials if they don't want to. From a functionality point of view, that would seem a poster child for OpenID. But it seems that neither facebook nor twitter are OpenID providers as such, though they do support OAuth authentication to access their user's data.

在我读过的所有关于这两者及其区别的文章中，直到我看到上面Karl Anderson的观察，“OAuth可以用于身份验证，这可以被认为是一种无操作授权”，我才看到任何明确的确认OAuth足以满足我想要做的事情。

In fact, when I went to post this "answer", not being a member at the time, I looked long and hard at the bottom of this page at the options for identifying myself. The option for using an OpenID login or obtaining one if I didn't have one, but nothing about twitter or facebook, seemed to suggest that OAuth wasn't adequate for the job. But then I opened another window and looked for the general signup process for stackoverflow - and lo and behold there's a slew of 3rd-party authentication options including facebook and twitter. In the end I decided to use my google id (which is an OpenID) for exactly the reason that I didn't want to grant stackoverflow access to my friends list and anything else facebook likes to share about its users - but at least it's a proof point that OAuth is adequate for the use I had in mind.

It would really be great if someone could either post info or pointers to info about supporting this kind of multiple 3rd-part authorization setup, and how you deal with users that revoke authorization or lose access to their 3rd party site. I also get the impression that my username here identifies a unique stackoverflow account that I could access with basic authentication if I wanted to set it up, and also access this same account through other 3rd-party authenticators (e.g. so that I would be considered logged in to stackoverflow if I was logged in to any of google, facebook, or twitter...). Since this site is doing it, somebody here probably has some pretty good insight on the subject. :-)

很抱歉这篇文章写了这么长时间，而且更多的是一个问题而不是一个答案——但是Karl的评论似乎是在OAuth和OpenID上大量的帖子中最合适的地方。如果我没有找到更好的地方，我提前道歉，我确实试过了。

有三种方法可以比较OAuth和OpenID:

1. 目的

OpenID是为联邦身份验证而创建的，也就是说，允许第三方使用用户已经拥有的帐户为您验证用户身份。联合这个术语在这里非常重要，因为OpenID的全部意义在于可以使用任何提供者(白名单除外)。你不需要预先选择或与提供商协商协议，以允许用户使用他们拥有的任何其他帐户。

OAuth的创建是为了消除用户与第三方应用程序共享密码的需要。它实际上是作为解决OpenID问题的一种方式开始的:如果您在站点上支持OpenID，则不能使用HTTP基本凭据(用户名和密码)来提供API，因为用户在站点上没有密码。

The problem is with this separation of OpenID for authentication and OAuth for authorization is that both protocols can accomplish many of the same things. They each provide a different set of features which are desired by different implementations but essentially, they are pretty interchangeable. At their core, both protocols are an assertion verification method (OpenID is limited to the 'this is who I am' assertion, while OAuth provides an 'access token' that can be exchanged for any supported assertion via an API).

2. 特性

这两种协议都为站点提供了一种方法，可以将用户重定向到其他地方，然后返回一个可验证的断言。OpenID提供身份断言，而OAuth以访问令牌的形式更为通用，可用于“向OAuth提供者询问问题”。但是，它们各自支持不同的特性:

OpenID - the most important feature of OpenID is its discovery process. OpenID does not require hard coding each the providers you want to use ahead of time. Using discovery, the user can choose any third-party provider they want to authenticate. This discovery feature has also caused most of OpenID's problems because the way it is implemented is by using HTTP URIs as identifiers which most web users just don't get. Other features OpenID has is its support for ad-hoc client registration using a DH exchange, immediate mode for optimized end-user experience, and a way to verify assertions without making another round-trip to the provider.

OAuth - the most important feature of OAuth is the access token which provides a long lasting method of making additional requests. Unlike OpenID, OAuth does not end with authentication but provides an access token to gain access to additional resources provided by the same third-party service. However, since OAuth does not support discovery, it requires pre-selecting and hard-coding the providers you decide to use. A user visiting your site cannot use any identifier, only those pre-selected by you. Also, OAuth does not have a concept of identity so using it for login means either adding a custom parameter (as done by Twitter) or making another API call to get the currently "logged in" user.

3.技术的实现

这两种协议在使用重定向获取用户授权方面具有共同的架构。在OAuth中，用户授权访问他们受保护的资源，在OpenID中，用户授权访问他们的身份。但这就是他们所有的共同点。

每个协议都有不同的方法来计算用于验证请求或响应的真实性的签名，并且每个协议都有不同的注册要求。

OpenID(主要)用于识别/身份验证，这样stackoverflow.com就知道我拥有chris.boyle.name(或任何位置)，因此我可能就是昨天拥有chris.boyle.name并获得一些声誉点的同一个人。

OAuth是为授权代表您执行操作而设计的，因此stackoverflow.com(或任何地方)可以请求许可，例如，自动代表您发送Tweet，而不需要知道您的Twitter密码。

我想谈谈这个问题的一个特定方面，如以下评论所述:

OAuth:在授予某些特性的访问权限之前，必须进行身份验证，对吗?所以OAuth =什么OpenId +授予访问某些功能?- Hassan Makarov 6月21日1:57

是的……也没有。答案很微妙，所以请耐心听我说。

当OAuth流将您重定向到目标服务(即OAuth提供者)时，您很可能需要在将令牌交还给客户机应用程序/服务之前使用该服务进行身份验证。然后，生成的令牌允许客户端应用程序代表给定用户发出请求。

注意最后一句话的一般性:具体来说，我写的是“代表给定用户”，而不是“代表您”。一个常见的错误是假设“拥有与给定用户拥有的资源交互的能力”意味着“您和目标资源的所有者是同一人”。

不要犯这样的错误。

虽然您确实使用OAuth提供者进行身份验证(例如，通过用户名和密码，或者SSL客户端证书或其他方式)，但客户端获得的回报不应该被视为身份证明。例如，在一个流中，对另一个用户的资源的访问被委托给您(通过代理，OAuth客户端)。授权并不意味着身份验证。

要处理身份验证，您可能需要研究OpenID Connect，它本质上是OAuth 2.0设置的基础之上的另一层。以下是关于OpenID Connect(在我看来)最突出的一点(来自https://oauth.net/articles/authentication/):)

OpenID Connect is an open standard published in early 2014 that defines an interoperable way to use OAuth 2.0 to perform user authentication. In essence, it is a widely published recipe for chocolate fudge that has been tried and tested by a wide number and variety of experts. Instead of building a different protocol to each potential identity provider, an application can speak one protocol to as many providers as they want to work with. Since it's an open standard, OpenID Connect can be implemented by anyone without restriction or intellectual property concerns. OpenID Connect is built directly on OAuth 2.0 and in most cases is deployed right along with (or on top of) an OAuth infrastructure. OpenID Connect also uses the JSON Object Signing And Encryption (JOSE) suite of specifications for carrying signed and encrypted information around in different places. In fact, an OAuth 2.0 deployment with JOSE capabilities is already a long way to defining a fully compliant OpenID Connect system, and the delta between the two is relatively small. But that delta makes a big difference, and OpenID Connect manages to avoid many of the pitfalls discussed above by adding several key components to the OAuth base: [...]

The document then goes on to describe (among other things) token IDs and a UserInfo endpoint. The former provides a set of claims (who you are, when the token was issued, etc, and possibly a signature to verify the authenticity of the token via a published public key without having to ask the upstream service), and the latter provides a means of e.g. asking for the user's first/last name, email, and similar bits of info, all in a standardized way (as opposed to the ad-hoc extensions to OAuth that people used before OpenID Connect standardized things).

OpenID是关于身份验证的。证明你是谁)，OAuth是关于授权(即。授予对功能/数据等的访问权。而不必处理原始的身份验证)。

OAuth可以在外部合作伙伴站点中使用，允许访问受保护的数据，而无需重新对用户进行身份验证。

博客文章“从用户的角度看OpenID与OAuth”从用户的角度对两者进行了简单的比较，而“OAuth-OpenID:如果你认为它们是同一件事，你就找错了对象”有更多的信息。