OpenId使用OAuth来处理身份验证。

通过类比，就像。net依赖于Windows API。你可以直接调用Windows API，但是它太宽了，太复杂了，方法参数太大了，你很容易犯错误/bug /安全问题。

OpenId/OAuth也是如此。OpenId依赖于OAuth来管理身份验证，但定义了特定的令牌(Id_token)、数字签名和特定的流。

我目前正在研究OAuth 2.0和OpenID连接规范。以下是我的理解: 之前他们是:

OpenID was proprietary implementation of Google allowing third party applications like for newspaper websites you can login using google and comment on an article and so on other usecases. So essentially, no password sharing to newspaper website. Let me put up a definition here, this approach in enterprise approach is called Federation. In Federation, You have a server where you authenticate and authorize (called IDP, Identity Provider) and generally the keeper of User credentials. the client application where you have business is called SP or Service Provider. If we go back to same newspaper website example then newspaper website is SP here and Google is IDP. In enterprise this problem was earlier solved using SAML. that time XML used to rule the software industry. So from webservices to configuration, everything used to go to XML so we have SAML, a complete Federation protocol OAuth: OAuth saw it's emergence as an standard looking at all these kind of proprietary approaches and so we had OAuth 1.o as standard but addressing only authorization. Not many people noticed but it kind of started picking up. Then we had OAuth 2.0 in 2012. CTOs, Architects really started paying attention as world is moving towards Cloud computing and with computing devices moving towards mobile and other such devices. OAuth kind of looked upon as solving major problem where software customers might give IDP Service to one company and have many services from different vendors like salesforce, SAP, etc. So integration here really looks like federation scenario bit one big problem, using SAML is costly so let's explore OAuth 2.o. Ohh, missed one important point that during this time, Google sensed that OAuth actually doesn't address Authentication, how will IDP give user data to SP (which is actually wonderfully addressed in SAML) and with other loose ends like: a. OAuth 2.o doesn't clearly say, how client registration will happen b. it doesn't mention anything about the interaction between SP (Resource Server) and client application (like Analytics Server providing data is Resource Server and application displaying that data is Client)

从技术上讲，这里已经给出了很好的答案，我想到了给出简要的进化观点

OpenId使用OAuth来处理身份验证。

通过类比，就像。net依赖于Windows API。你可以直接调用Windows API，但是它太宽了，太复杂了，方法参数太大了，你很容易犯错误/bug /安全问题。

OpenId/OAuth也是如此。OpenId依赖于OAuth来管理身份验证，但定义了特定的令牌(Id_token)、数字签名和特定的流。

如果您的用户只是想登录Facebook或Twitter，请使用OAuth。如果您的用户是运行自己的OpenID提供者的用户，请使用OpenID，因为他们“不希望其他人拥有自己的身份”。

OAuth返回访问令牌，用于从资源服务器访问资源，OpenID返回JWT /加密令牌中关于资源的元数据细节

OpenID是关于身份验证的。证明你是谁)，OAuth是关于授权(即。授予对功能/数据等的访问权。而不必处理原始的身份验证)。

OAuth可以在外部合作伙伴站点中使用，允许访问受保护的数据，而无需重新对用户进行身份验证。

博客文章“从用户的角度看OpenID与OAuth”从用户的角度对两者进行了简单的比较，而“OAuth-OpenID:如果你认为它们是同一件事，你就找错了对象”有更多的信息。