My understanding of OpenID is that it provides a way for one site to contain all of your identity and peripheral information, but for other OpenID (and user-friendly) sites to reuse this information to identify and authenticate the user. In essence, this minimizes the amount of login credentials (user names and passwords) that the user has for the Internet.
My understanding of OpenSSO is that it allows you to log into one site and automatically register with all other sites that the first site trusts. In essence, this minimizes the number of times a user logs in to these different sites.
My understanding of OAuth is that it allows users to provide third-party sites with specific access to their information located on one particular site. In fact, like OpenSSO, it minimizes the number of attempts to enter the user to these different sites. The difference with OpenSSO is that OpenSSO registers the user at all participating sites at once (with full privileges enabled), while OAuth provides finer access to these participating sites.
So, firstly, if something that I said is wrong, start with a fix!
Assuming that I am more or less correct, I have the following questions / it is necessary to clarify the following points:
- When will I choose OpenSSO over OAuth - only when I want to restrict access that other participating sites have when a user logs into one of them?
- Are there different security risks for each of these technologies that I will have to consider and integrate into my application, or they are considered safe on their own (basically I can be sure that if my application uses them, that my application does not open for any new attacks)?
Since these technologies are so closely connected that it’s hard for me to see the whole “forest through the trees” here - thanks in advance!
source share