user2348684

Reputation: 371

OAuth, OpenID or other solutions?

We want to provide a service where the users would have to register in our website. The problem is that our customer (another company, say company A) wants to verify, for security and spam reasons, that each of the users who register are indeed verified users, but they won't let us access their database (where all the users are already registered).

We could do a manual verification (using users' physical ID cards), but this wouldn't be very effective. That's the reason why we were thinking that maybe we could use something like OAuth or OpenID to make our users sign up / sign in through their account at company A.

Apart from the email/username, we would need to collect some extra information for each user that company A doesn't have in its database, and be able to use it over time. That is to say, it would be great if we could use company A's database, without having access to it, to verify the identity of our users and allow them to sign up as verified profiles.

What technologies and procedures should we adopt to achieve our goal? We have heard and read about OAuth and OpenID, but we're not quite sure whether that's what we are looking for or which one would fit our problem best. On top of that, we would appreciate it if someone could provide us with a guideline for the implementation of the solution, as it's not the typical Facebook/Google sign-in for which there is plenty of information, but we have to use the database of an external company.

Note: we are using PHP and MySQL

Upvotes: 0

Views: 80

Answers (1)

João Angelo

Reputation: 57658

At this point, if you want to deal with authentication/authorization you should look at OpenID Connect and OAuth 2.0, as they are the most recent and the ones with an increasing rate of adoption.

They share a similar history because in both cases they are not backwards compatible with the versions that preceded them, more specifically OAuth 1.0 and OpenID.

However, for this particular scenario you'll be dependent on what Company A supports. You can add support for OAuth2 and OpenID Connect to your application, but if Company A does not support it you're back to square one.

If you can in any way influence what Company A will provide to you then a compatible implementation of OpenID Connect would be your best bet as it would allow your application to use it as a way to verify user identities without having direct access to their user database. After receiving a verified user identity you could then require more information from the user in order to have a more complete profile on your side.

Assuming that Company A did provide an OpenID Connect compliant implementation, integrating with it would be very similar to integrating with any other provider like Auth0 and Google. I say similar because, as you can check in each link, each provider may have their own extensions and supporting libraries that aim to simplify the experience.

Upvotes: 1
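One way to put the answer's suggestion into practice on the asker's PHP/MySQL stack, as an added example that is not part of the original answer: it assumes Company A runs a standard OpenID Connect provider with discovery, uses the jumbojett/openid-connect-php library (installed via Composer), and the issuer URL, client credentials, redirect URL, database credentials and `users` table are placeholders invented for the example.

```php
<?php
// Added example (not from the original answer): sign users in through Company A's
// OpenID Connect provider, then keep a local profile with the extra fields it lacks.
// Assumes: composer require jumbojett/openid-connect-php; all URLs/credentials are placeholders.
require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

// Hypothetical schema, created once:
// CREATE TABLE users (
//   id INT AUTO_INCREMENT PRIMARY KEY,
//   issuer VARCHAR(255) NOT NULL,
//   subject VARCHAR(255) NOT NULL, -- the 'sub' claim: stable id assigned by Company A
//   email VARCHAR(255) NULL,
//   phone VARCHAR(32) NULL,        -- extra profile data Company A does not hold
//   department VARCHAR(64) NULL,
//   UNIQUE KEY uq_identity (issuer, subject)
// );

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start(); // the library keeps state and nonce in the session
}

$oidc = new OpenIDConnectClient(
    'https://login.company-a.example', // placeholder issuer; must serve /.well-known/openid-configuration
    'your-client-id',                  // placeholder, issued by Company A when it registers your app
    'your-client-secret'               // placeholder, server-side only
);
$oidc->setRedirectURL('https://your-service.example/oidc/callback'); // must equal the URL registered with Company A
$oidc->addScope(['openid', 'email']);

// First call redirects the browser to Company A; on the callback it exchanges the code and
// validates the ID token (signature via JWKS, iss, aud, exp, nonce, state), throwing on failure.
$oidc->authenticate();

// Identity is taken only from verified ID token claims, and the account is keyed on
// (issuer, sub), never on email: emails change and can be reassigned, 'sub' cannot.
$issuer  = $oidc->getProviderURL();
$subject = $oidc->getVerifiedClaims('sub');
// Keep the email only if Company A marks it verified in the ID token; otherwise store nothing.
$email   = $oidc->getVerifiedClaims('email_verified') === true ? $oidc->getVerifiedClaims('email') : null;

$pdo = new PDO('mysql:host=localhost;dbname=service;charset=utf8mb4', 'app', 'db-password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]); // placeholder credentials

// Upsert the local record: created on first login, email refreshed afterwards. The extra
// fields stay NULL until the user fills in your own profile form after this step.
$stmt = $pdo->prepare('INSERT INTO users (issuer, subject, email) VALUES (:iss, :sub, :email)
    ON DUPLICATE KEY UPDATE email = VALUES(email), id = LAST_INSERT_ID(id)');
$stmt->execute([':iss' => $issuer, ':sub' => $subject, ':email' => $email]);
$_SESSION['user_id'] = (int) $pdo->lastInsertId(); // now send the user to the extra-info form
```

The `id = LAST_INSERT_ID(id)` clause makes `lastInsertId()` return the existing row's id on repeat logins as well as on the first insert.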
