alshapton

Reputation: 568

OAuth/OpenID - which should I use?

I am developing an Android application which requires users to register and log on to a website and then use that registration information in an Android app. Should I be using OAuth or OpenID or is there something better to make it not a requirement that I develop a single-use authentication system?

Upvotes: 20

Views: 4328

Answers (1)

ddewaele

Reputation: 22603

OpenID

If you're just looking to authenticate a user in your Android app without exchanging data between your application and user data stored & managed by a third party service provider (like Google, Flickr, Facebook, ...), then OpenID might be the better option for you.

There is a Java-based library that should work on the Android platform called openid4java.

OAuth

OAuth, although part of the workflow involves authenticating against an OAuth service provider, is more focussed on the authorization part, as it is to a large degree unaware of the underlying authentication mechanism.

If you want your application to act on the user's behalf (to fetch user data stored at a third party that supports OAuth), then OAuth is an interesting option. OAuth is not capable of acquiring the identity of the user; it merely acts as an authorization mechanism for an already identified user.

Signpost is a Java-based library that works on Android.

OpenID Connect

For early adopters, another interesting solution on the horizon is OpenID Connect, which combines the best of the 2 worlds.

Take a look at the following posts for more background info.

And of course the specs:

Upvotes: 29
