Web security Oauth or OpenID

There has been a lot of online talk about Oauth and OpenID, what they contribute to website / applications security, how they differ and/or are similar. I would like to show how they can jointly contribute to increased security for a website or application. To put a context on this blog, I refer to a previous blog that I wrote on Building in security to websites and apps, where I discussed a selection of OWASP principles of confidentiality, integrity and availability.

Authentication and Authorisation

Within the scope of OWASP’s availability principle, authorisation and authentication are important and are closely related. Authentication starts the process where a system identifies a user and establishes whether the user is who they say they are. Authentication can take different forms, from a simple password to the use of a person’s fingerprint and beyond!

Authorisation then steps in, where a system determines the level of access an authenticated user should have to a website or application feature(s)/function(s). Some users can only read information, while other users can change information.

OpenID is every much in the authentication area, while Oauth is in the authorisation space.

So what are OpenID and Oauth ?

OpenID is billed as “a safe, faster, and easier way to log in to web sites” by OpenID.net – one username/password to access any number of websites or online services. The premise is a simple one to help today’s online user, who uses a range of online sites / apps and may have difficulty remembering the different passwords.

Your OpenID is available from a variety of providers, some of them you may know of; Google, Yahoo, Orange and WordPress. So if you have an existing logon with any of these providers, then this is your OpenID. Alternatively, you can roll out your own OpenID using your own blog or website url (see this tutorial by Sam Ruby for details). A step by step guide on using your OpenID to login is provided at OpenID.net.

So you’re logged in with your OpenID, now over to Oauth which is a simple and secure way to allow one website or application to access data from another site or application – be it on the desktop or web. The best way to explain how Oauth works is to use an example – lets look at how Twitter uses Oauth.

If you’re browsing an online news site and come across an interesting news item that you want to tweet, the news site will verify you’re logged into twitter. Then you’re asked if you really want to tweet the selected news item. If you agree, then the news information is formatted as a tweet and tweeted from your twitter account.

The important point is that the authentication takes place  without having to share your twitter login details with the online news site. Traditionally, you would have to pass your login details to the news site as part of the authentication process and this would require these details to be stored securely – an extra burden for the website or application. For a more detailed look at the request and information flow involved with Oauth and Twitter, please go to an introduction on Oauth and Twitter.

The future of OpenID and Oauth

There is now a new hybrid protocol that is combining OpenID and Oauth into a single interface – the OpenID OAuth Hybrid Protocol. The reasoning behind the new protocol is simple – websites that accept OpenID are also enabled to share data with other websites that accept OpenID without the need for a separate Oauth authentication step.

For further information and latest updates with both open standards, go to the following websites