Posts Tagged ‘security’

Web security: OAuth or OpenID

There has been a lot of online talk about OAuth and OpenID: what they contribute to website and application security, and how they differ or are similar. I would like to show how they can jointly contribute to increased security for a website or application. To give this blog some context, I refer to a previous blog that I wrote on Building in security to websites and apps, where I discussed a selection of OWASP principles of confidentiality, integrity and availability.
Within the scope of OWASP’s availability principle, authorisation and authentication are important and closely related. OpenID is very much in the authentication area, while OAuth is in the authorisation space.
