Working on a web app, we want to expand pass all this login/password mumbo-jumbo. We have facebook integration and are wondering if we should look at Oauth, Openid, both, or neither?
I would look into OpenID and Twitter integration (http://apiwiki.twitter.com/Sign-in-with-Twitter). But instead of providing just a text field when accepting OpenID, provide quick links to login with the major, more-general web app providers (Yahoo, Google). You don't even need to tell your users that you're using OpenID for authentication... just that they could login using their existing account with another major web service.
You may want to look into RPX (http://rpxnow.com) - it's a commercial provider that does something similar to what I described above. I'm not a huge fan of them being a hosted service, but they do make it really straight-forward to login.
They do different things (federated login vs. access authorization) so focus on which you need most. Note that they are being combined, so hopefully the choice won't be necessary for too long:
If you run a site geared towards novice computer users, my advice is DON'T. OpenID is still far too janky of a user experience, you're totally beholden to the providers, which are all different, and the "IE6" crowd just does not get it.
I would say that it depends on the audience. I have to agree with xpaulbettsx, for some users it might be a problem to get the concept. However, I like OpenID idea a lot and plan to use it in my project.I just hate having 73 different user accounts on 57 different sites (I forget passwords and not all sites have nice tools to reset it).
Yeah, as the other posters have said, they're different things.
OpenID allows users to log into _YOUR_ site with a single login that they can use for other sites that support it. An alternative is your regular user/pass login (which you'll have to implement anyway for users without openid).
OAuth allows you to get data from your users accounts on other websites (twitter, yahoo, gmail etc) in a secure, supported way. An insecure and brittle alternative would be to ask your user to give you their login details for a different site on your site and then screen scrape their account.
10 comments
[ 5.7 ms ] story [ 38.3 ms ] threadYou may want to look into RPX (http://rpxnow.com) - it's a commercial provider that does something similar to what I described above. I'm not a huge fan of them being a hosted service, but they do make it really straight-forward to login.
Facebook Apps use OpenID.
http://step2.googlecode.com/svn/spec/openid_oauth_extension/...
OAuth is for giving your application the ability to access someone elses, without users of your application having to supply their credentials to you.
OpenID allows for users of your application to use their credentials for another service authenticate with yours.
OpenID allows users to log into _YOUR_ site with a single login that they can use for other sites that support it. An alternative is your regular user/pass login (which you'll have to implement anyway for users without openid).
OAuth allows you to get data from your users accounts on other websites (twitter, yahoo, gmail etc) in a secure, supported way. An insecure and brittle alternative would be to ask your user to give you their login details for a different site on your site and then screen scrape their account.