Difference between OpenID and OAuth

OAuth and OpenID are both protocols used in web authentication and authorization, but they serve different purposes. OAuth is designed for authorization (granting access to resources without sharing passwords), while OpenID is designed for authentication (verifying who a user is).

OAuth

OAuth (Open Authorization) is an HTTP-based protocol that allows a third-party application to access a user's resources without the user sharing their password. Instead, OAuth provides an access token that the application uses to interact with APIs on behalf of the user. For example, when a mobile app asks to access your Google Drive files, it uses OAuth.

OpenID

OpenID is a protocol designed for authentication: it allows a third-party identity provider to verify who the user is, using accounts they already have. It enables single sign-on (SSO), so users can log into multiple websites using one set of credentials (like "Sign in with Google"). OpenID initiates a user session upon successful authentication.

[Figure: two flows side by side. OAuth (Authorization), "What can you access?": the user grants the app an access token, no password is shared, and no session is created. OpenID (Authentication), "Who are you?": the identity provider verifies the user's identity using an existing account, and a session is created (SSO).]

Key Differences

| Feature | OAuth | OpenID |
|---|---|---|
| Purpose | Authorization (access to resources) | Authentication (identity verification) |
| Answers | "What can this app access?" | "Who is this user?" |
| Session | Does not initiate a user session | Initiates a user session (SSO) |
| Mechanism | Access tokens for API access | Identity provider verifies user credentials |
| Password Sharing | No password shared with third party | No password shared (provider authenticates) |
| Example | "Allow this app to access your photos" | "Sign in with Google" |

Conclusion

OAuth handles authorization (what a user allows an app to do), while OpenID handles authentication (who the user is). Modern implementations like OpenID Connect combine both protocols, building an authentication layer on top of OAuth 2.0 to provide both identity verification and resource access in a single flow.
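The split described above can be seen in how a client handles an OpenID Connect token response. The following is an added example, not code from the original page: the client starts a session only from a verified ID token and treats the access token as an opaque value for the API. The issuer URL, client ID, secret, subject and all function names are constructed for illustration; HS256 with a shared secret is assumed so the code runs on the standard library, while providers commonly sign ID tokens with asymmetric keys.

```python
import base64, hashlib, hmac, json, time
# Constructed demo values; no real provider, client or secret.
ISSUER, CLIENT_ID, SECRET = "https://idp.example", "photo-app", b"demo-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for the identity provider: an HS256-signed JWT."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _b64(_mac(signing_input, secret))

def token_response(nonce: str, aud: str = CLIENT_ID, ttl: int = 300) -> dict:
    """Constructed token-endpoint response carrying both kinds of token."""
    claims = {"iss": ISSUER, "sub": "user-1234", "aud": aud,
              "nonce": nonce, "exp": int(time.time()) + ttl}
    return {"access_token": "opaque-constructed-value", "token_type": "Bearer",
            "id_token": issue_id_token(claims)}

def authenticate(id_token: str, nonce: str, secret: bytes = SECRET) -> str:
    """Authentication: return the subject only if every check passes."""
    try:
        head, body, sig = id_token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        signature = _unb64(sig)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("not a well-formed ID token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm
    if not hmac.compare_digest(signature, _mac(f"{head}.{body}", secret)):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:  # token must be meant for this client
        raise ValueError("issued to a different client")
    if claims.get("nonce") != nonce:  # ties the token to this login attempt
        raise ValueError("nonce mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= time.time():
        raise ValueError("expired")
    if not isinstance(claims.get("sub"), str):
        raise ValueError("no subject")
    return claims["sub"]
```

The access token never passes through `authenticate`: it says what the app may access, not who is signing in, so presenting it as a login credential is rejected.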

Updated on: 2026-03-14T12:38:25+05:30
