
On 6/16/2014 9:28 PM, Stephen J. Turnbull wrote:
> Were we (on dmarc@ietf) talking all along about OpenID when we wrote "OAuth"? They're different, although I don't know exactly how or why (and neither RFC made obvious mention of the other :-( ).
OAuth calls itself an authorization framework. I like to think of it personally as a less secure and less well-specified variant of Kerberos. :-) OpenID in contrast is more of a third-party authentication provider. It looks like OpenID is repositioning itself to work on top of OAuth 2.0 with OpenID Connect, though.
The problem with OAuth is that a lot of its details are left up to the whims of the implementor, such as the location of its various endpoints or even what elements in the query are mandatory. Figuring out how to go from "email address" to "OAuth bearer token" is currently impossible without hardcoding a lot of mapping details.
--
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist