OAuth 2.0 implementation

Stuart Bishop stuart at stuartbishop.net
Tue Mar 27 11:59:25 CEST 2012

On Tue, Mar 27, 2012 at 10:11 AM, Ben Finney <ben+python at benfinney.id.au> wrote:
> Demian Brecht <demianbrecht at gmail.com> writes:
>> I'm getting close to an alpha release of an OAuth 2.0 implementation
>> (https://github.com/demianbrecht/py-sanction).
> Thank you for doing this work.
> As someone who uses OpenID, what can I read about why OAuth is better?

They are different, and often you need to use both.

OpenID allows web sites to authenticate someone. It is not really
useful for anything not an interactive web site. The consuming site
never gets your keys, it just gets confirmation from the provider that
the user is who they claim they are and maybe some details that the
provider chooses to provide such as an email address.

OAuth is for generating authentication keys that allow a program to
authenticate as someone and perform operations on their behalf. You
use OAuth to generate a key so that Foursquare can send messages via
Twitter on your behalf, or so the Facebook client on your phone can
access your account without storing your password. You also get
authentication here, as you can't generate a key without being
authenticated, but the real reason it is used instead of OpenID is so
you can keep the key and keep using it to act as the user; you can
keep using that key until it expires or it is revoked.

Authentication providers that don't provide a webapi just implement
OpenID. Big sites like Google and Facebook implement both OpenID (for
'log in with your GMail account') and OAuth ('post this message to
your Facebook wall').

Stuart Bishop <stuart at stuartbishop.net>

More information about the Python-list mailing list