OpenID is to OAuth as Authentication is to Authorization

March 13, 2008

OpenID and OAuth are two technologies with considerable momentum behind them that solve big problems on the web (and create some new ones). The problem is that a lot of people don't understand the two, or don't understand the difference between them.

Malcolm Tredinnick, Django developer extraordinaire, drops knowledge about the confusion some people have between OpenID and OAuth. Truth be told, I probably had many of the same confusions and misconceptions before I educated myself this weekend at SXSW by attending a few panels on the subject. The key difference is that OpenID is about authentication (proving who you are) and OAuth is about authorization (granting permission).

It doesn't help that OAuth is a somewhat poor name, since most people automatically assume that the "auth" in question is authentication, when in fact it is authorization: giving an application permission to access, manipulate, or remove your content on your behalf, without handing it your password. Malcolm explains (emphasis mine):

Lazy message writers, in email, on blogs, even in the printed media, will throw around the abbreviation auth as though it’s well-defined and clearly understood. They’ll talk about “the auth system” or use it as a verb (little realising that when I rule the world, there’s going to be a severe accounting for that bad habit) “you’ve been auth-ed”.

The problem here is that "auth" is an abbreviation for both authorisation and authentication and they are different aspects of identity management. Unless the context is very clear, it is often confusing as to which use is intended.

Source: Defying Classification: Explanation: The Difference Between OpenID and OAuth
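To make the distinction the post draws concrete, here is a small added illustration (not code from the original post, and not an implementation of either specification) that models the two questions separately: an OpenID-style identity assertion that answers only "who is this user?", and an OAuth-style delegated token that answers only "what may this application do with the user's content?". The `AccessToken` format, the scope names, the two signing keys, the `PHOTOS` resource and the helper names are all assumptions made for this example; real OpenID uses signed provider responses and real OAuth 1.0 uses per-request signatures, neither of which is reproduced here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Set, Tuple

# ---------------------------------------------------------------------------
# Authentication (OpenID's job): "is this really the user who owns this id?"
# ---------------------------------------------------------------------------

# Constructed secret: stands in for the identity provider's signing key.
PROVIDER_KEY = b"identity-provider-signing-key"


def issue_identity_assertion(claimed_id: str) -> str:
    """Identity provider vouches that the logged-in user owns `claimed_id`.

    Simplified to an HMAC over the identifier; a real OpenID provider signs a
    set of response fields with a key negotiated with the relying party."""
    return hmac.new(PROVIDER_KEY, claimed_id.encode(), hashlib.sha256).hexdigest()


def authenticate(claimed_id: str, assertion: str) -> bool:
    """Relying party verifies the assertion. This answers only "who is this?";
    it says nothing about what any application may do with the user's data."""
    expected = issue_identity_assertion(claimed_id)
    return hmac.compare_digest(expected, assertion)


# ---------------------------------------------------------------------------
# Authorization (OAuth's job): "what may this third-party app do for the user?"
# ---------------------------------------------------------------------------

# Constructed secret: stands in for the service provider's token key.
SERVICE_KEY = b"service-provider-token-key"


@dataclass(frozen=True)
class AccessToken:
    """Delegated credential handed to a consumer application (assumed format).

    It names the user, the consumer and the granted scopes, and notably NOT
    the user's password: the consumer application never sees that."""
    user: str
    consumer: str
    scopes: frozenset


def _token_mac(token: AccessToken) -> str:
    """Integrity tag binding user, consumer and scopes together, so a consumer
    cannot quietly widen the grant it was given."""
    msg = "|".join([token.user, token.consumer, ",".join(sorted(token.scopes))])
    return hmac.new(SERVICE_KEY, msg.encode(), hashlib.sha256).hexdigest()


def grant_access(user: str, consumer: str, scopes: Set[str]) -> Tuple[AccessToken, str]:
    """Service provider issues a token after the user approves `consumer` for `scopes`."""
    token = AccessToken(user, consumer, frozenset(scopes))
    return token, _token_mac(token)


def authorize(token: AccessToken, mac: str, action: str) -> bool:
    """Resource-server decision: the token must be genuine AND carry the needed scope."""
    if not hmac.compare_digest(_token_mac(token), mac):
        return False  # tampered or forged token
    return action in token.scopes


# Constructed protected resource owned by the user.
PHOTOS = {"alice": ["beach.jpg", "cat.jpg"]}


def list_photos(token: AccessToken, mac: str) -> List[str]:
    """Read access requires the 'read' scope."""
    if not authorize(token, mac, "read"):
        raise PermissionError("token lacks 'read' scope or is forged")
    return list(PHOTOS[token.user])


def delete_photo(token: AccessToken, mac: str, name: str) -> bool:
    """Destructive access requires the separate 'delete' scope."""
    if not authorize(token, mac, "delete"):
        raise PermissionError("token lacks 'delete' scope or is forged")
    PHOTOS[token.user].remove(name)
    return True


if __name__ == "__main__":
    # Authentication: alice proves who she is to a relying party.
    assertion = issue_identity_assertion("alice.example.org")
    print("authenticated:", authenticate("alice.example.org", assertion))

    # Authorization: alice lets a printing app read, but not delete, her photos.
    token, mac = grant_access("alice", "photo-printer-app", {"read"})
    print("read:", list_photos(token, mac))
    try:
        delete_photo(token, mac, "cat.jpg")
    except PermissionError as err:
        print("delete refused:", err)
```

The point of keeping the two halves apart is that a valid identity assertion grants a third-party application nothing, and a delegated token grants it exactly the listed scopes and nothing more; a consumer that edits its own token to add "delete" fails the integrity check rather than gaining the permission.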