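I'm working on a web-based project that uses users' Google feeds and stores information about them in a database. Rather than having users create an account, I'd have them sign in with their Google credentials. It's obvious that OAuth will be required, but I'm wondering about the OpenID part. Is there any uniquely identifiable information about the user that I can access via OAuth and use to track data across sessions? If so, what's the advantage of using OpenID?
2 Answers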
OpenID and OAuth are (in theory if not in practice) used for two separate functions:
OpenID is a means of managing identity and minimizing account creation. Example: I want to use my Google account to log in wherever I go.
OAuth is a means of sharing information about a user in a controlled yet open/interoperable fashion. Example: I want to allow Twitter to access my Google contacts without having to give Twitter my Google username and password.
What that means is that for login situations you want OpenID. If you need access to a user's data, you want OAuth. Some services, such as Twitter, have chosen to do login via OAuth, but that's a misuse of the protocol more than anything.
What's really cool these days, however, is that some providers are starting to do hybrid OpenID + OAuth so that the account login and information sharing authorization can be done in a single step instead of multiple steps. Google is one of the leaders in this arena. You can take a look at this Google blog post for a good overview of what they've been creating.
Hopefully that helps and gives you a better idea of what you're looking for.
My general advice would be that providing users with the option is a good thing. I log in to this site with OpenID. It's quick and simple, so I have a better user experience this way.