- Should I use OAuth or OpenID Connect?
- Why is OAuth bad for authentication?
- What is a risk of using OpenID Connect?
- Is OpenID app harmful?
Should I use OAuth or OpenID Connect?
OpenID is used for authentication while OAuth is used for authorization. If authentication is the main goal, there is no better method than X.509 digital certificates.
Why is OAuth bad for authentication?
The problem stems from the OAuth 2.0 system not having a serious verification mechanism, thus allowing almost anyone to register an app with a provider. Once registered, the app can use the OAuth 2.0 authentication/authorization mechanism to request consented access to a user's data.
What is a risk of using OpenID Connect?
Phishing. There are two common phishing attacks in the OpenID Ecosystem:
- Phished OP Page - A rogue RP can redirect the user to a phished OP page where the user will be tricked into entering their OP credentials.
- Realm Spoofing - A malicious RP can craft an authentication Request with an openid.
Is OpenID app harmful?
With OpenID, your password is only given to your identity provider, and that provider then confirms your identity to the websites you visit. Other than your provider, no website ever sees your password, so you don't need to worry about an unscrupulous or insecure website compromising your identity.