Google Authentication: OAuth2.0 Vs OpenID Connect

I am evaluating the options provided by Google to add Google login to my web application. The possible options, as I see them, are:

  1. Google+ Signature
  2. OAuth 2.0
  3. OpenID Connect (OAuth2.0 for login)

I did not go with the 1st as it limits the API calls that I can make in one day to 10000.

Between 2 and 3, I am inclined toward the 3rd. I really don't need API authorization, and I'm not worried about token expiration in my case. Once I get the user profile from Google, my web application will manage its own user session and does not need to request any other user-related data from Google. And according to the Google documentation, No. 3 allows me to set up a user consent screen, but 1 and 2 do not.

Any comments on my comparison between 2 and 3?

1 answer

In fact, 2. consists of a specific use/extension of OAuth 2.0 for Google to set the user ID on top of the authorization provided by core OAuth 2.0. Using 2., you will need to make sure that you get the access token in the code flow, and you will need to make a special introspection call to Google to find out who the user is, where the user identification is returned in special cases by Google.

On the other hand, 3. is a standardized way for users to log in through a third-party provider, so this is the future-safe choice for which you will find more support in libraries/SDKs (well, at least in the near future).

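As an added example (not part of the original question or answer, and not Google's code): with OpenID Connect the user's identity arrives in an ID token, and these are the claim checks from the OpenID Connect Core validation rules that a web application runs after a JOSE library has verified the token's signature. The function name, client ID, nonce and sample claims are constructed placeholders.

```python
import time

# Issuer values Google documents for its ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


class IdTokenError(ValueError):
    """Raised when an ID token's claims fail validation."""


def validate_id_token_claims(claims, client_id, expected_nonce, now=None, leeway=60):
    """Check the claims of an ID token whose signature was ALREADY verified.

    Returns the stable user identifier (`sub`) or raises IdTokenError.
    """
    now = time.time() if now is None else now

    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise IdTokenError("unexpected issuer")

    # `aud` may be a single string or a list; our client_id must be in it.
    # This is the check that rejects a token minted for some other application.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IdTokenError("token was issued to a different client")
    # With several audiences, the authorized party (azp) must be this client.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("authorized party mismatch")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IdTokenError("token expired or exp missing")

    # The nonce binds the token to the login request this session started.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")

    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise IdTokenError("missing subject")
    return sub


# Constructed sample claims (not real values).
SAMPLE = {"iss": "https://accounts.google.com", "aud": "example-client-id",
          "sub": "1234567890", "exp": 2_000_000_000, "nonce": "n-abc123"}
```

Key the local user record on the returned `sub`, since it is the identifier that stays stable for an account.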

Source: https://habr.com/ru/post/980911/

