First, we’ll look at the pros and cons of using a straight OpenID implementation without the second, more extensive, OAuth steps that we will explore momentarily in the hybrid auth pros and cons list.
You can offload the authentication of a user to an OpenID provider such as Yahoo! or Google. Using this method, you can take advantage of the provider’s large membership and security systems to log your users in to your site.
You will not need to store user login credentials in your own database systems; rather, you simply map the OpenID user on the provider site with whatever information your application or site stores about that user.
The straight OpenID approach is more lightweight than the hybrid auth implementation.
OpenID is simply an authentication service for verifying a user account state, not an authorization system like OAuth, which allows an application or service to perform actions on the user’s behalf once authorized. What this means is that a simple OpenID integration will not be able to make signed requests to the provider site to get, set, or delete a user’s social information.
The support for OpenID extensions—such as Simple Registration, Attribute Exchange, and PAPE—is inconsistent from provider to provider. Some providers support all of the most popular extensions, while others support none. In addition, the personal information that you can obtain through such extensions varies among providers. Some providers may return a user’s ...