Facebook OAuth for authentication?

Question

Ok, Having read so many QAs here about OpenId and OAuth (like this, I hope I understand the difference between both. I see people recommending OpenIDs for authentication (proving identity) and OAuth for authorization (say tweet or post something to fb wall,etc).

But my question is- how about using Facebook/Twitter OAuth for authentication to a website? like the way SO itself uses Facebook login as an identity of a user. I'd like to hear what is others opinion about using something meant to authorize to use to authenticate. The reason why one might want to do is the same as using Open Id i.e., to ease the registration process for a new user.

PS: Please correct me if I'm still confusing the use of OpenID/OAuth.

Answer 1

You are not confusing anything as far as I can see. OpenID is indeed a specification for identity authentication, and oAuth is indeed mostly aimed at solving authorization problems.

That having been said. You CAN use oAuth for identity authentication as well. There is nothing to stop you from doing that. I for one will definitely leverage that.

There only drawback of using oAuth for identity authentication is that you may want providers to be strict with what their access tokens allow you to do. What I mean is, when you authenticate a twitter user, you will also be able to do everything else that the Twitter API allows you to do (which is basically everything). Facebook is potentially more restrictive and authenticating applications can be granted only a subset of API functionality.

OpenID does identification, and that's pretty much it, I love it. But I'll gladly use oAuth for the same purpose any day of the week.