OpenID vs OAuth2

Where did you get that? As far as I know OpenID (Connect) is still widely used.

Search for “openid going away”. Bunch of articles and advice.

It can also be interesting to search for “openid vs oauth2”.

And yes, OAuth2 is considered to be authorization while OpenID is specifically for authentication, but for the purpose of just logging in, the distinction is not important. You can’t be authorized without being authenticated.

The only thing I find is that StackExchange is dropping support because it’s not useful for them. It doesn’t say anything about the usefulness of the protocol itself.

I did before I posted my previous reply and I found https://www.gluu.org/blog/oauth-vs-openid-whats-the-difference/ where it says:

The great thing about OpenID Connect is that it standardizes the flow for person authentication using OAuth2.

So OpenID Connect is not an alternative to OAuth2, it’s actually a standard on top of OAuth2.

Not quite true, as with OpenID I can force a user to re-authenticate before they are sent back to my server by sending login=prompt with my request (see https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1), so I can be sure the user actually had to enter their credentials at the OpenID provider’s website, making it less likely that it is a malicious user who is re-using an already existing session with the OpenID provider.
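The forced re-authentication described in the reply above, as an added example that is not part of the original thread. The spec parameter is `prompt=login` (OpenID Connect Core 1.0, section 3.1.2.1); sending `max_age=0` alongside it has the same effect and additionally obliges the provider to include an `auth_time` claim in the ID token, which is what lets the relying party check on its own side that a fresh login actually happened rather than trusting that the provider honoured the prompt. The endpoint URL, client ID, redirect URI and the sample ID token claims are constructed for the example; the claims are assumed to have already passed signature, issuer, audience and expiry validation against the provider's JWKS, which is not shown here.

```python
import secrets
import time
from urllib.parse import urlencode

# Hypothetical provider and client values; real ones come from the OP's
# discovery document and client registration.
AUTHORIZATION_ENDPOINT = "https://op.example/authorize"
CLIENT_ID = "my-client"
REDIRECT_URI = "https://rp.example/callback"


def build_login_request(state: str, nonce: str) -> str:
    """Build an OIDC authorization request that forces re-authentication.

    prompt=login asks the OP to prompt for credentials even when the user
    already has a session there. max_age=0 says the last authentication may
    be at most 0 seconds old, so the OP must re-authenticate, and (per OIDC
    Core 3.1.2.1) the ID token then MUST carry an auth_time claim.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,   # CSRF binding for the redirect back to us
        "nonce": nonce,   # binds the ID token to this request
        "prompt": "login",
        "max_age": "0",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def verify_fresh_authentication(claims: dict, expected_nonce: str,
                                request_time: int, skew: int = 60) -> bool:
    """Decide whether validated ID token claims prove a fresh login.

    `claims` must already have passed signature/iss/aud/exp checks. Returns
    False if the nonce does not match, if auth_time is missing (it is required
    once max_age was sent, so its absence means the check cannot be made), or
    if the user authenticated before we issued the request, i.e. the OP reused
    an existing session instead of re-prompting.
    """
    if claims.get("nonce") != expected_nonce:
        return False
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False
    return auth_time >= request_time - skew


# Constructed sample: what a relying party would see after a successful
# code exchange. Not real tokens.
REQUEST_TIME = 1_700_000_000
NONCE = "n-0S6_WzA2Mj"
FRESH_CLAIMS = {"sub": "248289761001", "nonce": NONCE,
                "auth_time": REQUEST_TIME + 7}          # logged in after redirect
STALE_CLAIMS = {"sub": "248289761001", "nonce": NONCE,
                "auth_time": REQUEST_TIME - 3600}       # old session reused
NO_AUTH_TIME_CLAIMS = {"sub": "248289761001", "nonce": NONCE}

if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_login_request(state, nonce))
    now = int(time.time())
    print(verify_fresh_authentication({"nonce": nonce, "auth_time": now}, nonce, now))
```

The `skew` argument covers clock drift between the relying party and the provider; keep it small, since a generous allowance re-opens the window the check is meant to close.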

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.