I’m writing a Windows 8 Metro app (client-server) and would like to allow my users to login using their existing accounts (Windows Live, Google, Facebook, Yahoo, …).
Currently I’m using OAuth 2.0 on the client to retrieve a code which can be used on the server side to fetch an access token from the provider and to read basic information about the account.
I recently read about OpenID, but it seems that there are no implementations for desktop applications. Also, Windows Live doesn’t seem to support OpenID.
So my questions are:
- Is it a bad practice to use OAuth to delegate authentication only?
- Should I implement my own OAuth provider in ASP.NET for API access of my client and delegate the authentication task to OpenID providers in the OAuth web forms?
OAuth is overkill if you’re only wanting to authenticate a user (after all, you’re asking your customer if you can act on their behalf with the service used to authenticate with). Or, as a more concrete example, if you were delegating authentication to Twitter, you could also read all their contacts and lots of other stuff that you don’t need – that might be enough to put some customers off using your app, and give it a bad review in the store.
It’s slightly different when the customer already has a relationship with the web service, and understands that your application is a client of it.
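The answer's point is about how much authority the login flow asks for. As an added example (not code from the question or the answer), here is the server side of the authorization-code flow described in the question, written so that it requests only an identity scope, checks the `state` value on the callback, and rejects tokens that were granted wider access than the login needs. The provider URL, the scope names and the `session` dict standing in for a server session are all assumptions.

```python
"""Added example: server-side OAuth 2.0 authorization-code handling when the
only goal is authentication. Provider URL, scope names and the session store
are placeholders, not any specific vendor's API."""
import hmac
import secrets
from urllib.parse import urlencode, parse_qs

AUTHORIZE_URL = "https://provider.example/oauth2/authorize"  # assumed endpoint
LOGIN_SCOPE = "openid profile"  # assumed names for "identify the user, nothing more"


def build_authorize_url(client_id, redirect_uri, session):
    """Ask only for the scope the login needs; wider scopes (contacts, posts,
    ...) are exactly what makes customers wary, as the answer notes."""
    state = secrets.token_urlsafe(32)           # per-request anti-CSRF value
    session["oauth_state"] = state               # session is a stand-in dict
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": LOGIN_SCOPE, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(redirect_query, session):
    """Validate the provider's redirect before the code is exchanged."""
    q = parse_qs(redirect_query)
    expected = session.pop("oauth_state", None)  # single use
    got = q.get("state", [None])[0]
    if not expected or got is None or not hmac.compare_digest(expected, got):
        raise ValueError("state mismatch: callback not tied to this login")
    if "error" in q:
        raise ValueError("provider error: " + q["error"][0])
    return q["code"][0]


def check_granted_scope(token_response, requested=LOGIN_SCOPE):
    """Refuse tokens carrying more authority than the login asked for, so a
    misconfigured consent screen cannot silently widen the app's access."""
    granted = set(token_response.get("scope", requested).split())
    extra = granted - set(requested.split())
    if extra:
        raise ValueError("token grants unneeded scopes: " + " ".join(sorted(extra)))
    return token_response["access_token"]
```

The token exchange itself (POSTing the code to the provider's token endpoint) is left out because its parameters differ per provider; `check_granted_scope` is applied to whatever JSON that call returns.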