ruby-on-rails, oauth, omniauth

difference between OAuth2 and Omniauth


I've read a lot about Omniauth and OAuth2, and how Omniauth uses OAuth, but I don't really understand what the aim of each one is.

For example, I know that with Omniauth I can get back the params I sent with

@auth['omniauth.params']

but if I'm using OAuth, without Omniauth, can I do the same?

My real problem is that I don't understand the difference between them, where Omniauth ends and OAuth starts, and what I can do with Omniauth that is not possible with OAuth.


Solution

In this answer, I'm assuming you're using Rails (or some other Rack-based framework), because Omniauth doesn't make much sense without that.

Start with OAuth2. OAuth is a system for authorizing a user on one site using their authentication on another site. OAuth itself describes the system by which this is managed, but it does not specify the code the sites use to carry it out. (This means, for example, a PHP-based site could use a Ruby-based site as a provider, and not need to know what's happening behind the scenes at the provider.)

This is where Omniauth comes in. Omniauth is a package for supporting decentralized authentication in Rack-based sites. OAuth2 is one of the protocols it supports for handling this, and it incorporates a class named OAuth2 which is a Ruby implementation of the OAuth2 specification. You can think of Omniauth as a wrapper around OAuth2 which handles the details of the protocol without bothering you too much with them.

You could use the OAuth2 gem/class without using Omniauth, and deal with the specifics of authenticating over OAuth2 yourself, but I'm not sure why.

As far as what you can do with Omniauth that isn't possible with OAuth, most of it is authenticating with other non-OAuth services (Omniauth allows the use of community-built "strategies" for authenticating to e.g. Stack Exchange).
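To make the split between the two concrete, here is an added example (not code from the answer, the Omniauth project or the oauth2 gem) of a tiny authorization-code "strategy" with the same two phases Omniauth's middleware runs. The protocol work is building the authorize redirect and exchanging the code for a token; the middleware work is minting and checking the `state` value and carrying your own params through the round trip, which is what Omniauth hands back as `omniauth.params`. Class, endpoint and session-key names are hypothetical, and the token exchange is injected so the example runs offline against a constructed provider.

```ruby
require "securerandom"
require "uri"
require "cgi"

class MiniOAuth2Strategy
  AUTHORIZE_URL = "https://provider.example/oauth/authorize" # placeholder provider

  # exchange: a callable that swaps an authorization code for a token (HTTP in real life)
  def initialize(client_id:, redirect_uri:, exchange:)
    @client_id, @redirect_uri, @exchange = client_id, redirect_uri, exchange
  end

  # Request phase. OAuth2 part: the redirect to the provider's authorize endpoint.
  # Middleware part: an unguessable state, plus the app's own params stashed in the
  # session so they survive the trip to the provider and back.
  def request_phase(session, params)
    state = SecureRandom.hex(16)
    session["oauth.state"] = state
    session["oauth.params"] = params # e.g. {"return_to" => "/dashboard"}
    query = { response_type: "code", client_id: @client_id,
              redirect_uri: @redirect_uri, state: state }
    "#{AUTHORIZE_URL}?#{URI.encode_www_form(query)}"
  end

  # Callback phase: reject a callback whose state does not match the one we issued
  # (login CSRF), surface provider errors, then exchange the code for a token and
  # return it together with the params that were stashed in the request phase.
  def callback_phase(session, query_string)
    q = CGI.parse(query_string).transform_values(&:first)
    expected = session.delete("oauth.state")
    unless expected && q["state"] && secure_compare(expected, q["state"])
      return { error: "csrf_detected" }
    end
    return { error: q["error"] } if q["error"]
    token = @exchange.call(code: q["code"], redirect_uri: @redirect_uri)
    { token: token, params: session.delete("oauth.params") }
  end

  private

  # Constant-time comparison so the state check does not leak through timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed stand-in for the provider's token endpoint: one known code, no network.
FAKE_EXCHANGE = ->(code:, redirect_uri:) { code == "abc123" ? "access-token-1" : nil }
```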