
I am designing a web/mobile app that aggregates and customizably presents hobby/lifestyle-related data from 3rd party web services (Stage 1). If the site gains popularity, I plan to offer related sporting gear for sale (Stage 2).

I am relatively new to OpenID/OAuth and plan to use it for Stage 1 in much the same way Stackexchange does as security concerns are comparably low -- the user profile data does not contain any financials and mostly just contain user preferences that can easily be rebuilt. However, I am reluctant about using OpenID/OAuth for Stage 2 considering there will be financial and personal data.

Q1: Are there any examples of sites that successfully and safely implement OpenID/OAuth while storing users' financial and personal data?

Q2: If the site only uses CC/PayPal data transiently, i.e. the user has to reenter the sensitive info upon each transaction, which is not stored, is the use of OpenID/OAuth more applicable and less risky?

Q3: Is it even possible to get an SSL certificate for this type of authentication/authorization architecture?

BONUS: Even if A1 is yes (or the technology hypothetically evolves into being applicable), do you anticipate that the end users will not trust a site that outsources authentication with their financial data (this is more of a psychological question)?


  • Are you looking to add OpenID as an authentication mechanism (similar to how Stack Overflow works) or are you looking to use OAuth to retrieve data from other sites (or allow data from your site to be retrieved)? OpenID and OAuth are used for different things, so be clear which one you are looking for. – Mark S. Mar 18 '13 at 22:13
  • Authentication primarily. I was hoping OAuth would allow me to store and manage permissioning levels and ACL with the remote service provider, but if that is not possible then most likely just retrieve the FB profile picture – amphibient Mar 18 '13 at 22:43
  • You would need OpenID for authorization, but OAuth to pull data (such as the FB profile picture and any other data) – Mark S. Mar 19 '13 at 21:09

1 Answer

  1. Google has OAuth/OpenID services and also stores financial information.
  2. For security reasons, you should have additional verification around any sensitive information.
  3. SSL only verifies that when someone wants to reach your site, they are actually reaching your site. OpenID and OAuth wouldn't impact the ability to get an SSL certificate.
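The split the comments describe (OpenID for who the user is, OAuth for pulling data) and the answer's point 2 (extra verification around sensitive data) can be shown in code. The following is an added example, not code from the question, the answer, or any real provider: a relying party validates the claims of an OpenID Connect ID token after its signature has been checked, then gates the card-entry step behind a local step-up check that a federated login alone does not satisfy. The issuer URL, client ID, claim values and the function names (validate_id_token_claims, Session, checkout_allowed, record_step_up) are all assumptions constructed for this illustration; signature verification against the provider's JWKS is assumed to have been done by a JOSE library beforehand.

```python
# Added example (not from the original Q&A). Issuer, client ID, claims and
# function names are hypothetical; signature verification is assumed done.
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical relying-party configuration (constructed for this example).
EXPECTED_ISSUER = "https://accounts.example-idp.test"
CLIENT_ID = "hobby-app-client-id"
CLOCK_SKEW = 60           # seconds of tolerated clock drift
STEP_UP_MAX_AGE = 300     # checkout needs a local re-verification this recent


class TokenError(ValueError):
    """Raised when an ID token's claims do not satisfy the relying party."""


def validate_id_token_claims(claims, expected_nonce, now=None):
    """OpenID Connect Core claim checks done after signature verification:
    iss, aud/azp, exp, iat and nonce. Returns the subject on success."""
    now = time.time() if now is None else now

    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("issuer mismatch")

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise TokenError("token not issued for this client")
    # With several audiences the token must name us as the authorized party.
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise TokenError("azp does not match client")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW:
        raise TokenError("token expired")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_SKEW:
        raise TokenError("token issued in the future")

    # The nonce ties this token to the login request we started; a token
    # replayed from another session carries a different (or no) nonce.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")

    sub = claims.get("sub")
    if not sub:
        raise TokenError("missing subject")
    return sub


@dataclass
class Session:
    """Server-side session for a user who logged in via the identity provider."""
    sub: str
    login_time: float
    # Time of the most recent verification performed by this site itself
    # (e.g. a second factor); None until the user has done it this session.
    step_up_time: Optional[float] = None


def checkout_allowed(session, now=None):
    """The 'additional verification' gate: federated login is enough for
    browsing preferences, but the card-entry step requires a recent local
    verification regardless of who authenticated the user."""
    now = time.time() if now is None else now
    if session.step_up_time is None:
        return False
    return (now - session.step_up_time) <= STEP_UP_MAX_AGE


def record_step_up(session, now=None):
    """Mark that the user just passed the site's own verification step."""
    session.step_up_time = time.time() if now is None else now
    return session


# Constructed sample claims, shaped like a verified ID token payload.
SAMPLE_NOW = 1_700_000_000
SAMPLE_NONCE = "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "sub": "user-12345",
    "aud": CLIENT_ID,
    "exp": SAMPLE_NOW + 3600,
    "iat": SAMPLE_NOW,
    "nonce": SAMPLE_NONCE,
}


def demo():
    """Login via the provider, then show checkout gated by local step-up."""
    sub = validate_id_token_claims(SAMPLE_CLAIMS, SAMPLE_NONCE, now=SAMPLE_NOW)
    session = Session(sub=sub, login_time=SAMPLE_NOW)
    before = checkout_allowed(session, now=SAMPLE_NOW + 10)
    record_step_up(session, now=SAMPLE_NOW + 20)
    after = checkout_allowed(session, now=SAMPLE_NOW + 30)
    stale = checkout_allowed(session, now=SAMPLE_NOW + 20 + STEP_UP_MAX_AGE + 1)
    return sub, before, after, stale


if __name__ == "__main__":
    print(demo())
```

The design point is that outsourcing authentication does not mean outsourcing authorization for the sensitive step: the provider proves the subject, the site decides what that subject may do, and the checkout path demands its own fresh verification so a long-lived federated session cannot reach card entry on its own. Card data itself is never held in the session here; it is only ever entered into the payment step.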