[OpenID] Platform-ing the web with Federated hubs and syndicated apps

Peter Williams pwilliams at rapattoni.com
Sun Jul 22 19:56:10 UTC 2007


________________________________

From: general-bounces at openid.net on behalf of S. Sriram
Sent: Sun 7/22/2007 11:58 AM
To: general at openid.net
Subject: [OpenID] Platform-ing the web with Federated hubs and syndicated apps


Hi,
 
it seems to me that there could be a fairly easy way to
'Platform the web with Federated hubs and syndicated apps',
using Open-Id like principles. I'd appreciate any thoughts,
issues etc. on this.
 
------
 
Spoke likely has hundreds of hubs that syndicate its app. So, if a
user were to land up at spoke.com how can they access their 
hub.com/user_id account 
- one could use an OpenId like dance without the server discovery bit
 
Thanks
S. Sriram
 
-----------------------------------
 
I believe you are basically describing -- in the edited version of your post, above -- IDP/OP-initiated webSSO. By definition, this can mean the spoke avoiding the requirement to complete IDP/OP discovery.
 
In spec terms, this is a local implementation matter in OpenID, in my view. But, some security amendments would obviously be needed to do it in an interoperable manner, learning from other idp-initiated WebSSO protocol designs.
 
User logs onto IDP Hub (e.g. msn.com) using Passport/cardspace say. They click a syndicated spoke link, for which this IDP has a previous OpenID association established with that (syndicated merchant site) spoke. The resulting link redirect to the syndicated site is accompanied by hmac-signed attributes: "hub OP URL" and "OpenID associated with the Passport user". (*) On landing at the spoke's assertion consumer endpoint, an OpenID Auth protocol run then occurs, as today, now with some confidence about the validity of the OP's endpoint address.

I am wondering, incidentally, about adopting this model for a first OpenID deployment, though it's a little inappropriate given the wider mission of the group. IDP-initiated webSSO is a much easier first step to get going in practice, requiring much less of an infrastructure refit. Obviously, it is much less distributed or user-centric. But, if OpenIDs are going to be "issued" by all-powerful IDPs using enterprise management models over users, there is really no reason to avoid IDP-initiated WebSSO.

(*) home_pw at msn.com becomes "home_pw.msn.openid.live.com", much like AOL does for AOL screennames. Yes! being a (happy) MSN user for 10 years, means I'm braindead - in the eyes of many others.
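The hub-to-spoke redirect sketched above, as an added example that is not code from the original post or from any OpenID implementation: the hub signs "hub OP URL" and the user's OpenID with the shared secret of an existing association (HMAC-SHA1 over an OpenID-style key:value form), and the spoke's consumer endpoint verifies the MAC, checks that the asserted OP URL matches the one the association was made with, and rejects stale redirects before it proceeds to the normal OpenID run. The association table, endpoint URLs, and the issued_at/nonce fields are constructed assumptions, not part of the post.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed association table held by the spoke. In OpenID the handle and
# shared secret come from the association handshake with the OP; these values
# are made up so the example runs offline.
ASSOCIATIONS = {
    "assoc-4711": {
        "secret": bytes.fromhex("00112233445566778899aabbccddeeff00112233"),
        "op_endpoint": "https://hub.example/openid",   # hypothetical hub OP URL
    },
}

# Fields covered by the MAC; issued_at and nonce are the "security amendment"
# (freshness/replay protection) assumed here, not something the post specifies.
SIGNED = ("op_endpoint", "identity", "assoc_handle", "issued_at", "nonce")


def _kv_form(params):
    # OpenID-style "key:value\n" canonical form over the signed fields only.
    return "".join(f"{k}:{params[k]}\n" for k in SIGNED).encode()


def hub_sign_redirect(assoc_handle, identity, spoke_consumer_url, now=None):
    """Hub side: build the syndicated link the logged-in user is sent to."""
    assoc = ASSOCIATIONS[assoc_handle]
    params = {
        "op_endpoint": assoc["op_endpoint"],
        "identity": identity,
        "assoc_handle": assoc_handle,
        "issued_at": str(int(now if now is not None else time.time())),
        "nonce": secrets.token_urlsafe(16),
    }
    mac = hmac.new(assoc["secret"], _kv_form(params), hashlib.sha1).digest()
    params["sig"] = base64.b64encode(mac).decode()
    return f"{spoke_consumer_url}?{urlencode(params)}"


def spoke_verify_redirect(url, now=None, max_age=300):
    """Spoke side: verify the MAC before trusting op_endpoint in place of discovery."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if any(k not in q for k in SIGNED) or "sig" not in q:
        raise ValueError("missing signed field")
    assoc = ASSOCIATIONS.get(q["assoc_handle"])
    if assoc is None:
        raise ValueError("unknown association handle")
    expected = hmac.new(assoc["secret"], _kv_form(q), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, base64.b64decode(q["sig"])):
        raise ValueError("bad signature")
    if q["op_endpoint"] != assoc["op_endpoint"]:
        raise ValueError("op_endpoint does not match the association")
    age = (now if now is not None else time.time()) - int(q["issued_at"])
    if not 0 <= age <= max_age:
        raise ValueError("stale or future-dated redirect")
    return q["op_endpoint"], q["identity"]
```

The returned op_endpoint and identity are then fed into the ordinary OpenID authentication run the post describes; a rejected redirect falls back to normal discovery or a login error rather than trusting the link.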
