[OpenID] Multiple Domains and State
Trey Long
trey at propeller.com
Wed Apr 23 01:59:27 UTC 2008
A few colleagues of mine and I have discussed the multiple-domain
nature of our organization, how OpenID handles those requests, and
how we could optimize the process. What we're looking for is a central
OpenID proxy that maintains one state for all of our domains.
Instead of building a separate service that breaks the rules of OpenID,
I want to discuss the implications of this idea and whether it could be
built on OpenID, or whether OpenID already supports it (I couldn't find
it in the spec).
Example:
Let's use these pretend domains for my example.
openid.com - OpenID provider
openid.com/trey - My OpenID
auth.com - Arbiter of authorization and state / OpenID relay
related-b.com - Content provider and consumer of auth.com
related-a.com - Content provider and consumer of auth.com
Let's start the hypothetical:
I am browsing related-b.com and I come to a point where I need to
log in. When I initiate the login process I choose OpenID (or support
OpenID only) and get a redirect to auth.com. I go through the
authentication process on auth.com, which proxies the information to
openid.com. After the OpenID process is finished, auth.com sends me
back to my site with the required authorization tokens / nonce, which
related-b.com uses to open a session for me.
Now I move to related-a.com, which has the same database of users as
related-b.com (though this shouldn't matter). When I click login I am
sent to auth.com, which has a login state saved for me via cookie
session and immediately sends me back to related-a.com with the
authorization token. An encrypted 'openid.com/trey', using a
domain-specific key, is sent directly from auth.com to related-a.com, and then
related-a.com starts a session for my user.
This is a somewhat abbreviated concept since it's in an email. We have
thought through the technical difficulties and it's very possible. The
question is: does OpenID support forwarding or delegating
authentication through a central server? If not, is this something
that could be added to the OpenID standard? If not, what are the
problems with this approach from a technical and security perspective?
Sorry for the length. Thank you, Trey.
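The second-site round trip that Trey sketches (relay already holds a cookie session, hands related-a.com a token bound to that domain), written out as an added example; this is not code from the post, from auth.com, or from any OpenID library. The domain names are the email's placeholders; the per-domain keys, the token field names, the 60-second lifetime and the HMAC construction are assumptions. It uses a keyed MAC rather than plain encryption of the identifier, because what the relying party actually needs to check is that the token was minted for its domain, for the login it just started, and recently; the checks in `accept` show what happens when a token minted for related-a.com is replayed, or presented to related-b.com.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-relying-party keys, shared out of band between the
# relay (auth.com) and each content site. Values are placeholders.
RP_KEYS = {
    "related-a.com": b"constructed-key-for-related-a",
    "related-b.com": b"constructed-key-for-related-b",
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Relay:
    """auth.com: one login session per browser, per-domain tokens on request."""

    def __init__(self, keys):
        self.keys = keys
        self.sessions = {}  # session cookie value -> verified OpenID identifier

    def complete_openid_login(self, identifier: str) -> str:
        # Called once the real OpenID exchange with openid.com has finished;
        # the relay now remembers the verified identifier against a cookie.
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = identifier
        return cookie

    def issue(self, cookie, rp_domain, rp_nonce, now=None):
        """Mint a token for rp_domain if the browser has a live session."""
        identifier = self.sessions.get(cookie)
        if identifier is None:
            return None  # no saved state: the full OpenID flow would run instead
        now = int(time.time()) if now is None else now
        payload = {"sub": identifier, "aud": rp_domain, "nonce": rp_nonce,
                   "iat": now, "exp": now + 60}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        tag = hmac.new(self.keys[rp_domain], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag


class RelyingParty:
    """related-a.com / related-b.com: checks tokens with its own domain key."""

    def __init__(self, domain, key):
        self.domain, self.key = domain, key
        self.pending = set()  # nonces this site issued and has not yet consumed

    def start_login(self) -> str:
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return nonce

    def accept(self, token, now=None):
        """Return the OpenID identifier if the token is for us, fresh and unused."""
        now = int(time.time()) if now is None else now
        if token is None or "." not in token:
            return None
        body, tag = token.split(".", 1)
        expect = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expect):
            return None  # minted under another domain's key, or forged
        claims = json.loads(_unb64(body))
        if claims["aud"] != self.domain or not (claims["iat"] <= now < claims["exp"]):
            return None  # wrong audience or outside the validity window
        if claims["nonce"] not in self.pending:
            return None  # nonce we never issued, or already consumed (replay)
        self.pending.discard(claims["nonce"])
        return claims["sub"]


def demo():
    relay = Relay(RP_KEYS)
    rp_a = RelyingParty("related-a.com", RP_KEYS["related-a.com"])
    rp_b = RelyingParty("related-b.com", RP_KEYS["related-b.com"])
    # First visit: related-b.com sends the browser to auth.com, which runs
    # the OpenID exchange with openid.com and then tokenizes the result.
    cookie = relay.complete_openid_login("http://openid.com/trey")
    user_b = rp_b.accept(relay.issue(cookie, "related-b.com", rp_b.start_login()))
    # Second visit: related-a.com; auth.com finds the cookie session and
    # answers immediately with a token bound to related-a.com.
    token_a = relay.issue(cookie, "related-a.com", rp_a.start_login())
    user_a = rp_a.accept(token_a)
    replayed = rp_a.accept(token_a)  # same nonce again: rejected
    # A token minted for related-a.com presented to related-b.com fails the MAC.
    cross = rp_b.accept(relay.issue(cookie, "related-a.com", rp_b.start_login()))
    return user_b, user_a, replayed, cross
```

Running `demo()` gives the identifier for both sites on the first presentation, `None` for the replayed token and `None` for the cross-domain one; a browser without a relay cookie gets no token at all and would be put through the full OpenID flow.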