[OpenID] Multiple Domains and State
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Wed Apr 23 02:40:06 UTC 2008
One provider can handle multiple domain names and the URI doesn't have
to be that of the provider (at least for 2.0 specs). You can have
multiple IDs at the same provider too... did you really look into all
possible options?
Considering you are already logged in at your provider, it will
authenticate all your different URIs the same, making your scenario
below somewhat superfluous I think....
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
Trey Long:
> A few colleagues of mine and I have discussed the multiple domain
> nature of our organization and how openId handles those requests and
> how we could optimize the process. What we're looking for is a central
> openId proxy that maintains one state for all of our domains.
>
> Instead of building a separate service that breaks the rules of openId
> I want to discuss the implication of this idea and if it could be
> built on openId or perhaps openId already supports it (I couldn't find
> it in the spec).
>
>
> Example:
> Let's use these pretend domains for my example.
> openid.com - OpenId provider
> openid.com/trey - My openid
> auth.com - Arbiter of authorization and state / openId relay
> related-b.com - Content provider and consumer of auth.com
> related-a.com - Content provider and consumer of auth.com
>
> Let's start the hypothetical:
>
> I am browsing related-b.com and I come to a point where I need to
> login. When I initiate the login process I choose openId (or support
> openId only) and get a redirect to auth.com. I go through the
> authentication process on auth.com which proxies the information to
> openid.com. After the openId process is finished auth.com sends me
> back to my site with the required authorization tokens / nonce which
> related-b.com uses to open a session for me.
>
> Now I move to related-a.com which has the same database of users as
> related-b.com (though this shouldn't matter). When I click login I am
> sent to auth.com which has a login state saved for me via cookie
> session and immediately sends me back to related-a.com with the
> authorization token. An encrypted 'openid.com/trey' using a domain
> specific key is sent directly from auth.com to related-a.com and then
> related-a.com starts a session for my user.
>
>
> This is a somewhat abbreviated concept since it's in an email. We have
> thought through any technical difficulties and it's very possible. The
> question is does openId support forwarding or delegating
> authentication through a central server? If not, is this something
> that could be added to the openId standard? If not, what are the
> problems with this approach from a technical and security perspective?
>
> Sorry for the length, thank you, Trey.
>