[OpenID] Multiple Domains and State
Trey Long
trey at propeller.com
Wed Apr 23 14:21:22 UTC 2008
I am not sure that I did, which is the reason for my email. One
provider handling multiple domains isn't the question really, I am
sure it can.
I want to use auth.com to talk to all of my other domains and maintain
state when browsing from one top level domain to the next. But my
openId users come from yahoo.com, aol.com and openId-provider-etc.com.
I can make a home brew solution where auth.com will validate the
openId users and speak to my own backends similar to what openId does
itself. Is there a part of openId that already does this?
On Apr 22, 2008, at 10:40 PM, Eddy Nigg (StartCom Ltd.) wrote:
> One provider can handle multiple domain names and the URI doesn't
> have to be that of the provider (at least for 2.0 specs). You can
> have multiple ID's at the same provider too...did you really look
> into all possible options?
>
> Considering you are already logged in at your provider, it will
> authenticate all your different URI's the same, making your scenario
> below somewhat superfluous I think....
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: startcom at startcom.org
> Blog: Join the Revolution!
> Phone: +1.213.341.0390
>
>
>
> Trey Long:
>>
>> A few colleagues of mine and I have discussed the multiple domain
>> nature of our organization, how openId handles those requests, and
>> how we could optimize the process. What we're looking for is a central
>> openId proxy that maintains one state for all of our domains.
>>
>> Instead of building a separate service that breaks the rules of openId
>> I want to discuss the implication of this idea and whether it could be
>> built on openId or perhaps openId already supports it (I couldn't find
>> it in the spec).
>>
>>
>> Example:
>> Let's use these pretend domains for my example.
>> openid.com - OpenId provider
>> openid.com/trey - My openid
>> auth.com - Arbiter of authorization and state / openId relay
>> related-b.com - Content provider and consumer of auth.com
>> related-a.com - Content provider and consumer of auth.com
>>
>> Let's start the hypothetical:
>>
>> I am browsing related-b.com and I come to a point where I need to
>> login. When I initiate the login process I choose openId (or support
>> openId only) and get a redirect to auth.com. I go through the
>> authentication process on auth.com which proxies the information to
>> openid.com. After the openId process is finished auth.com sends me
>> back to my site with the required authorization tokens / nonce which
>> related-b.com uses to open a session for me.
>>
>> Now I move to related-a.com which has the same database of users as
>> related-b.com (though this shouldn't matter). When I click login I am
>> sent to auth.com which has a login state saved for me via cookie
>> session and immediately sends me back to related-a.com with the
>> authorization token. An encrypted 'openid.com/trey' using a domain
>> specific key is sent directly from auth.com to related-a.com and then
>> related-a.com starts a session for my user.
>>
>>
>> This is a somewhat abbreviated concept since it's in an email. We have
>> thought through the technical difficulties and it's very possible. The
>> question is: does openId support forwarding or delegating
>> authentication through a central server? If not, is this something
>> that could be added to the openId standard? If not, what are the
>> problems with this approach from a technical and security
>> perspective?
>>
>> Sorry for the length, thank you, Trey.
>>
>
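The auth.com to related-a.com hand-off described in the thread, as an added illustration that is not code from the thread or from any OpenID library. It assumes a per-domain shared key (the "domain specific key" above) and uses an HMAC-signed token rather than the encryption the post mentions, since what the consumer domain must establish is that auth.com minted the token for it; the token is bound to one audience, expires quickly and carries a nonce so it cannot be replayed or presented to a sibling domain.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed keys that auth.com shares with each consumer domain (assumed).
DOMAIN_KEYS = {
    "related-a.com": secrets.token_bytes(32),
    "related-b.com": secrets.token_bytes(32),
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(identity, audience, now=None):
    """auth.com side: bind an already-verified OpenID to one consumer domain."""
    now = time.time() if now is None else now
    claims = {
        "sub": identity,                # e.g. "openid.com/trey"
        "aud": audience,                # only this domain may accept the token
        "nonce": secrets.token_hex(8),  # lets the consumer detect replay
        "exp": int(now) + 60,           # only has to survive one redirect
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(DOMAIN_KEYS[audience], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)

def verify_token(token, audience, seen_nonces, now=None):
    """Consumer side (e.g. related-a.com): return the identity, or None if rejected."""
    now = time.time() if now is None else now
    try:
        body, mac_b64 = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(DOMAIN_KEYS[audience], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac_b64)):
        return None     # minted for another domain, or not by auth.com at all
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience or claims.get("exp", 0) < now:
        return None     # wrong audience or expired
    if claims.get("nonce") in seen_nonces:
        return None     # replayed token
    seen_nonces.add(claims["nonce"])
    return claims["sub"]
```

The consumer still has to keep `seen_nonces` at least as long as the token lifetime, and each domain must hold only its own key, otherwise the audience binding gives nothing.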