[OpenID] Multiple Domains and State

Nate Klingenstein ndk at internet2.edu
Wed Apr 23 15:19:14 UTC 2008


Trey & Eddy,

We've experimented with this style of authentication chaining (read:  
proxying) for quite some time, and there are legitimate use cases for  
it when the intercepting party is adding attributes or doing protocol  
translation.  OP -> RP -> OP -> RP, essentially.

The implementation's really simple and generally doesn't even require  
any new code, but there are two real caveats:

1)  The user interface issues associated with choosing two different  
identifiers can be challenging for users.  How do they know which OP  
to use when?  Do they have to go through two identity selection steps?
2)  Preserving trusted attributes/identity information from the  
original OP/IdP through to the end consumer is really difficult when  
you're dealing with bearer credentials.  There are no real controls  
on the repackaging of information by the middle box that are easily  
enforced, so it has to be a trusted service.  If the middle box is  
only asserting information and identifiers for which it's  
authoritative, this is moot, but it also makes the use case a lot  
less interesting.

Take care,
Nate.

On 23 Apr 2008, at 14:27, Eddy Nigg (StartCom Ltd.) wrote:

> I guess not, but I think this is entirely possible: auth.com is an  
> OpenID provider to authenticate to other sites, using itself an  
> OpenID consumer for authentication :-) Seems to be a quite easy  
> implementation IMO.
