[OpenID] Multiple Domains and State
Trey Long
trey at propeller.com
Wed Apr 23 15:51:13 UTC 2008
It's good to know someone has actually experimented with this concept
a little bit. Forgive my ignorance but I do not understand your
response completely.
About #1. If OpenIDs are unique, why would the authenticating party
need to specify which one out of two or more? Assuming they were using
one OpenID for my properties, we could use that openId-provider.com/
username as the key to look up the user on the original domain.
Also, to double check: you are saying that OpenID supports -- or maybe
more specifically doesn't prohibit -- chaining authentication to an
intermediary server?
Lastly, is there anything published online (specs, docs, howtos,
thoughts or reflections) about what we're trying to do here that you
know of?
Trey.
On Apr 23, 2008, at 11:19 AM, Nate Klingenstein wrote:
> Trey & Eddy,
>
> We've experimented with this style of authentication chaining (read:
> proxying) for quite some time, and there are legitimate use cases
> for it when the intercepting party is adding attributes or doing
> protocol translation. OP -> RP -> OP -> RP, essentially.
>
> The implementation's really simple and generally doesn't even
> require any new code, but there are two real caveats:
>
> 1) The user interface issues associated with choosing two different
> identifiers can be challenging for users. How do they know which OP
> to use when? Do they have to go through two identity selection steps?
> 2) Preserving trusted attributes/identity information from the
> original OP/IdP through to the end consumer is really difficult when
> you're dealing with bearer credentials. There are no real controls
> on the repackaging of information by the middle box that are easily
> enforced, so it has to be a trusted service. If the middle box is
> only asserting information and identifiers for which it's
> authoritative, this is moot, but it also makes the use case a lot
> less interesting.
>
> Take care,
> Nate.
>
> On 23 Apr 2008, at 14:27, Eddy Nigg (StartCom Ltd.) wrote:
>> I guess not, but I think this is entirely possible: auth.com is an
>> OpenID provider to authenticate to other sites, using itself an
>> OpenID consumer for authentication :-) Seems to be a quite easy
>> implementation IMO.
>