[OpenID] Multiple Domains and State
SitG Admin
sysadmin at shadowsinthegarden.com
Wed Apr 23 18:11:40 UTC 2008
At 3:19 PM +0000 4/23/08, Nate Klingenstein wrote:
>1) The user interface issues associated with choosing two different
>identifiers can be challenging for users. How do they know which OP
>to use when? Do they have to go through two identity selection steps?

Possibly. Automating the redirection could make it seem as if they
were being phished - and we don't want to teach users that
phishing-like behavior can be okay.

But as for knowing which to use when, it's simple enough - just have
the secondary Consumers know that they only want to accept assertions
from the central Consumer (in its Provider phase), and if anyone else
requests login, they should be told "go here instead, it is off-site
but you will be sent back when you are all done" and shown the link
to that page.

Looking ahead - in case users try to log in to multiple domains
simultaneously, keep track at the central Consumer of which secondary
domain they were trying to log in at *per OpenID authentication
attempt*, so you can redirect them appropriately. (This redirection
wouldn't be in the OpenID specs, because you're sending them back to
the secondary domain they originally tried to log in at, after they
*complete* the login process at the central domain.) Otherwise you
might get a user starting to log in at site A, and then (while
waiting for that window/tab to load) starting to log in at site B,
then returning to site A to enter a password while site B loads, only
to find that they're being returned to site B in the A window.

At 11:51 AM -0400 4/23/08, Trey Long wrote:
>Lastly, is there anything published online (specs, docs, howtos,
>thoughts or reflections) about what we're trying to do here that you
>know of?

It's not exactly what you're trying to do, but may be a good
alternative; the bright folks over at MyOpenID.com realized that
people with their own domains could use DNS to redirect selected host
names to the authentication site. See here for details:
https://www.myopenid.com/product_domains

Maybe you can do the same thing with a Consumer?
-Shade
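
An added example, not part of the original message and not code from any OpenID library: one way a central Consumer could keep the per-attempt state described above, so that overlapping logins started at sites A and B each return to their own site. The host names, `AttemptStore`, and the choice to carry the attempt id through the OpenID round trip (for instance as a query parameter on the central Consumer's own return URL) are assumptions.

```python
import secrets
import time
from urllib.parse import urlsplit

# Assumed placeholder hosts; the message names no real secondary domains.
SECONDARY_ORIGINS = {"https://a.example", "https://b.example"}
ATTEMPT_TTL = 600  # seconds an unfinished login attempt stays valid


class AttemptStore:
    """Maps each authentication attempt to the secondary site that started it."""

    def __init__(self, now=time.time):
        self._attempts = {}  # attempt_id -> (session_id, return_to, expires)
        self._now = now

    def begin(self, session_id, return_to):
        """Called when a secondary Consumer sends the user to the central one."""
        parts = urlsplit(return_to)
        origin = f"{parts.scheme}://{parts.netloc}"
        # Only known secondary domains may be redirect targets; anything else
        # would turn the central Consumer into an open redirector.
        if origin not in SECONDARY_ORIGINS:
            raise ValueError("return_to is not a known secondary domain")
        attempt_id = secrets.token_urlsafe(32)  # unguessable, one per attempt
        expires = self._now() + ATTEMPT_TTL
        self._attempts[attempt_id] = (session_id, return_to, expires)
        return attempt_id

    def complete(self, session_id, attempt_id):
        """Called after login finishes; returns where to send this window."""
        # pop() makes the id single-use, and a failed check below still
        # consumes it, so a replayed or stolen id cannot be retried.
        record = self._attempts.pop(attempt_id, None)
        if record is None:
            raise KeyError("unknown or already used attempt")
        owner, return_to, expires = record
        if owner != session_id or self._now() > expires:
            raise PermissionError("attempt expired or belongs to another session")
        return return_to


if __name__ == "__main__":
    store = AttemptStore()
    tab_a = store.begin("session-1", "https://a.example/after-login")
    tab_b = store.begin("session-1", "https://b.example/after-login")
    # The B tab finishes first, yet each tab still goes back to its own site.
    print(store.complete("session-1", tab_b))
    print(store.complete("session-1", tab_a))
```

Keying the state by attempt rather than by user session is what prevents the "returned to site B in the A window" mix-up, since a single session-wide "last site" value would be overwritten by the second tab.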