[OpenID] Multiple Domains and State

SitG Admin sysadmin at shadowsinthegarden.com
Wed Apr 23 18:11:40 UTC 2008


At 3:19 PM +0000 4/23/08, Nate Klingenstein wrote:
>1)  The user interface issues associated with choosing two different
>identifiers can be challenging for users.  How do they know which OP
>to use when?  Do they have to go through two identity selection steps?

Possibly. Automating the redirection could make it seem as if they 
were being phished - and we don't want to teach users that 
phishing-like behavior can be okay.

But as for knowing which to use when, it's simple enough - just have 
the secondary Consumers know that they only want to accept assertions 
from the central Consumer (in its Provider phase), and if anyone else 
requests login, they should be told "go here instead, it is off-site 
but you will be sent back when you are all done" and shown the link 
to that page.

Looking ahead - in case users try to log in to multiple domains 
simultaneously, keep track at the central Consumer of which secondary 
domain they were trying to log in at *per OpenID authentication 
attempt*, so you can redirect them appropriately. (This redirection 
wouldn't be in the OpenID specs, because you're sending them back to 
the secondary domain they originally tried to log in at, after they 
*complete* the login process at the central domain.) Otherwise you 
might get a user starting to log in at site A, and then (while 
waiting for that window/tab to load) starting to log in at site B, 
then returning to site A to enter a password while site B loads, only 
to find that they're being returned to site B in the A window.

At 11:51 AM -0400 4/23/08, Trey Long wrote:
>Lastly, is there anything published online (specs, docs, howtos,
>thoughts or reflections) about what we're trying to do here that you
>know of?

It's not exactly what you're trying to do, but may be a good 
alternative; the bright folks over at MyOpenID.com realized that 
people with their own domains could use DNS to redirect selected host 
names to the authentication site. See here for details:
https://www.myopenid.com/product_domains
Maybe you can do the same thing with a Consumer?

-Shade
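The per-attempt bookkeeping described above (the central Consumer remembering which secondary domain each login attempt started at, so the A/B two-tab case still returns each attempt to its own site) as an added Python sketch; it is not code from the thread or from any OpenID library, and the domain names, the allowlist and the handle storage are constructed assumptions. Beyond the post, it also restricts the stored return address to an allowlist so the central site cannot be used as an open redirector, and expires abandoned attempts.

```python
import secrets
import time
from urllib.parse import urlsplit

# Constructed allowlist of secondary Consumer domains (hypothetical names).
ALLOWED_RETURN_HOSTS = {"a.example.com", "b.example.com"}
ATTEMPT_TTL = 600  # seconds an unfinished attempt stays valid

# handle -> {"return_to": originating secondary URL, "created": timestamp}
_attempts = {}

def is_allowed_return_to(url):
    """Only https URLs on a known secondary domain may be stored; this keeps the
    central site from redirecting completed logins to arbitrary hosts."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_RETURN_HOSTS

def begin_attempt(return_to, now=None):
    """Record where this login attempt started and return an opaque handle
    that the central Consumer carries through its own OpenID round trip."""
    if not is_allowed_return_to(return_to):
        raise ValueError("return_to is not an allowed secondary domain")
    handle = secrets.token_urlsafe(32)  # unguessable, one per attempt
    created = time.time() if now is None else now
    _attempts[handle] = {"return_to": return_to, "created": created}
    return handle

def complete_attempt(handle, now=None):
    """Called once the OP assertion for this attempt has been verified.
    Consumes the handle; returns the originating URL, or None if the handle
    is unknown, already used, or expired."""
    entry = _attempts.pop(handle, None)
    if entry is None:
        return None
    current = time.time() if now is None else now
    if current - entry["created"] > ATTEMPT_TTL:
        return None
    return entry["return_to"]

def demo_interleaved():
    """The two-tab case from the post: attempts at A and B are started, then
    finished in a different order; each handle still maps to its own site,
    and a handle cannot be replayed."""
    h_a = begin_attempt("https://a.example.com/login")
    h_b = begin_attempt("https://b.example.com/login")
    return (complete_attempt(h_b), complete_attempt(h_a), complete_attempt(h_a))
```

The handle should also be bound to the user's browser session at the central Consumer, so that a handle seen in one browser cannot complete an attempt started in another.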
