[OpenID] OpenID through two-component server

Andrew Arnott andrewarnott at gmail.com
Wed Jun 1 21:27:46 UTC 2011


From your diagram it looks like the user never interacts with the
backend.  You should probably preserve that.

Ask yourself the question: How would I do this without OpenID?  If you
would accept a password, which server would present the HTML, and
accept the form POST, that asks the user for the password?  If that's
the frontend, then you should do OpenID on your frontend as well.

Whether you use OpenID or username/password, ultimately what that
interacting server should do is assign an auth cookie to the browser,
and then tell the backend (which trusts the frontend) which user it is
impersonating.  So in the case where the frontend is authenticating
the user, switching to OpenID shouldn't impact how the front and back
ends talk to each other at all.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - S. G. Tallentyre



On Wed, Jun 1, 2011 at 1:46 PM, Arthur Goldberg <goldberg at cbio.mskcc.org> wrote:
> Hello
>
> We would like to use OpenID authentication.
> But our system has two servers, not one: a Front-end provides analysis and a
> user interface, and a Back-end stores the data in a database and makes it
> available through a Web API.
>
> Thus, a user interacts with our system like this:
> Browser <-> Front-end <-> Back-end with Web API
>
> It seems that an easy way for us to use OpenID would be for the Back-end to
> act as a Relying Party and the Front-end to simply forward all OpenID
> protocol requests between the Browser and the Back-end. That is,
>
> - the Front-end will perform 7.1. Initiation (sections from OpenID
>   Authentication 2.0), and keep that connection open
> - the Front-end will forward the OpenID URL provided by the user to a service
>   on the Back-end, and keep that connection open
> - the Back-end then runs the OpenID protocol; the Front end acts as a tunnel
>   between the Browser and the Back-end; it forwards all responses it receives
>   from the Back-end to the Browser, and forwards all responses it receives
>   from the Browser to the Back-end (it would be easy to do this with raw
>   socket level code; I'm unsure of how to do it inside a servlet)
> - When the Front-end receives a Positive Assertion or a Negative Assertion it
>   will
>
> Does this make sense?
> Is there a better way to accomplish what I want to do?
> Does an existing implementation in Java exist that I could use?
>
> Thanks
> A
>
> --
> Senior Research Scientist
> Computational Biology
> Memorial Sloan-Kettering Cancer Center
> cBio Cancer Genomics Portal
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
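One way the front-end can tell the back-end which user it is acting for, as the reply above describes (an added example, not code from the thread): the front-end resolves its own auth cookie to a user and signs that identity with a key shared only with the back-end. The header names, the key, the session store and the 60-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: a key known only to the front-end and back-end (constructed value).
FRONTEND_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 60


def _tag(key, user_id, method, path, ts):
    # Newline-joined fields; fields containing newlines are rejected by callers.
    msg = "\n".join([user_id, method, path, ts]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def frontend_headers(cookie, sessions, method, path, now=None, key=FRONTEND_KEY):
    """Front-end: resolve its own auth cookie to a user and sign the assertion."""
    user_id = sessions.get(cookie)  # set at login (OpenID or password)
    if user_id is None or "\n" in user_id + method + path:
        return None  # not logged in, or unsafe field: assert nothing
    ts = str(int(time.time() if now is None else now))
    return {"X-Acting-User": user_id, "X-Assert-Time": ts,
            "X-Assert-Sig": _tag(key, user_id, method, path, ts)}


def backend_user(headers, method, path, now=None, key=FRONTEND_KEY):
    """Back-end: return the asserted user, or None if the front-end did not sign it."""
    user_id = headers.get("X-Acting-User", "")
    ts = headers.get("X-Assert-Time", "")
    sig = headers.get("X-Assert-Sig", "")
    if not user_id or not sig or not (ts.isascii() and ts.isdigit()):
        return None
    if "\n" in user_id + method + path:
        return None
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_AGE_SECONDS:
        return None  # stale assertion
    expected = _tag(key, user_id, method, path, ts)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return user_id


if __name__ == "__main__":
    sessions = {"cookie-abc": "https://alice.example.org/"}  # constructed session store
    h = frontend_headers("cookie-abc", sessions, "GET", "/api/samples")
    print(backend_user(h, "GET", "/api/samples"))
```

Because the signature covers the method and path as well as the user, a captured assertion cannot be reused for a different back-end call, and the back-end never sees an identity that came straight from the browser.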

