
How to approach multi-site authentication

We have a SaaS product that is branded for each of our clients along with their own domain. We're in the design phase of building an API that would allow third parties to create widgets or completely different websites for our clients. One of the first and hardest challenges is getting authentication right.

I'm not fully versed in how the Stack Exchange sites handle it but at first glance it seems like a similar scenario. Each site has their own accounts and authentication yet somehow they're linked together. When I log in to stackoverflow.com and then visit serverfault.com it automatically logs me in. Does anyone have any specifics on how they've implemented this?

A couple of things we're considering:

  • Do we make each account a "Stack Exchange" level account and then authorize each tenant and each application?
  • Do we let each tenant be their own OAuth provider and then just have the user authorize each application?
  • How could we handle auto-login like Stack Exchange does?

Again, we're still early in the process and want to get it right out of the gates. Any suggestions and best practices would be appreciated.

Micah asked Oct 27 '11 17:10



1 Answer

Though your question is quite old, it is still without an answer.

Here's information on how StackExchange multi-site authentication works (technical mostly):

  • https://meta.stackexchange.com/questions/64260/how-does-sos-new-auto-login-feature-work

And here's a blog post announcing it:

  • https://blog.stackoverflow.com/2010/09/global-network-auto-login/

I hope you find your answers. If you have already resolved your issue, please share your approach with us.

mcmlxxxiii answered Oct 13 '22 20:10
