Using OpenID to log into multiple domains: Is this plan feasible?

For example:

  • We're running two community sites on two domains (call them example.com and example.net).
  • We want to be able to expand that to more domains later.
  • We want to allow multiple types of login (OpenID, Facebook, Twitter, standard username/password).
  • We want someone who's logged into one site to automatically be logged into the other(s).

In other words, it's a bit similar to the StackExchange network.

In this case, would this plan work?

  • Set up example.com and example.net (and any later additions) as OpenID relying parties, which accept OpenID login from id.example.org only.
  • Set up example.com and example.net to do an OpenID reply-immediate request the first time you visit them, so that if you're logged into id.example.org you're immediately and automatically logged into the site you're visiting. They should set a cookie if you're not logged in, to save them doing this on every page request.
  • Set up id.example.org as an OpenID provider and consumer. It should also consume Facebook and other identity providers, and allow standard username/password access. (Multiple login methods could be attached to one account.)
  • On logout, simply change the authentication tokens in the database. The user will still have cookies, but they'll be meaningless. Thus the user can be signed out of all sites simultaneously. Multiple authentication tokens can be stored against one user at one time (and should be different for each site), so that the user can sign out in one browser but still be signed in in another. Signing out always signs out for all sites.

The only problem I can see with the above is this:

  • Someone visits example.com. A "not-logged-in" cookie is set.
  • Zie then goes onto example.net. Ditto.
  • Zie then signs in, and continues browsing on example.net.
  • Zie then goes back to example.com and, because of the "not-logged-in" cookie, is not checked against id.example.org and is therefore not logged in.
  • However, as soon as zie clicks the "log in" button, zie is logged in.

I don't think this is a major problem.

On the whole, I think it's a pretty good system. I'd just like to see it reviewed. Are there any problems I haven't foreseen? Would it be buggy or slow? StackExchange uses a very different method. I assume they have a good reason for that?

asked Jun 23 '11 14:06 by TRiG


1 Answer

Overall, your setup looks fine. Hope you've covered handling session expiry/timeouts.

The only issue (and it's more of an inconvenience) I see is the need to click 'Log in' explicitly. Personally, I prefer auto logins (like Google, MS and a ton of other major sites).

SO detects if you've a valid login and shows a message asking to refresh the page. While somewhat annoying, it still at least tells me that I'm logged in.

answered Oct 31 '22 01:10 by Mrchief