Search code examples
openidcross-domainopenid-provider

Using OpenID to log into multiple domains: Is this plan feasable?

For example:

  • We're running a two community sites on two domains (call them example.com and example.net).
  • We want to be able to expand that to more domains later.
  • We want to allow multiple types of login (OpenID, Facebook, Twitter, standard username/password).
  • We want someone who's logged into one site to automatically be logged into the other(s).

In other words, it's a bit similar to the StackExchange network.

In this case, would this plan work?

  • Set up example.com and example.net (and any later additions) as OpenID relying parties, which accept OpenID login from id.example.org only.
  • Set up example.com and example.net to do an OpenID reply-immediate request the first time you visit them, so that if you're logged into id.example.org you're immediately and automatically logged into the site you're visiting. They should set a cookie if you're not logged in, to save them doing this on every page request.
  • Set up id.example.org as an OpenID provider and consumer. It should also consume Facebook and other identity providers, and allow standard username/password access. (Multiple login methods could be attached to one account.)
  • On logout, simply change the authentication tokens in the database. The user will still have cookies, but they'll be meaningless. Thus can the user be signed out of all sites simultaneously. Multiple authentication tokens can be stored against one user at one time (and should be different for each site), so that the user can sign out in one browser but still be signed in in another. Signing out always signs out for all sites.

The only problem I can see with the above is this:

  • Someone visits example.com. A "not-logged-in" cookie is set.
  • Zie then goes onto example.net. Ditto.
  • Zie then signs in, and continues browsing on example.net.
  • Zie then goes back to example.com and, because of the "not-logged-in" cookie, is not checked against id.example.org and is therefore not logged in.
  • However, as soon as zie clicks the "log in" button, zie is logged in.

I don't think this is a major problem.

On the whole, I think it's a pretty good system. I'd just like to see it reviewed. Are there any problems I haven't foreseen? Would it be buggy or slow? StackExchange uses a very different method. I assume they have a good reason for that?

Solution

  • Overall, your setup looks fine. Hope you've covered handling session expiry/timeouts.

    The only issue (and its more of an inconvenience) I see is the need to click 'Log in' explicitly. Personally, I prefer auto logins (like Google, MS and ton of other major sites).

    SO detects if you've a valid login and shows a message asking to refresh the page. While somewhat annoying, it still at least tells me that I'm logged in.