Using OpenID to log into multiple domains: Is this plan feasable?
For example:
- We're running a two community sites on two domains (call them
example.com
andexample.net
). - We want to be able to expand that to more domains later.
- 开发者_C百科We want to allow multiple types of login (OpenID, Facebook, Twitter, standard username/password).
- We want someone who's logged into one site to automatically be logged into the other(s).
In other words, it's a bit similar to the StackExchange network.
In this case, would this plan work?
- Set up
example.com
andexample.net
(and any later additions) as OpenID relying parties, which accept OpenID login fromid.example.org
only. - Set up
example.com
andexample.net
to do an OpenID reply-immediate request the first time you visit them, so that if you're logged intoid.example.org
you're immediately and automatically logged into the site you're visiting. They should set a cookie if you're not logged in, to save them doing this on every page request. - Set up
id.example.org
as an OpenID provider and consumer. It should also consume Facebook and other identity providers, and allow standard username/password access. (Multiple login methods could be attached to one account.) - On logout, simply change the authentication tokens in the database. The user will still have cookies, but they'll be meaningless. Thus can the user be signed out of all sites simultaneously. Multiple authentication tokens can be stored against one user at one time (and should be different for each site), so that the user can sign out in one browser but still be signed in in another. Signing out always signs out for all sites.
The only problem I can see with the above is this:
- Someone visits
example.com
. A "not-logged-in" cookie is set. - Zie then goes onto
example.net
. Ditto. - Zie then signs in, and continues browsing on
example.net
. - Zie then goes back to
example.com
and, because of the "not-logged-in" cookie, is not checked againstid.example.org
and is therefore not logged in. - However, as soon as zie clicks the "log in" button, zie is logged in.
I don't think this is a major problem.
On the whole, I think it's a pretty good system. I'd just like to see it reviewed. Are there any problems I haven't foreseen? Would it be buggy or slow? StackExchange uses a very different method. I assume they have a good reason for that?
Overall, your setup looks fine. Hope you've covered handling session expiry/timeouts.
The only issue (and its more of an inconvenience) I see is the need to click 'Log in' explicitly. Personally, I prefer auto logins (like Google, MS and ton of other major sites).
SO detects if you've a valid login and shows a message asking to refresh the page. While somewhat annoying, it still at least tells me that I'm logged in.
精彩评论