For example:
- We're running a two community sites on two domains (call them
example.comandexample.net). - We want to be able to expand that to more domains later.
- We want to allow multiple types of login (OpenID, Facebook, Twitter, standard username/password).
- We want someone who's logged into one site to automatically be logged into the other(s).
In other words, it's a bit similar to the StackExchange network.
In this case, would this plan work?
- Set up
example.comandexample.net(and any later additions) as OpenID relying parties, which accept OpenID login fromid.example.orgonly. - Set up
example.comandexample.netto do an OpenID reply-immediate request the first time you visit them, so that if you're logged intoid.example.orgyou're immediately and automatically logged into the site you're visiting. They should set a cookie if you're not logged in, to save them doing this on every page request. - Set up
id.example.orgas an OpenID provider and consumer. It should also consume Facebook and other identity providers, and allow standard username/password access. (Multiple login methods could be attached to one account.) - On logout, simply change the authentication tokens in the database. The user will still have cookies, but they'll be meaningless. Thus can the user be signed out of all sites simultaneously. Multiple authentication tokens can be stored against one user at one time (and should be different for each site), so that the user can sign out in one browser but still be signed in in another. Signing out always signs out for all sites.
The only problem I can see with the above is this:
- Someone visits
example.com. A "not-logged-in" cookie is set. - Zie then goes onto
example.net. Ditto. - Zie then signs in, and continues browsing on
example.net. - Zie then goes back to
example.comand, because of the "not-logged-in" cookie, is not checked againstid.example.organd is therefore not logged in. - However, as soon as zie clicks the "log in" button, zie is logged in.
I don't think this is a major problem.
On the whole, I think it's a pretty good system. I'd just like to see it reviewed. Are there any problems I haven't foreseen? Would it be buggy or slow? StackExchange uses a very different method. I assume they have a good reason for that?
Overall, your setup looks fine. Hope you've covered handling session expiry/timeouts.
The only issue (and its more of an inconvenience) I see is the need to click 'Log in' explicitly. Personally, I prefer auto logins (like Google, MS and ton of other major sites).
SO detects if you've a valid login and shows a message asking to refresh the page. While somewhat annoying, it still at least tells me that I'm logged in.
来源:https://stackoverflow.com/questions/6455388/using-openid-to-log-into-multiple-domains-is-this-plan-feasable