Using OpenID to log into multiple domains: Is this plan feasible?


Problem description

For example:

  • We're running two community sites on two domains (call them example.com and example.net).
  • We want to be able to expand that to more domains later.
  • We want to allow multiple types of login (OpenID, Facebook, Twitter, standard username/password).
  • We want someone who's logged into one site to automatically be logged into the other(s).

In other words, it's a bit similar to the StackExchange network.

In this case, would this plan work?

  • Set up example.com and example.net (and any later additions) as OpenID relying parties, which accept OpenID login from id.example.org only.
  • Set up example.com and example.net to do an OpenID reply-immediate request the first time you visit them, so that if you're logged into id.example.org you're immediately and automatically logged into the site you're visiting. They should set a cookie if you're not logged in, to save them doing this on every page request.
  • Set up id.example.org as an OpenID provider and consumer. It should also consume Facebook and other identity providers, and allow standard username/password access. (Multiple login methods could be attached to one account.)
  • On logout, simply change the authentication tokens in the database. The user will still have cookies, but they'll be meaningless. Thus can the user be signed out of all sites simultaneously. Multiple authentication tokens can be stored against one user at one time (and should be different for each site), so that the user can sign out in one browser but still be signed in in another. Signing out always signs out for all sites.

The only problem I can see with the above is this:

  • Someone visits example.com. A "not-logged-in" cookie is set.
  • Zie then goes onto example.net. Ditto.
  • Zie then signs in, and continues browsing on example.net.
  • Zie then goes back to example.com and, because of the "not-logged-in" cookie, is not checked against id.example.org and is therefore not logged in.
  • However, as soon as zie clicks the "log in" button, zie is logged in.

I don't think this is a major problem.

On the whole, I think it's a pretty good system. I'd just like to see it reviewed. Are there any problems I haven't foreseen? Would it be buggy or slow? StackExchange uses a very different method. I assume they have a good reason for that?

Solution

Overall, your setup looks fine. Hope you've covered handling session expiry/timeouts.

The only issue (and it's more of an inconvenience) I see is the need to click 'Log in' explicitly. Personally, I prefer auto logins (like Google, MS and a ton of other major sites).

SO detects if you've a valid login and shows a message asking to refresh the page. While somewhat annoying, it still at least tells me that I'm logged in.
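
Added example, not part of the question or the answer: a sketch of the logout plan from the question (a different token per site and per browser, all revoked together) combined with the session expiry the answer asks about. The class name, the in-memory dict standing in for the database at id.example.org, and revoking by deleting rows are assumptions made for illustration.

```python
import hashlib
import secrets
import time

class TokenStore:
    """Constructed in-memory stand-in for the token table at id.example.org."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.rows = {}  # sha256(token) -> (user, browser_session, site, expires_at)

    @staticmethod
    def _digest(token):
        # Keep only a hash, so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, browser_session, site, now=None):
        """Mint a distinct random token for one site in one browser."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.rows[self._digest(token)] = (user, browser_session, site, now + self.ttl)
        return token

    def validate(self, token, site, now=None):
        """Return the user if the cookie value is live for this site, else None."""
        now = time.time() if now is None else now
        row = self.rows.get(self._digest(token))
        if row is None:
            return None
        user, _, row_site, expires_at = row
        if row_site != site or now >= expires_at:
            return None
        return user

    def logout(self, token):
        """Revoke all tokens of the browser session that owns this cookie."""
        row = self.rows.get(self._digest(token))
        if row is None:
            return 0
        owner = row[:2]  # (user, browser_session)
        doomed = [d for d, r in self.rows.items() if r[:2] == owner]
        for d in doomed:
            del self.rows[d]
        return len(doomed)
```

Because each relying party checks the token on every request, a cookie left in the browser after logout or expiry no longer maps to a user, and a token issued for example.com is rejected if replayed at example.net.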
