Creative Use of OpenID -

-

the situation

i have 3 websites used same one. result, use single database user administration , authentication. unfortunately, distinct websites , have grown include drastically different features.

when 3 sites 1 site, used nifty layout switcher keyed on requested url determine stylesheets use. if logged in domain1.com user domain2.com, server swap url without problem.

as added features 1 site, needed split 3 different systems keep stepping on ourselves. adding feature domain1 break unrelated system on domain3, keeping things separate smarter. kept same user database because it's tied in our licensing , subscription systems.

now, want begin using ssl/tls protect sites ... meaning they're transferred on https rather http.

using http, didn't have many problems bouncing users 1 site version another. log in of 3 sites, server detect site supposed on, , kick on there. since we're using state server session management, didn't lose in transfer, either (same user database, same session id, same session).

using https, lose when kick users 1 site another. @ moment, best can display pop-up , explain "you meant log in domain2.com ... please update bookmarks , log in again" before kicking them right domain. works, it's inelegant solution, frustrates end users, , sloppy.

ideal solution

ideally, users automatically logged in site they're being transferred once there. so:

  • log in domain1.com user account domain2.com
  • get popup explaining mistake , asking update bookmarks
  • be automatically transferred domain2.com , logged in if you'd gone there begin with.

original approach

the first idea had accomplish redirect user , append id of kind url , fetch appropriate parameter when new site. while works , can log people in ... it's insecure. you're creating token anyone use authenticate user , passing on wire intercepted , impersonated.

openid approach

what i'm thinking now, , i'm not sure work (hence question), use variation of openid. both domain1.com , domain2.com on our servers, under our control, , using our ssl certificates. have full access database and, once know session restore, can restore user's session once logging them in after site redirect.

when i've used openid in past, it's taken format:

  1. go site want use , click log in
  2. be redirected login page site b, have account
  3. log in site b , grant permission site use information
  4. be redirected authenticated portion of site a

i want our system replicate steps 3-4 of process. basically:

  1. go domain1.com , log in (you have account)
  2. read message fixing bookmarks , click ok redirected right site.
  3. be redirected authenticated portion of domain2.com

from i've ready openid far, seems possible. , i've been reading on openid , oauth couple of days figure out. every solution, tutorial, , manual can find describes fully-fleshed-out openid server. don't need people use external openids authenticate our system, , don't want become openid provider either. want create solution works following above description.

so, is possible using openid? parts of protocol need flesh out make work?

you don't need openid log user simultaneously multiple domains. can generate "signed redirect" domain1.com domain2.com "assertion" 1 of parameters on url domain2.com

the assertion should contain userid, timestamp, , signature generated using shared secret between domain1 , domain2. in order prevent replay attacks, domain2 should verify timestamp relatively recent (10 minutes). signature should generated hashing assertion shared secret. signature enables domain2 verify domain1 generated assertion, assuming shared secret known between domain1 , domain2.

at high level, mechanism described equivalent generating "unsolicited assertion" in saml world. unsolicited assertions theoretically supported in openid, i've never seen implemented in practice.

if haven't implemented sort of single sign on (sso) technique before, should careful, incorrect implementations can potentially allow attackers login domain2 user.


Comments

Post a Comment

Popular posts from this blog

c# - how to write client side events functions for the combobox items -

-
<dx:aspxcombobox id="aspxcombobox2" runat="server" clientidmode="autoid" selectedindex="-1" onselectedindexchanged="aspxcombobox1_selectedindexchanged1" > <clientsideevents selectedindexchanged="function(s, e) { grid.selectrows();}" /> <items> <dx:listedititem text="selecte rows" /> <dx:listedititem text="unselectall" /> </items> </dx:aspxcombobox> i want write event "unselect all" item in combobox. how can this? you'll need write javascript function iterates thru combo-box , marks selected items false. see select/unselect checkbox fields using pure javascript , html sample code msdn:
Read more

exception - Python, pyPdf OCR error: pyPdf.utils.PdfReadError: EOF marker not found -

-
pypdf throws exception: pypdf.utils.pdfreaderror: eof marker not found i don't need fix pypdf, need eof error cause "except" block execute , skip on file, doesn't work. still causes program stop running. background: batch ocr program pdfs python, pypdf, adobe pdf ocr error: unsupported filter /lzwdecode ... saga continues. i got 10,000 pdfs in folder. ocrd, not. can't tell 'em apart. step 1 figure out ones not ocrd , ocr (see other threads details). so i'm using pypdf. exceptions related unrecognized characters , unsupported filters when try read text. guestimated if throws exception, it's got text in , doens't go in list. problem solved, right? so: pypdf import pdffilewriter, pdffilereader import sys, os, pypdf, re path = 'c:\users\homer\documents\my pdfs' filelist = os.listdir(path) has_text_list = [] does_not_have_text_list = [] pdf_name in filelist: pdf_file
Read more