I am trying to find a way to implement full-blown SSO using OpenID so that the user does not need to enter anything on a new site within the SSO.
I removed all cookies and started experimenting.
- Logged in on stackoverflow.com
- Looked at Fiddler and saw that stackauth.com is being contacted
- Started searching to see what stackauth.com is and ended up on stackapps.com
- I was RECOGNIZED and logged in to stackapps.com!
To repeat, I deleted all cookies at the start. Can someone explain to me the SSO that stackoverflow uses, because I want to build SSO for sites on different domains? Maybe a link if it is already explained somewhere.
Just checked. I went to SuperUser.com and was initially not logged in, but after a moment it was displayed at the top that I am logged in and to refresh the page.
Global Network Auto-Login
How does this technically work (if it is not secret :) )?
Update
It is mentioned that HTML5 local storage is the key. But, let's say that I don't have a problem with redirecting all of my users to some central Auth site. What should I store in the cookie of that site? How will I get user information, do I need to write some API? I would like to stay out of writing my API so I don't have to handle all the security problems. I would rather use something existing like OpenID.

You may take a look at DotNetOpenAuth. It is what StackOverflow uses to implement the OpenID authentication.
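
OpenID 2.0 has an immediate mode (`checkid_immediate`) in which the provider either asserts the already logged-in user or answers `setup_needed`, without showing a page. The sketch below is an added example, not code from the posts above or from DotNetOpenAuth: it builds such a request and runs the relying site's pre-checks on the reply. The function names and the 300-second nonce window are assumptions, and signature verification is left to the OpenID library.

```python
import calendar
import time
from urllib.parse import parse_qsl, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"
MAX_NONCE_AGE = 300  # seconds; assumed replay window, tune to your clock skew


def build_immediate_request(op_endpoint, realm, return_to):
    """URL asking the provider to assert the current user without showing UI."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",  # checkid_setup would allow a login page
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if urlparse(op_endpoint).query else "?"
    return op_endpoint + sep + urlencode(params)


def classify_response(query, expected_return_to, seen_nonces, now=None):
    """Pre-checks on the redirect back to return_to; returns (state, claimed_id).

    "candidate" means the checks here passed; the assertion signature still
    has to be verified (the OpenID library's job) before a session is created.
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    p = dict(pairs)
    if len(p) != len(pairs) or p.get("openid.ns") != OPENID_NS:
        return ("invalid", None)  # duplicated parameter or not OpenID 2.0
    if p.get("openid.mode") == "setup_needed":
        return ("interactive_login_required", None)  # no session at the provider
    if p.get("openid.mode") != "id_res":
        return ("invalid", None)
    if p.get("openid.return_to") != expected_return_to:  # exact match, stricter than the spec
        return ("invalid", None)
    nonce = p.get("openid.response_nonce", "")
    try:  # the nonce starts with a UTC timestamp such as 2024-01-01T00:00:00Z
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return ("invalid", None)
    now = time.time() if now is None else now
    key = (p.get("openid.op_endpoint"), nonce)
    if abs(now - issued) > MAX_NONCE_AGE or key in seen_nonces:
        return ("replayed_or_stale", None)
    seen_nonces.add(key)
    return ("candidate", p.get("openid.claimed_id"))
```

With this split, the central site's cookie only needs to identify the user's session at the provider, and each other domain learns who the user is from the verified assertion rather than from a shared cookie.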