4
votes

I'm using OpenID much the same as here on StackOverflow to authenticate my users. What I really need to be able to do though is have that OpenID work across all sub-domains of my site.

The site behaves much the same as Kijiji in that each region has its own subdomain

  • calgary.example.com
  • toronto.example.com
  • vancouver.example.com
  • etc

When a user logs into "calgary" and later logs into "toronto", they will be forced to "give permission" at the provider, thus resulting in a new OpenID and resulting also in a new login.

My app "can" have multiple OpenIDs under one account, but that would become cumbersome to manage.

Is there a way to have the provider link up to the top level domain and subsequently work across all sub-domains?

I'm using DotNetOpenAuth.

The one thought I'm having is to always force the user to login at http://example.com and then use forms authentication domain = ".example.com" to allow navigation to all subdomains.


1 Answer

5
votes

Yes. Set the Realm property on the ASP.NET control or your IAuthenticationRequest (if you're doing it programmatically) to "https://*.example.com". Note that the scheme can be http or https, but it must match whatever scheme is in your ReturnTo property, which is going to (by default) be the scheme used in the current request.

Note, however, that if you have existing users from Google, this one-time change of your Realm will cause Google to generate all-new identifiers for your users, so they will all lose access to their accounts. It's very important therefore to decide on and keep a single Realm for all time, or you'll have to jump through major hoops to be able to tie your users to their accounts later when you change it.

But don't worry about the wildcard itself. When you set https://*.example.com as your realm, all your individual sites that match that pattern will get the same Google identifier.
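The programmatic variant of the answer, as an added example (not code from the answer or from DotNetOpenAuth's own samples): an ASP.NET MVC action that pins one wildcard realm for the whole site family and checks, before redirecting, that the per-subdomain return_to URL falls under it. The controller, action names and the `Realm.Contains(Uri)` check are assumptions made for this example.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.RelyingParty;

public class AuthController : Controller
{
    // One realm for every regional subdomain, fixed for the life of the site:
    // changing it later makes Google issue new identifiers to every user.
    // Its scheme (https) must match the scheme of the return_to URL below.
    private const string SiteRealm = "https://*.example.com";

    private static readonly OpenIdRelyingParty RelyingParty = new OpenIdRelyingParty();

    [HttpPost]
    public ActionResult Login(string openIdIdentifier)
    {
        Identifier id;
        if (!Identifier.TryParse(openIdIdentifier, out id))
        {
            ModelState.AddModelError("openIdIdentifier", "Not a valid OpenID identifier.");
            return View();
        }

        // return_to stays on the subdomain the user started from (e.g. calgary.example.com);
        // every such host is covered by the single wildcard realm.
        var returnTo = new Uri(Request.Url, Url.Action("LoginCallback"));
        var realm = new Realm(SiteRealm);

        // A return_to outside the realm (wrong scheme or host) is rejected by the
        // provider anyway; fail early with a clear message instead (assumed API).
        if (!realm.Contains(returnTo))
        {
            throw new InvalidOperationException(
                "return_to " + returnTo + " is not covered by realm " + SiteRealm);
        }

        IAuthenticationRequest request = RelyingParty.CreateRequest(id, realm, returnTo);
        return request.RedirectingResponse.AsActionResult();
    }

    public ActionResult LoginCallback()
    {
        IAuthenticationResponse response = RelyingParty.GetResponse();
        if (response == null || response.Status != AuthenticationStatus.Authenticated)
            return RedirectToAction("Login");

        // With one realm the claimed identifier is identical on every subdomain, so one
        // stored identifier per account is enough; the forms cookie domain ".example.com"
        // (web.config) then carries the session across subdomains.
        FormsAuthentication.SetAuthCookie(response.ClaimedIdentifier.ToString(), false);
        return Redirect("/");
    }
}
```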