views:

1118

answers:

3

I am curious about how cross-domain authentication works. For example, to sign into Orkut.com you need to sign in via Google.com. So the authentication happens at Google.com and it sets the cookie. So my question now is: how is Orkut.com able to read this cookie or authenticate the user with no other information?

What can possibly go wrong?

+2  A: 

This link might be helpful.

http://code.google.com/apis/accounts/docs/AuthForWebApps.html

Keep in mind, Orkut is one of the Google services.

OpenID is another solution, which is actually used on SO.

jimx
Thanks, but I wish to learn about the concept behind these solutions.
gnosio
The very basic concept is that the web app provider and the auth provider will need to establish a certain protocol to build trust between them. In Orkut's case, the web app will send an unauthenticated request to the Google auth service, and the auth service will issue a token against that specific service (in this case, Orkut) and redirect the request back to the app provider. The provider will look for a specific token in the cookie (usually called GoogleAuth or GoogleLogin) and verify it with the known trust secret; when that's done, the request is considered authenticated.
jimx
A: 

Orkut is probably using Google's OpenID+OAuth for authenticating users. This means that you probably have a Google identity URL stored in your Orkut profile, and Orkut sends you to Google so that you can verify that the users signing in through the browser do indeed own the Google identity. If Orkut gets verification that you own the identity, then Orkut can safely assign you the authentication cookies for Orkut.

Sean Kinsey
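The redirect-and-token handshake sketched in both answers above (app redirects to the identity provider, the provider issues a token bound to that specific service, the app verifies it with a shared secret and only then sets its own session cookie), as an added example that is not from the original thread and is not Google's actual protocol or the OpenID/OAuth wire format. The service names, URLs, shared secrets and the HMAC token layout are all assumptions; the cross-domain cookie is never read directly, the token travels back to the app on the redirect. It also shows what the question's "what can possibly go wrong" checks look like: a token minted for one service is rejected by another, and replayed or stale tokens fail.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo data (assumption): each relying party registered with the
# identity provider shares one secret with it. This stands in for the trust the
# two parties establish out of band; the names and secrets are not real.
SERVICE_SECRETS = {
    "orkut.example": b"orkut-shared-secret-0123456789",
    "other.example": b"other-shared-secret-0123456789",
}
IDP_LOGIN_URL = "https://idp.example/login"  # hypothetical identity provider


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(service: str, body: str) -> str:
    # HMAC keyed with the secret shared between the IdP and this one service
    return _b64u(hmac.new(SERVICE_SECRETS[service], body.encode(), hashlib.sha256).digest())


# --- relying party (the web app, "orkut.example") ---------------------------

def sp_start_login(service: str, return_url: str) -> Tuple[str, str]:
    """Unauthenticated request arrives: mint a nonce (kept in the app's own
    session) and build the redirect that sends the browser to the IdP."""
    nonce = secrets.token_urlsafe(16)
    query = urlencode({"service": service, "nonce": nonce, "return_url": return_url})
    return nonce, f"{IDP_LOGIN_URL}?{query}"


def sp_verify_token(service: str, token: str, expected_nonce: str, now: int) -> Optional[str]:
    """Verify the token the IdP sent back. Returns the user id on success, else None.
    Each check is one thing that can go wrong: forged signature, token issued
    for a different service, replayed token, expired token."""
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig, _sign(service, body)):
        return None  # malformed, forged, or signed with another service's secret
    try:
        claims = json.loads(_b64u_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("aud") != service:  # token minted for another relying party
        return None
    if claims.get("nonce") != expected_nonce:  # replay / not tied to this login attempt
        return None
    if now >= int(claims.get("exp", 0)):  # stale token
        return None
    return claims.get("sub")


# --- identity provider ("idp.example") --------------------------------------

def idp_handle_login(redirect_url: str, user: str, now: int, ttl: int = 300) -> str:
    """The IdP authenticates the user itself (assumed already done here), then
    issues a token bound to the requesting service and nonce and redirects back."""
    q = parse_qs(urlparse(redirect_url).query)
    service, nonce, return_url = q["service"][0], q["nonce"][0], q["return_url"][0]
    claims = {"sub": user, "aud": service, "nonce": nonce, "exp": now + ttl}
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    token = f"{body}.{_sign(service, body)}"
    return f"{return_url}?{urlencode({'token': token})}"


# --- whole exchange ---------------------------------------------------------

def run_login(service: str, user: str, now: int, verify_at: Optional[int] = None) -> Optional[str]:
    """Drive one complete round trip. `verify_at` simulates the token arriving late."""
    nonce, to_idp = sp_start_login(service, f"https://{service}/auth/callback")
    back_to_sp = idp_handle_login(to_idp, user, now)
    token = parse_qs(urlparse(back_to_sp).query)["token"][0]
    return sp_verify_token(service, token, nonce, verify_at if verify_at is not None else now)


def cross_service_replay(now: int) -> Optional[str]:
    """A token issued for orkut.example presented to other.example must fail:
    it was signed with orkut's secret and its audience does not match."""
    nonce, to_idp = sp_start_login("orkut.example", "https://orkut.example/auth/callback")
    back = idp_handle_login(to_idp, "alice", now)
    token = parse_qs(urlparse(back).query)["token"][0]
    return sp_verify_token("other.example", token, nonce, now)


if __name__ == "__main__":
    print(run_login("orkut.example", "alice", now=1_700_000_000))  # alice
    print(run_login("orkut.example", "alice", now=1_700_000_000, verify_at=1_700_000_400))  # None
    print(cross_service_replay(1_700_000_000))  # None
```

The nonce is what ties the returned token to the login attempt the app itself started; without it (and without the audience and expiry checks) an attacker who captures one valid token, or who holds a legitimate token for some other service on the same provider, could present it to the app. Only after `sp_verify_token` succeeds does the app set its own session cookie for its own domain.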