Does an OpenID provider need to create his own database, or can he use multiple databases (for example, when the user creates an OpenID, the user, pass, email are provided from one of those databases)? I wouldn't like to create another database containing the info from the others; I would like to write in them the ids and probably some flags that show me when the user is logged in or not. To be clear, I have a webmail application and a music download application. When the user is logged into webmail he should only provide the OpenID to the music download application and then should be logged in. If he's not logged in to the mail application he should be redirected to the provider (I am using Community ID 1.2.1 written in PHP) where he should provide the user and password from the mail database.

Another question, related to the first: if a user changes his password in one of those databases after he has created an OpenID, the id remains usable, right?

A: 

I came across this issue several years back when I worked for a company that had several online applications but needed 1 login for 1 person to be able to access all 3 websites.

The solution is to create a "master security database" that holds the information you require for successful login. You'd have a couple of tables within that database where the user's permissions are defined as well. When the user logs in from either the webmail application or the music download application, the security database is checked for valid credentials, and you can persist the login throughout (and across multiple sites) by passing something like a salted MD5 hash so that a user only has to log in once and, when forwarded to the next website, automatically gets logged in.

You can then extend the "user table" you'll have in the security database with a corresponding user table in the specific website database (which doesn't carry an auto-incremented UserID key, but references the security database's key). So in your music application you can store information like "Playlists" or some other demographic type information only used by your music website; the same goes for your webmail site.

Combine this with OpenID and you have a very powerful system to use across all your sites only requiring one login.

AcidRaZor
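
Added example, not part of the original answer or of Community ID: one way the login check against the security database could hand an already logged-in user to the second site, using a short-lived HMAC-SHA256 signed token in place of the salted MD5 hash the answer mentions. The key, site names and function names are assumptions made for illustration.

```php
<?php
// Constructed values for the demo; in practice the key lives in server-side
// config shared only by the security database front end and the two sites.
const SHARED_KEY = 'constructed-demo-key-not-for-production';
const TOKEN_TTL  = 60; // seconds a handoff token stays valid

// Called after credentials were checked against the master security database.
function issue_token(int $userId, string $audience, int $now): string {
    $payload = base64_encode(json_encode([
        'uid' => $userId,                    // key from the security database
        'aud' => $audience,                  // the one site allowed to accept it
        'exp' => $now + TOKEN_TTL,           // short lifetime limits replay
        'jti' => bin2hex(random_bytes(16)),  // receiver can store this until exp
    ]));
    // The MAC covers the encoded payload; base64 and hex never contain '.'.
    return $payload . '.' . hash_hmac('sha256', $payload, SHARED_KEY);
}

// Called by the receiving site. Returns the claims, or null on any failure.
function verify_token(string $token, string $audience, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Check the MAC first, in constant time, before parsing anything.
    if (!hash_equals(hash_hmac('sha256', $payload, SHARED_KEY), $mac)) {
        return null;
    }
    $json   = base64_decode($payload, true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims)) {
        return null;
    }
    if (($claims['aud'] ?? null) !== $audience) {
        return null; // issued for a different site
    }
    if (!is_int($claims['exp'] ?? null) || $claims['exp'] < $now) {
        return null; // expired or malformed expiry
    }
    return $claims;
}

$now   = time();
$token = issue_token(42, 'music.example', $now); // constructed user id and site
var_dump(verify_token($token, 'music.example', $now));          // intended site
var_dump(verify_token($token, 'webmail.example', $now));        // other site
var_dump(verify_token($token, 'music.example', $now + 120));    // after expiry
var_dump(verify_token('A' . substr($token, 1), 'music.example', $now)); // altered
```

When the token travels in a redirect URL, pass it through `rawurlencode()` and send it only over HTTPS.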