+2  Q: 

Limited Use OpenID

Hello All, I'm looking to implement OpenID as a provider for a group of partner sites. The thing is this site is for kids (younger than 13) so I have business restrictions that need to be dealt with - mainly the account can't be used on any non-partner sites (we work with every approved partner to ensure they meet industry privacy/security regulations).

In the past we rolled our own membership and partner system but I want to move to an industry-accepted engine to make life easier for ourselves and our partners.

So, is there a built-in way to limit OpenID access to only some sites or would I need to do some deep code changes to the code and permissions to accomplish this?

+1  A: 

I have not implemented OpenId myself, so take this with a grain of salt.

When I log into Yahoo for my OpenID, it asks me if I really want them to provide my identity to stackoverflow.com. At this point it should be easy for the provider (e.g. Yahoo, or you) to look up the target site and see if it is an approved partner, and stop the process if it is not.

Olaf
+2  A: 

It all depends.
This is possible in the OpenID protocol; it is just a question of whether your library supports it. Look in the documentation and configuration files for a restriction on sites' sign-in permissions.
If you are programming it yourself, it is rather easy: when you sign in to OpenID, it redirects to your website to see if you let the user sign in to it. Usually you ask the user, but in your case you could look at the whitelist to see if the site is approved.

Isaac Waller
+4  A: 

Yes, absolutely. Based on your dotnetopenid tag I take it that's the library you're using, which is great. The IAuthenticationRequest that comes in has a Realm property on it. Use that to check that the Realm value appears on your whitelist of partner sites' realm URLs. If it does, go ahead through the normal authentication steps, set IAuthenticationRequest.IsAuthenticated to true and return. If the Realm is not recognized, then this under-13-year-old is trying to use their OpenID to log into a non-partner site, and you can just set IsAuthenticated = false and return, which will abort their login.

If you have further questions on your specific scenario feel free to email [email protected]

Andrew Arnott
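The realm check described in the answer above, written out as an added example (this is my code, not the library's sample code and not from the thread). It assumes only what the answer names: the DotNetOpenId provider-side IAuthenticationRequest type with its Realm and IsAuthenticated members. The PartnerRealmPolicy class, its method names, the logging delegate and the whitelist entries are constructed for illustration.

```csharp
// Added example: provider-side partner whitelist for a DotNetOpenId OpenID Provider.
// Assumes IAuthenticationRequest exposes Realm and IsAuthenticated (as the answer states);
// everything else here (class, method names, sample realms) is hypothetical.
using System;
using System.Collections.Generic;
using DotNetOpenId.Provider;

public static class PartnerRealmPolicy
{
    // Constructed sample whitelist: the full realm string each partner registered.
    // Matching is on the whole realm (scheme, host and path), never on a host suffix,
    // so "http://partner-a.example.net/" does not approve "http://notpartner-a.example.net/".
    // A wildcard realm such as "http://*.partner-c.example.com/" is accepted only when
    // the relying party sends exactly that string.
    private static readonly HashSet<string> ApprovedRealms =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "http://partner-a.example.net/",
            "https://kids.partner-b.example.org/",
            "http://*.partner-c.example.com/",
        };

    // Normalize so that "https://host" and "https://host/" compare equal.
    public static string Normalize(string realm)
    {
        if (string.IsNullOrEmpty(realm))
        {
            return string.Empty;
        }
        string r = realm.Trim();
        return r.EndsWith("/", StringComparison.Ordinal) ? r : r + "/";
    }

    public static bool IsApprovedRealm(string realm)
    {
        return ApprovedRealms.Contains(Normalize(realm));
    }

    // Call this from the provider endpoint as soon as the library hands you the
    // parsed IAuthenticationRequest, before showing the child any consent page.
    // Returns true when the normal authentication flow may continue; on a
    // non-partner realm it marks the request as not authenticated and logs it.
    public static bool Enforce(IAuthenticationRequest request, Action<string> log)
    {
        string realm = request.Realm == null ? null : request.Realm.ToString();
        if (IsApprovedRealm(realm))
        {
            return true;
        }

        log(string.Format("Rejected OpenID request from non-partner realm '{0}'", realm));
        request.IsAuthenticated = false;   // aborts the login, as the answer describes
        return false;
    }
}

// Sketch of the call site in the provider page, after the library has parsed the
// incoming message into an IAuthenticationRequest named authRequest:
//
//   if (!PartnerRealmPolicy.Enforce(authRequest, msg => System.Diagnostics.Trace.WriteLine(msg)))
//   {
//       // send the (negative) response back through the library as usual and stop here
//   }
//   // otherwise continue with your normal login / consent steps
```

Two points worth keeping in mind when adapting this. First, compare whole realm strings rather than host suffixes; a suffix or substring check is the classic way such whitelists get bypassed by a look-alike domain. Second, the realm is asserted by the relying party in its request; OpenID requires the return_to URL to fall within that realm, so keep the whitelist to the realms partners actually registered with you, and treat a request whose realm is missing (as with some OpenID 1.x relying parties) as non-partner by default, which is what the empty-string normalization above does.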