I'm trying to find out if an RP (Relying Party) and OP (OpenID Provider) can be on the same domain. We have a use case to implement internal SSO in the future and have been asked to implement authorize on the same domain for each client.
We have a total of 3 domains and the ask is to implement authorize for each. This means each RP will be its own OP. Apparently this solves an issue with two of the 3 clients, something to do with sessions.
I think this is a bad approach, but I can't find any docs or case studies to strengthen my argument.
This seems like a misuse of the spec. My reasons for thinking this are:
- I can't find any example online where somebody else has called authorize on the same domain
- I can't find any reference in the docs to say you can or can't
- Within the FAQ it says:
> It lets app and site developers authenticate users without taking on the responsibility of storing and managing passwords in the face of an Internet that is well-populated with people trying to compromise your users' accounts for their own gain.
Given we are calling authorize on the same system we still have the responsibility of storing and managing passwords.
Questions
- Are there any docs to support or reject this use case of OpenID Connect?
- Do you know of any examples where it's being done?
Many thanks!