Retrofitting OpenID to Existing Apps BCP?
Thursday 12G
Convener: Neil Thomson
Notes-taker(s): Adam Hampton
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Overview:
This was a good session discussing the challenges and pitfalls encountered on the way to retrofitting a legacy web application that relied on AD+LDAP for AuthN to support SSO via OpenID. Neil has slides that accompany this session, to be sent separately.
Notes:
A BCP here is to use small reference tokens for modeling the session when injecting an OpenID login sequence into the legacy web application. A big lesson learned was that some systems (web servers and browsers!) have maximum cookie and token database size limits, and these limits are small enough to cause issues when the new OpenID tokens are mixed in alongside the application's native tokens. Keep the session footprint small and the change minimally invasive.
Other lessons learned: minimize introspection calls to where they are strictly needed. In the example case given, an AJAX-heavy web app, putting introspection calls in the security filter stack added unacceptable latency in several post-authentication use cases. Keep the number of introspection calls (presumably made synchronously during the session AuthN chain) to a minimum and use them sparingly.
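The two lessons above (a small opaque reference in the cookie instead of the full token set, and a security filter that does not hit the introspection endpoint on every AJAX request) are sketched below as an added example. It is not code from the session or from Neil's slides. The token strings, the 4096-byte cookie budget, the 60-second cache TTL and the fake IdP callback are all constructed for illustration; a real deployment would size the TTL from its own risk tolerance and revocation requirements.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample token set, shaped like what an IdP returns after the
# OpenID login sequence. The id_token is NOT a real JWT; only its size matters here.
SAMPLE_TOKENS = {
    "access_token": "at-" + "x" * 900,
    "id_token": "eyJ." + "y" * 1200 + ".sig",
    "refresh_token": "rt-" + "z" * 400,
}

# Assumed per-cookie budget (RFC 6265 requires user agents to accept at least
# 4096 bytes per cookie); legacy stacks may enforce far smaller limits.
COOKIE_BUDGET_BYTES = 4096


@dataclass
class SessionStore:
    """Server-side store mapping an opaque reference to the token set.
    The browser only ever carries the reference, never the tokens."""
    sessions: Dict[str, dict] = field(default_factory=dict)

    def create(self, tokens: dict) -> str:
        ref = secrets.token_urlsafe(32)  # 43-char unguessable reference
        self.sessions[ref] = dict(tokens)
        return ref

    def lookup(self, ref: str) -> Optional[dict]:
        return self.sessions.get(ref)


def cookie_size(name: str, value: str) -> int:
    """Bytes the name=value pair occupies on the wire, ignoring attributes."""
    return len(f"{name}={value}".encode())


@dataclass
class CachedIntrospector:
    """Wraps an upstream token-introspection call (RFC 7662 style) with a TTL
    cache so the security filter is not a round trip to the IdP per request."""
    introspect_fn: Callable[[str], dict]  # hypothetical upstream call: token -> response
    ttl_seconds: float = 60.0
    upstream_calls: int = 0
    _cache: Dict[str, tuple] = field(default_factory=dict)  # token -> (expires_at, response)

    def introspect(self, token: str, now: float) -> dict:
        hit = self._cache.get(token)
        if hit and now < hit[0]:
            return hit[1]  # served from cache: no latency added to this request
        self.upstream_calls += 1
        resp = self.introspect_fn(token)
        # Never cache past the token's own exp claim when the IdP reports one.
        until = now + self.ttl_seconds
        if "exp" in resp:
            until = min(until, float(resp["exp"]))
        self._cache[token] = (until, resp)
        return resp


def security_filter(cookies: Dict[str, str], store: SessionStore,
                    introspector: CachedIntrospector, now: float) -> bool:
    """Returns True when the request carries a known session reference whose
    access token is still active according to (cached) introspection."""
    ref = cookies.get("sid")
    if not ref:
        return False
    tokens = store.lookup(ref)
    if tokens is None:
        return False
    resp = introspector.introspect(tokens["access_token"], now)
    return bool(resp.get("active"))


if __name__ == "__main__":
    store = SessionStore()
    ref = store.create(SAMPLE_TOKENS)
    print("reference cookie bytes:", cookie_size("sid", ref))
    print("id_token cookie bytes: ", cookie_size("id_token", SAMPLE_TOKENS["id_token"]))
    intr = CachedIntrospector(lambda tok: {"active": True}, ttl_seconds=60.0)
    for i in range(10):  # ten AJAX calls inside the TTL window
        security_filter({"sid": ref}, store, intr, now=1000.0 + i)
    print("upstream introspection calls:", intr.upstream_calls)
```

The reference cookie stays under 50 bytes regardless of how large the IdP's tokens grow, so it coexists with the application's native cookies without approaching the limits the session warned about. The cache turns a burst of AJAX requests into a single introspection round trip; the trade-off is that revocation at the IdP is only noticed once the TTL (or the token's exp, whichever comes first) lapses, which is why the TTL should be short and explicit.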