Communication between Relying Parties Google's OpenID Connect

Question

I am creating a third-party service which consolidates a user's web-apps. I was looking at Google's OpenID Connect solution or their Oauth solution as a SSO to a user's web-apps.

I have some criteria which I'm not sure it can handle.

• My service needs to be able to see which Relying Parties a person has used the SSO.
• My service needs to be able to send a flag to the Relying Parties to communicate the state of a user who can't do so themselves.

• The flag is sent, ideally, automatically to all of the relying parties that a user has used the SSO.

• The Relying Parties need to get more information attached to each user rather than just login credentials.

It seems like I will need to implement the Identity Provider myself, but I am hoping to avoid that as this is just a proof of concept prototype. Thanks!

Answer 1

Are these replying parties in your control? If not, how would you ensure that they are willing to accept your identity provider? If they are under your control then they could send information to the service you are building.

From the question it sounds like you want to allow a user to track all the random services/sites s/he is using. I think this couldn't be done with your own IDP or with the solution proposed by Hans.

Answer 2

Yes, you'll need to be the OpenID Connect provider (OP) for tracking the Relying Parties (RPs) that a user has logged in to, to communicate state to RPs and to provide extended user identity information to RPs. Those Relying Parties need to allow their users to configure your OpenID Connect provider for login. What you may do is to "outsource" the actual authentication to Google again by providing some sort of bridging between the RPs and Google's OP but that would require you to implement both the OP part (to the RPs) as well as the RP part (to Google's OP).