1. Field of the Invention
This invention generally relates to authenticating users of network-based services, and in particular to authenticating users who use services in multiple domains.
2. Description of the Related Art
A web service provider may provide a variety of different services such as search, email, video sharing, and social networking. Typically, a user can authenticate to one of these services, and then have the authentication carry over to other services from the same provider. For example, a user can provide a username and password as part of a login to an email service, and then access a social networking service from the same provider in the same domain without providing additional information.
The web service provider usually enables this single-authentication ability by providing a cookie to the user's web browser in response to a successful authentication. The cookie identifies the user and contains data indicating that the user has successfully authenticated to a service from the provider. The user's browser automatically provides the cookie to the provider's web sites when the user contacts those sites to obtain the services.
The cookie-based technique described above is effective when the services accessed by the user are all within the same second-level Internet domain. For example, if the user authenticates to the mail service available at the domain “mail.google.com,” the cookie received from that service can also be used to automatically authenticate the user to the video sharing service available at “video.google.com.” These two services are both within the same second-level “google.com” domain.
However, the technique is ineffective when the services are located in different second-level domains. Browser security policies generally prevent a service in a first domain from accessing cookies created by a service in a second, different, second-level domain. Thus, the service in the first domain cannot determine whether a given user has already authenticated to a service in the second domain provided by the same provider. As a result, a service provider oftentimes must require an independent authentication for a service located in a different domain than the provider's other services. This separate authentication is inconvenient for the user and also consumes computing resources of the provider.
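The cookie scoping behavior described above can be modeled with the domain-matching rule from RFC 6265. The following is an added example, not text or code from the patent; the cookie names, token value, and the host "video.example.org" are constructed, and it assumes the login cookie is set with a Domain attribute of "google.com".

```javascript
// Simplified model of RFC 6265 cookie scoping (added illustration).
// Omitted: public-suffix checks, Path, Secure, SameSite, expiry.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain if they are
// identical, or the host ends with "." + cookie domain and is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Decide whether a Set-Cookie from setterHost is stored, and with what scope.
// A server may only name a Domain that its own host domain-matches.
function acceptCookie(setterHost, name, value, domainAttr) {
  if (domainAttr === undefined) {
    return { name, value, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatches(setterHost, domainAttr)) return null; // rejected by the browser
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  return { name, value, domain, hostOnly: false };
}

// Names of the cookies the browser attaches to a request for requestHost.
function cookiesFor(jar, requestHost) {
  const host = requestHost.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
    .map(c => c.name);
}

function demo() {
  const jar = [];
  // Assumed: login at the mail service sets a cookie scoped to google.com.
  jar.push(acceptCookie("mail.google.com", "SESSION", "constructed-token", "google.com"));
  // Host-only cookie (no Domain attribute) for comparison.
  jar.push(acceptCookie("mail.google.com", "MAILPREF", "constructed"));
  // The mail service cannot scope a cookie to a different second-level domain.
  const foreign = acceptCookie("mail.google.com", "SESSION", "t", "example.org");
  return {
    video: cookiesFor(jar, "video.google.com"),   // shares google.com
    mail: cookiesFor(jar, "mail.google.com"),
    other: cookiesFor(jar, "video.example.org"),  // different second-level domain
    foreignAccepted: foreign !== null,
  };
}
```

The session cookie reaches video.google.com but never the service in the other second-level domain, which is why that service cannot tell that the user has already authenticated.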