Identity-based domain registration logic
Domain registration logic
The reference implementation applies the following logic for identity-based domain registration:
- Determine the domain name to assign to the designated user. The domain name (namequalifier:username) is extracted from the authentication token. If a token is not available, an error is thrown.
- Look up the domain name in the DomainServerInfo table. If no entry is found, insert an entry with these default values:
  - authentication required
  - max domain membership = 5
- Verify that the device has been registered with the domain:
  - Look up the domain name in the UserDomainMembership table.
  - For each machine ID that is located, compare the ID with the machine ID in the request.
  - If this is a new machine, add an entry to the UserDomainMembership table.
  - Search for the matching records in the UserDomainRefCount table.
  - If an entry does not exist for this machine GUID, add a record.
  - If this is a new device and the Max Membership value has already been reached, return an error.
- Look up all the domain keys for this domain in the DomainKeys table:
  - If DomainServerInfo indicates that the keys need to be rolled over, generate a new key pair.
  - Save the pair in the DomainKeys table with a key version one higher than the highest existing key version.
  - Reset the Key Rollover Required flag in DomainServerInfo.
- For each domain key, generate a domain credential.
Domain de-registration logic
The reference implementation applies the following logic for identity-based domain de-registration:
- Determine the domain name to assign to this user. The domain name is namequalifier:username, which is extracted from the authentication token. If no token is available, return the error DOM_AUTHENTICATION_REQUIRED (503).
- Look up the requested domain name in the DomainServerInfo table.
- Look up the domain name in the UserDomainMembership table.
- Compare each machine ID that you find with the machine ID in the request.
- Locate the corresponding entry in the UserDomainRefCount table. If a matching entry is not located, return an error.
- If this is not a preview request, delete the entry from the UserDomainRefCount table.
- If there are no additional entries in that table for the machine, delete the entry from UserDomainMembership and set the Key Rollover Required flag in DomainServerInfo.
Each user can register a small number of machines, so you can use the full machine ID and the matches() method to count machines. Because a user can register multiple times, through multiple AIR applications or Players in different browsers, the server needs to maintain a reference count so that de-registration can also be counted.
De-registration is not complete until all of the domain tokens on the machine are surrendered.
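The registration and de-registration steps above, including the reference count, the max membership check and the key rollover flag, as one in-memory model. This is an added example and not the reference implementation's code; the shape of the machine ID (a hardware part shared by every application on a device plus a per-application GUID, compared with a matches() method), the creation of a first key when the DomainKeys table is empty, and the use of random bytes as a stand-in for key-pair generation are assumptions made here. The four tables are plain dictionaries and sets, so the whole flow runs offline.

```python
from dataclasses import dataclass, field
import secrets

DEFAULT_MAX_MEMBERSHIP = 5  # default from the registration logic above


class DomainError(Exception):
    """Base class for the errors the model returns."""


class AuthenticationRequired(DomainError):
    """DOM_AUTHENTICATION_REQUIRED (503): the request carried no authentication token."""


class MaxMembershipReached(DomainError):
    """A new device would exceed the domain's max membership."""


class NotRegistered(DomainError):
    """De-registration for a machine that has no UserDomainRefCount entry."""


@dataclass(frozen=True)
class MachineId:
    """Assumed shape of a machine ID: a hardware part shared by every AIR
    application or Player on one device, plus a per-application GUID."""
    hardware_id: str
    guid: str

    def matches(self, other: "MachineId") -> bool:
        """Two IDs from different applications on the same device match."""
        return self.hardware_id == other.hardware_id


@dataclass
class DomainServerInfo:
    authentication_required: bool = True
    max_membership: int = DEFAULT_MAX_MEMBERSHIP
    key_rollover_required: bool = False


@dataclass(frozen=True)
class DomainCredential:
    domain: str
    key_version: int
    key: bytes


@dataclass
class DomainServer:
    # DomainServerInfo table: domain name -> settings
    server_info: dict = field(default_factory=dict)
    # UserDomainMembership table: domain name -> registered machines (one per device)
    membership: dict = field(default_factory=dict)
    # UserDomainRefCount table: one (domain name, MachineId) row per registration
    ref_count: set = field(default_factory=set)
    # DomainKeys table: domain name -> {key version: key material}
    domain_keys: dict = field(default_factory=dict)

    @staticmethod
    def domain_name(token):
        """Derive namequalifier:username from the token, or fail if there is none."""
        if token is None:
            raise AuthenticationRequired("DOM_AUTHENTICATION_REQUIRED (503)")
        return f"{token['namequalifier']}:{token['username']}"

    def register(self, token, machine: MachineId) -> list:
        """Register one application on a device; return a credential per domain key."""
        domain = self.domain_name(token)
        info = self.server_info.setdefault(domain, DomainServerInfo())
        members = self.membership.setdefault(domain, [])
        is_new_device = not any(m.matches(machine) for m in members)
        # Check membership before inserting so a rejected request leaves no rows behind.
        if is_new_device and len(members) >= info.max_membership:
            raise MaxMembershipReached(f"{domain} already has {info.max_membership} machines")
        if is_new_device:
            members.append(machine)
        self.ref_count.add((domain, machine))  # no-op for a repeated registration
        keys = self.domain_keys.setdefault(domain, {})
        # A first key is created for an empty table (assumption); a rollover adds a key
        # whose version is one higher than the highest existing version.
        if not keys or info.key_rollover_required:
            keys[max(keys, default=0) + 1] = secrets.token_bytes(32)  # stand-in for a key pair
            info.key_rollover_required = False
        return [DomainCredential(domain, v, k) for v, k in sorted(keys.items())]

    def deregister(self, token, machine: MachineId, preview: bool = False) -> bool:
        """Drop one registration; return True when it is the device's last one."""
        domain = self.domain_name(token)
        info = self.server_info.get(domain)
        entry = (domain, machine)
        if info is None or entry not in self.ref_count:
            raise NotRegistered(f"{machine.guid} is not registered in {domain}")
        others = [m for (d, m) in self.ref_count
                  if d == domain and m.matches(machine) and m != machine]
        last_for_device = not others
        if preview:
            return last_for_device  # report what would happen, change nothing
        self.ref_count.discard(entry)
        if last_for_device:
            self.membership[domain] = [m for m in self.membership[domain] if not m.matches(machine)]
            info.key_rollover_required = True  # credentials still held by the device must age out
        return last_for_device
```

A second Player on the same device adds a UserDomainRefCount row but no UserDomainMembership row, so it does not count against the membership limit; only when the last row for that device is removed does the membership entry go away and the next registration roll the domain key to a new version.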