The reference implementation applies the following logic for anonymous domain registration:

1. Parse the domain name from the request URL.
2. Look up the domain name in the DomainServerInfo table. If you cannot locate an entry, insert an entry in the table. The default values are:
   - authentication is not required
   - no membership maximum
3. If authentication is required for the requested domain, ensure that a valid authentication token is in the request. If the Auth Namespace is specified in the database, the token must match the specified Auth Namespace. If authentication is required, but a valid auth token is not available, return error DOM_AUTHENTICATION_REQUIRED (503).
4. Check whether the device is registered with the domain:
   - DomainMembership table.
   - DomainMembership table.
   - Max Membership value has been reached, return error DOM_LIMIT_REACHED (502).
5. Look up all the domain keys for this domain in the DomainKeys table:
   - If DomainServerInfo indicates that the keys need to be rolled over, generate a new key pair.
   - Save the key pair in the DomainKeys table, with a key version that is one number higher than the highest existing key.
   - Reset the Key Rollover Required flag in DomainServerInfo.
6. For each domain key, generate a domain credential.

The reference implementation applies the following logic for anonymous domain de-registration:

1. Parse the domain name from the request URL.
2. Look up the requested domain name in the DomainServerInfo table.
3. If authentication is required for the requested domain, ensure a valid authentication token is in the request. The token must also match the Auth Namespace that is specified in the database.
4. Look up the domain name and machine GUID in the DomainMembership table. If you cannot locate a matching entry, return error DEREG_DENIED (401).
5. If this is not a preview request, delete the entry from DomainMembership, and in DomainServerInfo, set the Key Rollover Required flag.

Because a large number of machines may join the domain, you cannot simply match the machine ID. Instead, the lookup uses the random machine GUID that is assigned to the machine during individualization.
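
The registration and de-registration steps above can be modelled in a few lines of Python to show how the error codes and the Key Rollover Required flag interact. This is an added example, not the reference implementation's code. The in-memory tables, the function names, the (namespace, user) token shape, the placeholder key material and the choices marked "assumption" in the comments are all hypothetical.

```python
import secrets

DEREG_DENIED, DOM_LIMIT_REACHED, DOM_AUTHENTICATION_REQUIRED = 401, 502, 503

class DomainError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.code = code

# In-memory stand-ins for the three tables named on the page.
server_info = {}    # DomainServerInfo: domain -> settings row
membership = set()  # DomainMembership: (domain, machine GUID) pairs
domain_keys = {}    # DomainKeys: domain -> {key version: key material}

def check_auth(info, token, code):
    # token: hypothetical (namespace, user) pair, assumed already validated.
    ns = info["auth_namespace"]
    if info["auth_required"] and (token is None or (ns and token[0] != ns)):
        raise DomainError(code)

def register(domain, guid, token=None):
    # Unknown domains get the page's defaults: no authentication, no maximum.
    info = server_info.setdefault(domain, {"auth_required": False,
        "auth_namespace": None, "max_membership": None, "rollover": False})
    check_auth(info, token, DOM_AUTHENTICATION_REQUIRED)
    if (domain, guid) not in membership:
        # Assumption: the limit is enforced only when a new member is added.
        members = sum(1 for d, _ in membership if d == domain)
        if info["max_membership"] is not None and members >= info["max_membership"]:
            raise DomainError(DOM_LIMIT_REACHED)
        membership.add((domain, guid))
    keys = domain_keys.setdefault(domain, {})
    if info["rollover"] or not keys:  # assumption: first join creates key 1
        keys[max(keys, default=0) + 1] = secrets.token_hex(16)  # placeholder key
        info["rollover"] = False
    # One credential per key version; a tuple stands in for the real credential.
    return [(domain, version, guid) for version in sorted(keys)]

def deregister(domain, guid, token=None, preview=False):
    info = server_info.get(domain)
    if info is not None:
        # Assumption: the page names no error code for this case; 401 is reused.
        check_auth(info, token, DEREG_DENIED)
    if info is None or (domain, guid) not in membership:
        raise DomainError(DEREG_DENIED)
    if not preview:
        membership.discard((domain, guid))
        info["rollover"] = True  # the next registration rolls the key over
```

After a non-preview de-registration, the next device to register receives one credential per key version, including the newly generated one, while the removed device no longer appears in the membership table.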