The reference implementation applies the following logic for identity-based domain registration:

1. Determine the domain name to assign to the designated user. The domain name (namequalifier:username) is extracted from the authentication token, so the client never chooses it. If no token is available, an error is thrown.

2. Look up the domain name in the DomainServerInfo table. If no entry is found, insert one with the default values: authentication required, max domain membership = 5.

3. Verify whether the device has already been registered with the domain: look up the domain name in the UserDomainMembership table and then in the UserDomainRefCount table. If the device is new and the Max Membership value has already been reached, return an error.

4. Look up all the domain keys for this domain in the DomainKeys table. If DomainServerInfo indicates that the keys need to be rolled over, generate a new key pair, save the pair in the DomainKeys table with a key version one higher than the highest existing key, and reset the Key Rollover Required flag in DomainServerInfo.

5. For each domain key, generate a domain credential.
The reference implementation applies the following logic for identity-based domain de-registration:

1. Determine the domain name to assign to this user. The domain name is namequalifier:username, extracted from the authentication token. If no token is available, return the error DOM_AUTHENTICATION_REQUIRED (503).

2. Look up the requested domain name in the DomainServerInfo table.

3. Look up the domain name in the UserDomainMembership table and compare each machine ID found there with the machine ID in the request.

4. Locate the corresponding entry in the UserDomainRefCount table. If no matching entry is found, return an error.

5. If this is not a preview request, delete the entry from the UserDomainRefCount table. If no additional entries remain in that table for the machine, delete the entry from UserDomainMembership and set the Key Rollover Required flag in DomainServerInfo.
Each user can register a small number of machines, so you can use the full machine ID and the matches()
method to count machines. Because a user can register multiple times, through multiple AIR applications or Players in different browsers, the server needs to maintain a reference count so that de-registration can also be counted.
De-registration is not complete until all of the domain tokens on the machine are surrendered.
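The registration and de-registration procedures above, together with the reference-count rule, are easiest to follow as one small state machine. The following Python model is an added illustration and not the reference implementation's code: it keeps the four tables named on the page (DomainServerInfo, UserDomainMembership, UserDomainRefCount, DomainKeys) in memory, stubs key generation with constructed placeholder strings, assumes that a domain with no keys yet is treated like one flagged for rollover, and uses assumed names (ERR_MAX_MEMBERSHIP, ERR_NO_REGISTRATION) for the two errors the page leaves unnamed.

```python
# Added illustration of the identity-based domain registration / de-registration
# flow. Not the reference implementation's code: tables are in-memory dicts,
# key generation is a constructed placeholder, and the unnamed errors get
# assumed names.
from dataclasses import dataclass, field

DOM_AUTHENTICATION_REQUIRED = 503                 # error code named on the page
ERR_MAX_MEMBERSHIP = "max membership reached"     # assumed error name
ERR_NO_REGISTRATION = "no matching registration"  # assumed error name


@dataclass
class DomainServerInfo:
    """One row of the DomainServerInfo table, using the page's defaults."""
    authentication_required: bool = True
    max_domain_membership: int = 5
    key_rollover_required: bool = False


@dataclass
class DomainServer:
    server_info: dict = field(default_factory=dict)  # domain -> DomainServerInfo
    membership: dict = field(default_factory=dict)   # domain -> {machine_id}
    ref_count: dict = field(default_factory=dict)    # (domain, machine_id) -> registrations
    domain_keys: dict = field(default_factory=dict)  # domain -> {version: key pair}

    def domain_name(self, token):
        """Derive namequalifier:username from the authentication token; the
        domain is bound to the authenticated identity, never client-chosen."""
        if token is None:
            raise PermissionError(DOM_AUTHENTICATION_REQUIRED)
        return f"{token['namequalifier']}:{token['username']}"

    @staticmethod
    def _generate_key_pair(domain, version):
        # Constructed placeholder; a real server generates an asymmetric pair.
        return {"public": f"pub:{domain}:v{version}",
                "private": f"priv:{domain}:v{version}"}

    def register(self, token, machine_id):
        """Return one domain credential per domain key, or raise."""
        domain = self.domain_name(token)
        info = self.server_info.setdefault(domain, DomainServerInfo())
        members = self.membership.setdefault(domain, set())
        is_new_device = machine_id not in members
        if is_new_device and len(members) >= info.max_domain_membership:
            raise ValueError(ERR_MAX_MEMBERSHIP)
        keys = self.domain_keys.setdefault(domain, {})
        # Assumption: a domain with no keys yet is handled like a rollover.
        if not keys or info.key_rollover_required:
            version = max(keys, default=0) + 1     # one higher than the highest
            keys[version] = self._generate_key_pair(domain, version)
            info.key_rollover_required = False
        members.add(machine_id)
        # The page's UserDomainRefCount table holds one row per registration;
        # a counter per (domain, machine) is equivalent.
        row = (domain, machine_id)
        self.ref_count[row] = self.ref_count.get(row, 0) + 1
        return [{"domain": domain, "machine_id": machine_id, "key_version": v,
                 "domain_public_key": keys[v]["public"]} for v in sorted(keys)]

    def deregister(self, token, machine_id, preview=False):
        """Surrender one registration; return registrations still outstanding."""
        domain = self.domain_name(token)
        row = (domain, machine_id)
        # Full machine ID compared exactly, as with the page's matches() method.
        known = (domain in self.server_info
                 and machine_id in self.membership.get(domain, set())
                 and row in self.ref_count)
        if not known:
            raise LookupError(ERR_NO_REGISTRATION)
        if preview:
            return self.ref_count[row]
        self.ref_count[row] -= 1
        if self.ref_count[row] > 0:
            return self.ref_count[row]
        # Last token on this machine surrendered: drop membership and flag the
        # domain keys for rollover so the next registration gets a new version.
        del self.ref_count[row]
        self.membership[domain].discard(machine_id)
        self.server_info[domain].key_rollover_required = True
        return 0
```

The point the model makes visible is the reference count: registering the same machine twice (two Players in different browsers) yields two rows, and the machine leaves UserDomainMembership, triggering key rollover, only when the second de-registration removes the last row.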