 

Changed domain error - OpenId auth request contains an unregistered domain

I set up a project on my main domain example.com and then moved it to a subdomain sub.example.com.

Now when I try to use the same (default ASP.NET MVC or on my Discourse forum) project with OpenId and click on the Google button to log in with my Google account it throws the following error -

  1. That’s an error.

    OpenID auth request contains an unregistered domain: http://sub.example.com

I have tried Googling that message but apparently I am one of the first four people to see it. Any ideas here?

PW Kad asked May 21 '14 03:05



2 Answers

I would like to add some context to this thread together with a potential solution for developers that are currently blocked.

Back in February we announced the deprecation of OpenID 2.0 (OID2) scheduled for April 2015. We also announced that new OID2 relying party (RP) registrations will no longer be accepted after April 2014.

Given that the API will be shut down in less than a year’s time, our intention is to avoid having new RPs integrating with Google's OID2 API. Instead, we suggest using our OpenID Connect API, which we consider more secure and easier to implement.

Registrations were effectively closed on May 19th (as documented in Google’s OID2 developer documentation). All RPs already using OID2 should not be affected by the closure.

As for developers currently working on an integration with our OID2 API (presumably because they missed the announcement and warnings in our OID2 documentation), we will do our best to minimize the friction caused by the registration closure. If you are in such a situation, please let us know by posting a registration request before June 15th. The post should contain a sample OID2 request used by your application. In case you prefer not to disclose such information, please post an email address and we will reach out. We plan to look into each case and try to get you unblocked in the best possible way.


OID2 does not have a registration procedure for RPs integrating with an identity provider. RPs are associated with the realm value (e.g., www.example.com) used when contacting the Google OID2 API. Thus, an RP is considered "registered" if its realm value has been used to contact our OID2 API.

Miguel Andres answered Oct 06 '22 04:10
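An added example, not part of either answer and not Google's code: it pulls `openid.realm` out of a sample OpenID 2.0 request, checks `openid.return_to` against it with the realm-matching rules of OpenID Authentication 2.0 (section 9.2), and compares the realm with the realms a site has used before, which is why the move from example.com to sub.example.com in the question produces a new, unregistered realm. The endpoint `op.example`, the `/signin` path, the function names and the exact-string comparison are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}

def realm_of(auth_request_url):
    """Return (realm, return_to) from an OpenID 2.0 authentication request URL."""
    q = parse_qs(urlsplit(auth_request_url).query)
    return_to = q.get("openid.return_to", [None])[0]
    # openid.realm is optional; the spec defaults it to the return_to URL.
    realm = q.get("openid.realm", [return_to])[0]
    return realm, return_to

def _parts(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname or "", u.port or DEFAULT_PORTS.get(scheme), u.path or "/"

def return_to_matches_realm(return_to, realm):
    """Realm matching as in OpenID Authentication 2.0, section 9.2."""
    if not realm or not return_to or urlsplit(realm).fragment:
        return False
    r_scheme, r_host, r_port, r_path = _parts(realm)
    u_scheme, u_host, u_port, u_path = _parts(return_to)
    if (r_scheme, r_port) != (u_scheme, u_port):
        return False                      # scheme and port must be identical
    if r_host.startswith("*."):           # wildcard realm, e.g. http://*.example.com
        tail = r_host[2:]
        host_ok = u_host == tail or u_host.endswith("." + tail)
    else:
        host_ok = u_host == r_host        # otherwise the host must be identical
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return host_ok and (u_path == r_path or u_path.startswith(prefix))

def diagnose(auth_request_url, previously_used_realms):
    realm, return_to = realm_of(auth_request_url)
    # Assumption: exact string comparison stands in for the provider's own lookup.
    return {"realm": realm,
            "return_to_matches_realm": return_to_matches_realm(return_to, realm),
            "realm_used_before": realm in previously_used_realms}

def sample_request(realm, return_to):
    # Constructed request; op.example is a placeholder endpoint, not a real provider.
    params = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "checkid_setup",
              "openid.return_to": return_to, "openid.realm": realm}
    return "https://op.example/auth?" + urlencode(params)

if __name__ == "__main__":
    used = {"http://example.com"}         # constructed: realm the site used before the move
    for realm in ("http://example.com", "http://sub.example.com"):
        print(diagnose(sample_request(realm, realm + "/signin"), used))
```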



According to this page, Google closed registration to new OpenID 2.0 clients in May 2014 and will be shutting down the OpenID 2.0 service in April 2015.

The reason why some hosts work and some don't is that although Google isn't adding new hosts, you can still use the ones that are already registered.

UPDATE: Some people have asked for a simple explanation of how to fix this, or otherwise how to proceed.

Basically, you now have 2 options.

Use OAuth 2.0 (instead of OpenID protocols and older versions of OAuth)

or

Use Google+ login (which Google tried to "push" you towards)

For more details check the migration guide:

https://developers.google.com/+/api/auth-migration#userinfo

Altryne answered Oct 06 '22 04:10
