Google Federated Login (OpenID+Oauth) for Hosted Apps - changing end points?

I'm trying to integrate the Google Federated Login with a premier apps account, but I'm having some problems.

When I send the request to: https://www.google.com/accounts/o8/ud with all the parameters (see below), I get back both a request_token and the list of attributes asked for by Attribute Exchange. This is perfect, as we need the email via attribute exchange (AX) to store the user in our application database, and we need the request token for future API requests to scopes (i.e. calendar, contacts, etc.).

However, using that URL (herein referred to as the endpoint) doesn't keep the user signed in to their hosted apps (gmail, calendar, et al), which is a problem.

Changing the endpoint to https://www.google.com/a/thedomain.com/o8/ud?be=o8 changes everything. I am automagically signed in to other Google apps (Gmail etc.). However, using that endpoint, I only get the request token or the attributes via AX. Obviously that's not particularly Hybrid. It's very much one or the other.

Example request to the endpoint https://www.google.com/accounts/o8/ud

import urllib
from django.http import HttpResponseRedirect

end_point = 'https://www.google.com/accounts/o8/ud'

# Hypothetical view name; assoc_handle comes from the earlier OpenID
# association request.
def begin_google_login(request, assoc_handle):
    parameters = {
        'openid.ns': 'http://specs.openid.net/auth/2.0',
        'openid.claimed_id': 'http://specs.openid.net/auth/2.0/identifier_select',
        'openid.identity': 'http://specs.openid.net/auth/2.0/identifier_select',
        'openid.return_to': 'http://our.domain.com/accounts/callback/',
        'openid.realm': 'http://our.domain.com/',
        'openid.assoc_handle': assoc_handle,
        'openid.mode': 'checkid_setup',

        # OAuth hybrid extension: ask for a request token for this scope
        'openid.ns.ext2': 'http://specs.openid.net/extensions/oauth/1.0',
        'openid.ext2.consumer': 'our.domain.com',
        'openid.ext2.scope': 'https://mail.google.com/mail/feed/atom',

        # Attribute Exchange: fetch name and email
        'openid.ns.ax': 'http://openid.net/srv/ax/1.0',
        'openid.ax.mode': 'fetch_request',
        'openid.ax.required': 'firstname,lastname,email',
        'openid.ax.type.firstname': 'http://axschema.org/namePerson/first',
        'openid.ax.type.lastname': 'http://axschema.org/namePerson/last',
        'openid.ax.type.email': 'http://axschema.org/contact/email',
    }
    return HttpResponseRedirect(end_point + '?' + urllib.urlencode(parameters))

(assoc_handle is previously set successfully by the openid initial request)

I've been struggling for days trying to get this Hybrid approach working, fighting the most opaque error messages ("This page is invalid" ... thanks Google) and a lack of consistent documentation. I've trawled every code sample I can to get to this point. Any help would be appreciated ...

Keryn Knight asked Oct 09 '09 10:10




1 Answer

For the record, posterity, and anyone else who might come asunder of this, I'll document the (ridiculous) answer.

Ultimately, the problem was calling:

return HttpResponseRedirect(
    'https://www.google.com/a/thedomain.com/o8/ud?be=o8'
    + '?'
    + urllib.urlencode(parameters)
)

Can you spot it? Yeah, it was the explicit inclusion of the question mark that caused the problem. Two query strings never exist at once.

Keryn Knight answered Nov 11 '22 12:11
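The following is an added example, not the asker's code, showing the two things this thread turns on: the OpenID 2.0 checkid_setup request with the OAuth (ext2) and AX extensions from the question, and the query-string bug from the answer. It is Python 3 (urllib.parse instead of the Python 2 urllib.urlencode used above). The function names, the "constructed-assoc-handle" value and the callback/realm values are assumptions; the two endpoint URLs are the ones the question names, and the second already carries ?be=o8, which is exactly the case where endpoint + '?' + urlencode(...) breaks.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Endpoints named in the question; the hosted-domain one already has a query.
ACCOUNTS_ENDPOINT = 'https://www.google.com/accounts/o8/ud'
HOSTED_ENDPOINT = 'https://www.google.com/a/thedomain.com/o8/ud?be=o8'


def hybrid_request_params(assoc_handle, return_to, realm, consumer, scope):
    """OpenID 2.0 checkid_setup request carrying the OAuth (ext2) and AX
    extensions, with the same parameter set as the question."""
    return {
        'openid.ns': 'http://specs.openid.net/auth/2.0',
        'openid.claimed_id': 'http://specs.openid.net/auth/2.0/identifier_select',
        'openid.identity': 'http://specs.openid.net/auth/2.0/identifier_select',
        'openid.return_to': return_to,
        'openid.realm': realm,
        'openid.assoc_handle': assoc_handle,
        'openid.mode': 'checkid_setup',
        'openid.ns.ext2': 'http://specs.openid.net/extensions/oauth/1.0',
        'openid.ext2.consumer': consumer,
        'openid.ext2.scope': scope,
        'openid.ns.ax': 'http://openid.net/srv/ax/1.0',
        'openid.ax.mode': 'fetch_request',
        'openid.ax.required': 'firstname,lastname,email',
        'openid.ax.type.firstname': 'http://axschema.org/namePerson/first',
        'openid.ax.type.lastname': 'http://axschema.org/namePerson/last',
        'openid.ax.type.email': 'http://axschema.org/contact/email',
    }


def naive_redirect_url(endpoint, params):
    """The construction from the question and answer: fine for a bare
    endpoint, but produces a second '?' when the endpoint already has a
    query, so everything after it becomes part of the 'be' value."""
    return endpoint + '?' + urlencode(params)


def redirect_url(endpoint, params):
    """Merge params into whatever query the endpoint already carries, so
    be=o8 survives and the OpenID parameters are still parseable."""
    scheme, netloc, path, query, fragment = urlsplit(endpoint)
    merged = parse_qsl(query, keep_blank_values=True) + list(params.items())
    return urlunsplit((scheme, netloc, path, urlencode(merged), fragment))


def query_params(url):
    """Parse a URL's query back into a dict, as the OpenID provider would."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == '__main__':
    params = hybrid_request_params(
        'constructed-assoc-handle',  # constructed sample value, not a real handle
        'http://our.domain.com/accounts/callback/',
        'http://our.domain.com/',
        'our.domain.com',
        'https://mail.google.com/mail/feed/atom',
    )
    bad = naive_redirect_url(HOSTED_ENDPOINT, params)
    good = redirect_url(HOSTED_ENDPOINT, params)
    print('naive URL has', bad.count('?'), "'?' characters")   # 2
    print('merged URL has', good.count('?'), "'?' characters")  # 1
    print('openid.mode seen by the provider:', query_params(good).get('openid.mode'))
```

Parsing the naive URL back with query_params shows why the provider answered with "This page is invalid": be is received as "o8?openid.ns=..." and no openid.* parameter is present at all, so the request is neither a valid OpenID request nor a valid hosted-domain one.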