Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OpenID Connect delegation with Google now that they are deprecating their OpenID2 provider?

For years I have used OpenID delegation to log in to Stack Overflow (among other sites) using my own URI as OpenID but having Google handle the authentication. I use the technique described in this Stack Overflow question; so, my custom OpenID http://tupelo-schneck.org/robert resolves to an HTML page containing this:

<link href="https://www.google.com/accounts/o8/ud" rel="openid2.provider" /> <link href="https://www.google.com/profiles/schneck" rel="openid2.local_id" />   

Now, however, I have logged into Stack Overflow and had Google tell me "Important notice: OpenID2 for Google accounts is going away on April 20, 2015. Learn more." This page explains that Google has deprecated OpenID 2.0 and developers should migrate their apps to OpenID Connect.

Can I continue to use a custom URI for OpenID login, but delegate to Google's OpenID Connect provider for authentication? How?

like image 528
Robert Tupelo-Schneck Avatar asked Jan 14 '15 14:01

Robert Tupelo-Schneck


People also ask

Is OpenID Connect obsolete?

Is OpenID Dead? Yes, OpenID is an obsolete standard that is no longer supported by the OpenID Foundation.

Does Google support OpenID?

Google's OAuth 2.0 APIs can be used for both authentication and authorization. This document describes our OAuth 2.0 implementation for authentication, which conforms to the OpenID Connect specification, and is OpenID Certified.

Is OpenID 2.0 deprecated?

Deprecated. The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2 . Filter which processes OpenID authentication requests.

Does OpenID provide authentication delegation?

What does OpenID provide? Authentication Delegation (Relying Party). OpenID allows authentication to be delegated to a third-party authentication service.


2 Answers

OpenID Connect only supports Discovery that is meant to find your Provider based on some hint you give it (e-mail, account, URL, domain etc.); it won't give you a persistent identifier for which you can delegate authentication to a configurable Provider of your choice.

So if you only want to use a custom URI to find your provider, you can use the approach that Nat gave (except for the last bit that Google does not and can not do and assuming that SO supports Discovery).

But if you want true delegation, so that RPs can use an identifier returned by the OP that is persistent over different OPs that you delegate to, then you can't.

For StackOverflow you probably don't need either one of those: SO uses its own primary identifier/account and you can link several accounts to that, including Google's. Only if SO would have used your custom URI as its primary identifier you would have had a problem. In this case there's no problem and you can:

  1. use the Google login button, or
  2. type your custom URI in the OpenID URL entry box, assuming both you and have implemented Discovery

But both 1. and 2. really yield the same result: they find out that Google is where you want to authenticate.

like image 84
Hans Z. Avatar answered Sep 19 '22 15:09

Hans Z.


Assuming that you want to use your own domain as the user supplied login identifier --

  1. Go to https://stackoverflow.com/users/login-add?returnUrl=%2Fusers%2Fcurrent and Add a login using Google. This will add Google OpenID Connect identifier to your account.
  2. Host OpenID Connect discovery document at your domain (see http://openid.net/specs/openid-connect-discovery-1_0.html#URLSyntax for details.)
  3. Wait till StackOverflow start supporting OpenID Connect discovery
  4. Use http://tupelo-schneck.org/robert as the user identifier

In addition, if StackOverflow supports OpenID Connect Migration 1.0, and assuming that Google returns your custom domain claimed_id in the Migration response, then:

  1. Host the JSON document as described in http://openid.net/specs/openid-connect-migration-1_0.html#VerifyOPAuthority in your domain.

would smooth your way.

like image 27
Nat Sakimura Avatar answered Sep 17 '22 15:09

Nat Sakimura