OpenID Connect delegation with Google now that they are deprecating their OpenID2 provider?

Question

For years I have used OpenID delegation to log in to Stack Overflow (among other sites) using my own URI as OpenID but having Google handle the authentication. I use the technique described in this Stack Overflow question; so, my custom OpenID http://tupelo-schneck.org/robert resolves to an HTML page containing this:

<link href="https://www.google.com/accounts/o8/ud" rel="openid2.provider" /> <link href="https://www.google.com/profiles/schneck" rel="openid2.local_id" />   

Now, however, I have logged into Stack Overflow and had Google tell me "Important notice: OpenID2 for Google accounts is going away on April 20, 2015. Learn more." This page explains that Google has deprecated OpenID 2.0 and developers should migrate their apps to OpenID Connect.

Can I continue to use a custom URI for OpenID login, but delegate to Google's OpenID Connect provider for authentication? How?

Answer 1

OpenID Connect only supports Discovery that is meant to find your Provider based on some hint you give it (e-mail, account, URL, domain etc.); it won't give you a persistent identifier for which you can delegate authentication to a configurable Provider of your choice.

So if you only want to use a custom URI to find your provider, you can use the approach that Nat gave (except for the last bit that Google does not and can not do and assuming that SO supports Discovery).

But if you want true delegation, so that RPs can use an identifier returned by the OP that is persistent over different OPs that you delegate to, then you can't.

For StackOverflow you probably don't need either one of those: SO uses its own primary identifier/account and you can link several accounts to that, including Google's. Only if SO would have used your custom URI as its primary identifier you would have had a problem. In this case there's no problem and you can:

1. use the Google login button, or
2. type your custom URI in the OpenID URL entry box, assuming both you and have implemented Discovery

But both 1. and 2. really yield the same result: they find out that Google is where you want to authenticate.

Answer 2

Assuming that you want to use your own domain as the user supplied login identifier --

1. Go to https://stackoverflow.com/users/login-add?returnUrl=%2Fusers%2Fcurrent and Add a login using Google. This will add Google OpenID Connect identifier to your account.
2. Host OpenID Connect discovery document at your domain (see http://openid.net/specs/openid-connect-discovery-1_0.html#URLSyntax for details.)
3. Wait till StackOverflow start supporting OpenID Connect discovery
4. Use http://tupelo-schneck.org/robert as the user identifier

In addition, if StackOverflow supports OpenID Connect Migration 1.0, and assuming that Google returns your custom domain claimed_id in the Migration response, then:

1. Host the JSON document as described in http://openid.net/specs/openid-connect-migration-1_0.html#VerifyOPAuthority in your domain.

would smooth your way.