I'm trying to implement OpenID login for a web application. Whenever a new user logs in via OpenID, I create a new user on the system, and among the data I store their OpenID URL, so that next time they log in with that user.
I'm testing this with my Gmail OpenID, and the problem is that every time I do this, Google sends a different OpenID URL, that is, https://www.google.com/accounts/o8/id?id=SomethingThatChangesFromTimeToTime
Of course I'm then not able to tell whether or not this is a new user. I'm a bit puzzled: shouldn't the OpenID identifier always remain the same?
Google's OAuth 2.0 APIs can be used for both authentication and authorization. This document describes our OAuth 2.0 implementation for authentication, which conforms to the OpenID Connect specification, and is OpenID Certified.
An ID token is an artifact that proves that the user has been authenticated. It was introduced by OpenID Connect (OIDC), an open standard for authentication used by many identity providers such as Google, Facebook, and, of course, Auth0. Check out this document for more details on OpenID Connect.
The access token is set with a reasonably lower expiration time of 30 mins. The refresh token is set with a very long expiration time of 200 days.
OAuth 2.0 allows users to share specific data with an application while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives. This OAuth 2.0 flow is called the implicit grant flow.
Google's OpenID identifier is more or less a hashed representation of multiple data including the host the request came from (more exactly the openid.realm parameter sent to the provider). So if your host changes from time to time (like the port and IP address changes), then the ID will change from time to time too. StackOverflow uses a workaround for this issue too. Check these posts:
Here is an FAQ excerpt from Google:
Q: The OpenID spec says that the openid.realm is optional, and that if not provided, Google should use the openid.return_to URL instead. Will that work?
A: It will work in the sense that the protocol will complete successfully. But if your return_to URL is something like www.example.com/authenticate?style=openid-federated_login, you are asking us to prompt users to approve and trust a specific address at your site, which is not user-friendly. Also, if you omit the openid.realm parameter, you will never be able to change your return_to URL: It will also implicitly change the realm and the URL identifiers of your Google Account users.
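One way to keep the realm fixed, as the answer and the FAQ excerpt advise: an added example, not code from the original post or from Google. It builds an OpenID 2.0 checkid_setup request with an explicit openid.realm and rejects any return_to that falls outside that realm (the matching rules of OpenID Authentication 2.0, section 9.2). The endpoint URL and the function names are assumptions; a real endpoint comes from discovery.

```python
from urllib.parse import urlsplit, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"
DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Split a URL into (scheme, host, port, path), filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port, u.path or "/"


def return_to_matches_realm(return_to, realm):
    """True if return_to lies inside realm (hypothetical helper name)."""
    if urlsplit(realm).fragment:
        return False  # a realm must not contain a fragment
    r_scheme, r_host, r_port, r_path = _parts(realm)
    t_scheme, t_host, t_port, t_path = _parts(return_to)
    if (r_scheme, r_port) != (t_scheme, t_port):
        return False  # a changed port is a different realm
    if r_host.startswith("*."):
        suffix = r_host[1:]  # "*.example.com" -> ".example.com"
        if not (t_host.endswith(suffix) or t_host == suffix[1:]):
            return False
    elif r_host != t_host:
        return False
    # The path must equal the realm path or be a sub-directory of it.
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return t_path == r_path or t_path.startswith(prefix)


def build_auth_request(endpoint, realm, return_to):
    """Build the redirect URL with a fixed realm (hypothetical helper name)."""
    if not return_to_matches_realm(return_to, realm):
        raise ValueError("return_to %r is outside realm %r" % (return_to, realm))
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,  # set once in configuration, never from the request host
    }
    return endpoint + "?" + urlencode(params)
```

A development server on another port fails the realm check here, which is the same host change that makes the provider return a different identifier.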