Bug 6900 - Allow use of Google account with OpenId
Status: RESOLVED WORKSFORME
: GridShib
GridShib-CA
: 2.0.0
: All All
: P3 normal
: 6913
Reported: 2009-12-16 21:24 by
Modified: 2010-01-12 22:00




Description From 2009-12-16 21:24:03
Apparently the OpenID to use with Google is:

https://www.google.com/accounts/o8/id

See, among other pages:

http://weblogs.asp.net/meligy/archive/2009/07/28/small-tip-use-your-google-account-openid-url-but-what-s-the-url.aspx

But this fails with the following error currently with the GridShib-CA OpenId
authentication:

OpenId error: The provided URL doesn't declare its OpenID identity server.
(no_identity_server)
------- Comment #1 From 2009-12-16 21:34:41 -------
Two links that may be relevant to this:
http://googlecode.blogspot.com/2009/11/hybrid-onboarding.html
http://code.google.com/apis/accounts/docs/OpenID.html
------- Comment #2 From 2009-12-30 21:26:38 -------
Marlon Pierce's post on using Google OpenId with openid4java:
http://communitygrids.blogspot.com/2009/12/quick-guide-to-using-googles-openid.html
------- Comment #3 From 2010-01-06 14:51:33 -------
Try other providers to see if this is a google-specific problem or not. See:
http://openid.net/get-an-openid/
------- Comment #4 From 2010-01-07 19:24:33 -------
Another good test would be to test it with the new OpenId support in the Shib
IdP:

https://spaces.internet2.edu/display/SHIB2/IdP+OpenID

Email sent asking if there is a testshib implementation with openid support.
------- Comment #5 From 2010-01-11 13:38:57 -------
(In reply to comment #3)
> Try other providers to see if this is a google-specific problem or not. See:
> http://openid.net/get-an-openid/

Verified GS-CA OpenId works with:
 Blogger: vwelch.blogspot.com
 MySpace: www.myspace.com/vonswelch (resolves to http://www.myspace.com/von_welch)
 AOL: openid.aol.com/vonswelch
------- Comment #6 From 2010-01-11 14:01:20 -------
Suddenly this is working for me (and Jim) using an openid of:

https://www.google.com/accounts/o8/id

Not sure why it is working now. I cannot think of anything that has changed on the
GS-CA end.

The resulting UserId is, uh, interesting:

UserId: https://www.google.com/accounts/o8/id?id=AItOawmkHXcP0r7EcetS_1gR-5rmegCtAraGKww
IdP:    https://www.google.com/accounts/o8/ud

From looking at Marlon's post (comment #2), it looks like the email attribute
contains a real email address, which would be a much friendlier username.

I'm not currently pulling any OpenId attributes into the session, so I don't
know if I'm getting the same attributes as Marlon.
------- Comment #7 From 2010-01-11 14:13:47 -------
In case problems come up with Google again, capturing what some interactions
with Google look like when things are working:

% wget --no-check-certificate https://www.google.com/accounts/o8/id
...snip...
% cat id
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
  <Service priority="0">
  <Type>http://specs.openid.net/auth/2.0/server</Type>
  <Type>http://openid.net/srv/ax/1.0</Type>
  <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
  <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
  <Type>http://specs.openid.net/extensions/pape/1.0</Type>
  <URI>https://www.google.com/accounts/o8/ud</URI>
  </Service>
  </XRD>
</xrds:XRDS>
% wget --no-check-certificate https://www.google.com/accounts/o8/ud
--14:11:32--  https://www.google.com/accounts/o8/ud
           => `ud'
Resolving www.google.com... 209.85.225.105, 209.85.225.104, 209.85.225.106, ...
Connecting to www.google.com|209.85.225.105|:443... connected.
WARNING: Certificate verification error for www.google.com: unable to get local
issuer certificate
HTTP request sent, awaiting response... 400 Bad Request
14:11:32 ERROR 400: Bad Request.
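
Added example, not part of the original comment or of the GridShib-CA code: a minimal Python sketch of the discovery step that turns the XRDS document captured above into an OpenID 2.0 endpoint, and that fails when no usable service is declared. The function and exception names are hypothetical, the `no_identity_server` message only mirrors the error text in the bug description, and the https-only rule is an assumed relying-party policy.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"  # default namespace of the captured document
OP_SERVER = "http://specs.openid.net/auth/2.0/server"   # OP Identifier service
SIGNON = "http://specs.openid.net/auth/2.0/signon"      # Claimed Identifier service
AX = "http://openid.net/srv/ax/1.0"                     # Attribute Exchange

# XRDS body copied from the wget capture in comment #7.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
  <Service priority="0">
  <Type>http://specs.openid.net/auth/2.0/server</Type>
  <Type>http://openid.net/srv/ax/1.0</Type>
  <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
  <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
  <Type>http://specs.openid.net/extensions/pape/1.0</Type>
  <URI>https://www.google.com/accounts/o8/ud</URI>
  </Service>
  </XRD>
</xrds:XRDS>"""

class DiscoveryError(Exception):
    """Hypothetical error type for this example."""

def discover(xrds: bytes) -> dict:
    """Return the preferred OpenID 2.0 endpoint advertised by an XRDS document."""
    if b"<!DOCTYPE" in xrds or b"<!ENTITY" in xrds:
        raise DiscoveryError("DTD/entity declarations rejected")  # untrusted input
    try:
        root = ET.fromstring(xrds)
    except ET.ParseError as exc:
        raise DiscoveryError(f"not well-formed XML: {exc}") from exc
    xrd_elements = root.findall(XRD + "XRD")  # the last XRD element is the one used
    found = []
    for svc in (xrd_elements[-1].findall(XRD + "Service") if xrd_elements else []):
        types = {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}
        uri = (svc.findtext(XRD + "URI") or "").strip()
        if not types & {OP_SERVER, SIGNON} or not uri.startswith("https://"):
            continue  # assumption: this relying party only accepts TLS endpoints
        prio = svc.get("priority", "")  # lower value wins; absent sorts last
        found.append((int(prio) if prio.isdigit() else float("inf"), uri, types))
    if not found:
        raise DiscoveryError("no_identity_server")  # mirrors the reported error text
    _, uri, types = min(found, key=lambda item: item[0])
    return {"endpoint": uri, "op_identifier": OP_SERVER in types,
            "attribute_exchange": AX in types}
```

For the captured document the result reports the `/accounts/o8/ud` endpoint as an OP Identifier service that also advertises Attribute Exchange, the extension comment #9 says is needed for the email attribute.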
------- Comment #8 From 2010-01-11 21:53:04 -------
(In reply to comment #6)
> Suddenly this is working for me (and Jim)

OK, the issue is that Google OpenID does not work for me when I'm running the
GSCA on my mac, but does when the GSCA is running on shibber.

I'm guessing it has something to do with the fact that the hostname I'm using
for my mac is not in the public DNS, just in /etc/hosts, and Google is relying
on that somehow.
------- Comment #9 From 2010-01-12 22:00:19 -------
Closing this bug since basic openid authentication with Google works.

Note that to get nicer attributes, such as email address, apparently Attribute
Exchange is needed. See Bug 6913.