I am migrating from Google OpenID 2.0 to OpenID Connect. I am currently using Microsofts ACS which uses Googles depreciated OpenID 2.0 for authentication. This means my realm was automatically set to 'https://mywebsite.accesscontrol.windows.net:443/v2/openid'.

ACS has no plans to upgrade so I have begun integrating with Google OpenID Connect directly. I'm following Googles migration documentation which says I can add a openid.realm parameter (set as the realm used for OpenID 2.0) to then obtain the openid_id needed to map existing user accounts. Also it says the redirect_uri needs to be the same as the openid.realm. I guess for security reasons.

So my problem is I cannot set the redirect uri to the same as the realm because the realm is the ACS endpoint e.g.

https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=id.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Fmywebsite.com%3A2018%2F&scope=openid%20profile%20email&state=state&openid.realm=https%3A%2F%2Fmywebsite.accesscontrol.windows.net%3A443%2Fv2%2Fopenid

I have tried setting them different but I get an error

'Realm didn't match redirect_uri/origin. Error code: 5'

Is Google planning to support cases like this?

Any ideas on ways to get around this?

Old question, but in case it still matters, I think the Google docs actually say:

"Find your application's redirect_uri and change it (if necessary) so that it matches your OpenID 2.0 openid.realm value, according to the matching rules in section 9.2 of the OpenID 2.0 spec"

That boils down to the domain matching and the redirect_uri being a sub-path of the path in the openid.realm, if there is one.

Since your openid.realm included a path I think you're kind of screwed and you will have to resort to setting up some kind of redirection in your server to map the old redirect_url to your new path. Thankfully, in my case, I can set the redirect_url to any new path as my openid.realm only had a domain name.