OpenID Connect delegation with Google now that they are deprecating their OpenID2 provider?
3

31

For years I have used OpenID delegation to log in to Stack Overflow (among other sites) using my own URI as OpenID but having Google handle the authentication. I use the technique described in this Stack Overflow question; so, my custom OpenID http://tupelo-schneck.org/robert resolves to an HTML page containing this:

<link href="https://www.google.com/accounts/o8/ud" rel="openid2.provider" />
<link href="https://www.google.com/profiles/schneck" rel="openid2.local_id" />  

Now, however, I have logged into Stack Overflow and had Google tell me "Important notice: OpenID2 for Google accounts is going away on April 20, 2015. Learn more." This page explains that Google has deprecated OpenID 2.0 and developers should migrate their apps to OpenID Connect.

Can I continue to use a custom URI for OpenID login, but delegate to Google's OpenID Connect provider for authentication? How?

Locomobile answered 14/1, 2015 at 14:15 Comment(0)
9

OpenID Connect only supports Discovery that is meant to find your Provider based on some hint you give it (e-mail, account, URL, domain etc.); it won't give you a persistent identifier for which you can delegate authentication to a configurable Provider of your choice.

So if you only want to use a custom URI to find your provider, you can use the approach that Nat gave (except for the last bit that Google does not and can not do and assuming that SO supports Discovery).

But if you want true delegation, so that RPs can use an identifier returned by the OP that is persistent over different OPs that you delegate to, then you can't.

For StackOverflow you probably don't need either one of those: SO uses its own primary identifier/account and you can link several accounts to that, including Google's. Only if SO would have used your custom URI as its primary identifier you would have had a problem. In this case there's no problem and you can:

  1. use the Google login button, or
  2. type your custom URI in the OpenID URL entry box, assuming both you and SO have implemented Discovery

But both 1. and 2. really yield the same result: they find out that Google is where you want to authenticate.

Wheels answered 20/1, 2015 at 20:2 Comment(1)
This may deserve a question of its own. I'd imagine Robert set up the delegation for much the same reason as I did: because I wanted to be able to swap out authentication providers without having to go to all the individual sites that use the custom URI as the user identifier. Stack Overflow/Exchange is one of the few sites that has the notion that an SO/SE user might have multiple identities, others simply don't. I don't want to set up something new if all that does is tie me to Google again. If I switch authentication providers, am I simply postponing the inevitable if others drop OpenID 2.0?Inkling
6

Assuming that you want to use your own domain as the user supplied login identifier --

  1. Go to https://stackoverflow.com/users/login-add?returnUrl=%2Fusers%2Fcurrent and Add a login using Google. This will add a Google OpenID Connect identifier to your account.
  2. Host an OpenID Connect discovery document at your domain (see http://openid.net/specs/openid-connect-discovery-1_0.html#URLSyntax for details).
  3. Wait till StackOverflow starts supporting OpenID Connect discovery
  4. Use http://tupelo-schneck.org/robert as the user identifier

In addition, if StackOverflow supports OpenID Connect Migration 1.0, and assuming that Google returns your custom domain claimed_id in the Migration response, then:

  1. Host the JSON document as described in http://openid.net/specs/openid-connect-migration-1_0.html#VerifyOPAuthority in your domain.

would smooth your way.

Steiermark answered 19/1, 2015 at 10:36 Comment(6)
I don't think Google can support returning the custom domain claimed_id because they have not stored that and it is not passed in. This would mean that true delegation is not supported but this is limited (assuming SO starts supporting discovery) to just discovery through a custom domain/name. The primary identifier would become a Google specific id which would most probably defeat the poster's objective.Wheels
yeah... otherwise, you can always set up your own IdP using my open source project like bitbucket.org/PEOFIAMP/phpoidc :-)Steiermark
Thanks! My reading of the discovery spec is that I'll need to use HTTPS. That's fine with me. The only hurdle is whether and when Stack Overflow will support OpenID Connect discovery. Anyone know? And finally, it doesn't look like I need migration since the same identifier (or the HTTPS version anyway) will continue to work. Any comments?Locomobile
Actually, maybe @HansZ. is saying this won't work. To put it another way, OpenID Connect discovery doesn't have any analogy of the "Claimed Identifier" vs "OP-Local Identifier" in OpenID2 delegation. I could have tupelo-schneck.org/robert claim that Google is the "Issuer" of that identifier, but since Google doesn't know or care about that identifier, it won't actually do any good. Is that right?Locomobile
Or is @HansZ. saying that I will be able to log in successfully with tupelo-schneck.org/robert, but Stack Overflow will think that I'm actually something.google.something? That might be good enough...Locomobile
indeed, the latter: if SO implements Discovery and you implement the Discovery (WebFinger) pieces on your domain then you will be able to use your URL for login but SO will still see the Google identifier; the alternative, just clicking the big "login with Google Account" button saves the hassle for both SO and you...Wheels
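The discovery flow that Wheels's answer contrasts with delegation, and that steps 2 and 4 of Nat's answer rely on, as an added Python example (not from the thread or any project): it normalizes a user-typed identifier, reads the WebFinger document the user would host, fetches the issuer's configuration, and enforces the issuer-match check. The documents are constructed in-memory stand-ins, and the `bad.example` entries are hypothetical.

```python
"""OpenID Connect issuer discovery for a user-typed identifier (Discovery 1.0,
WebFinger flow). Added example; HTTPS fetches are replaced by an offline dict."""
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

def webfinger_url(host, resource):
    return "https://%s/.well-known/webfinger?%s" % (
        host, urlencode({"resource": resource, "rel": OIDC_ISSUER_REL}))

# Constructed stand-ins: the WebFinger file the user would host, a trimmed
# Google-style configuration, and a hypothetical misconfigured issuer.
FAKE_WEB = {
    webfinger_url("tupelo-schneck.org", "https://tupelo-schneck.org/robert"): {
        "subject": "https://tupelo-schneck.org/robert",
        "links": [{"rel": OIDC_ISSUER_REL, "href": "https://accounts.google.com"}]},
    "https://accounts.google.com/.well-known/openid-configuration": {
        "issuer": "https://accounts.google.com"},
    webfinger_url("bad.example", "acct:alice@bad.example"): {
        "links": [{"rel": OIDC_ISSUER_REL, "href": "https://idp.bad.example"}]},
    "https://idp.bad.example/.well-known/openid-configuration": {
        "issuer": "https://someone-else.example"},
}

def fetch_json(url):  # offline stand-in for an HTTPS GET returning JSON
    return FAKE_WEB[url]

def normalize(identifier):
    """Discovery sec. 2.1: e-mail-like input -> acct: URI, bare host/path gets
    https://, fragment dropped. Returns (resource, host to query)."""
    if "@" in identifier and "://" not in identifier:
        return "acct:" + identifier, identifier.rsplit("@", 1)[1]
    if "://" not in identifier:
        identifier = "https://" + identifier
    parts = urlsplit(identifier)
    return parts._replace(fragment="").geturl(), parts.netloc

def discover(identifier):
    """Return the issuer URL for identifier, or raise if discovery is unsafe."""
    resource, host = normalize(identifier)
    links = fetch_json(webfinger_url(host, resource)).get("links", [])
    issuers = [l["href"] for l in links if l.get("rel") == OIDC_ISSUER_REL]
    if len(issuers) != 1:
        raise ValueError("expected exactly one issuer link, got %d" % len(issuers))
    issuer = issuers[0]
    cfg = fetch_json(issuer.rstrip("/") + "/.well-known/openid-configuration")
    # Discovery sec. 4.3: the advertised issuer must equal the location it was
    # fetched from, else a tampered WebFinger file could steer users to a look-alike OP.
    if cfg.get("issuer") != issuer:
        raise ValueError("issuer mismatch: %s vs %s" % (cfg.get("issuer"), issuer))
    # The RP keys the account on this issuer's sub claim; the typed URL never
    # reaches Google, which is why the thread calls this discovery, not delegation.
    return issuer
```

The custom URL only selects the provider; the identifier the RP stores is still Google's, as the comments above conclude.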
-4

Switching your OpenID provider from Google to Yahoo! on your site might work for you, until Yahoo! stops its OpenID 2.0 feature.

However, if you are OK with Nat's 1st suggestion, it would be a more stable way for a longer time.

Scavenger answered 20/1, 2015 at 0:25 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.