[mitreid-connect] openid connect with google

Len Takeuchi len at jostle.me
Sun Apr 13 21:33:07 EDT 2014


Justin,


Thanks for your response to my question. So I tried what you suggested, which
is to set up a static server and client configuration. One thing that happened
was that Google's authorization URL doesn't accept a nonce, so I manually
removed the nonce from the failed browser redirect to the Google
authorization URL and manually submitted it, and I was able to go through the
login process with Google. Then eventually I get an authentication failure back
on my (mitre) side: "ID token did not contain a nonce claim."


Regards,

Len
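The failure Len reports above comes from the relying party's post-signature claim checks: the client put a nonce in the authorization request, so it requires the ID token to echo that nonce, otherwise the token cannot be tied to this login attempt and could be a replayed token from some other session. The following is an added example, not code from this thread or from MITREid Connect, of those claim checks written in plain Python. It assumes the JWS signature has already been verified against the provider's JWK set, and every value in it (issuer string, client id, nonce, subject, clock) is constructed for the example.

```python
import hmac
import time

# Constructed sample values for this example; none of them are Google's real values.
EXPECTED_ISSUER = "accounts.google.com"   # the bare-hostname issuer string discussed in the thread
CLIENT_ID = "example-client-id"           # hypothetical client id registered with the provider
SESSION_NONCE = "n-0S6_WzA2Mj"            # nonce the RP generated and stored in the user's session
NOW = 1397438000                          # fixed clock so the example is deterministic

# Constructed ID token payload, as it would look after signature verification and decoding.
GOOD_CLAIMS = {
    "iss": "accounts.google.com",
    "sub": "110169484474386276334",
    "aud": "example-client-id",
    "iat": NOW - 60,
    "exp": NOW + 3540,
    "nonce": "n-0S6_WzA2Mj",
}


class IdTokenError(ValueError):
    """Raised when an ID token claim fails validation."""


def validate_id_token_claims(claims, expected_issuer, client_id, request_nonce, now=None):
    """Check the core ID token claims an RP must verify after the signature check:
    iss, aud/azp, exp, sub and, when the RP sent one, nonce.
    `request_nonce` is the nonce stored in the session when the authorization
    request was built, or None if the RP sent no nonce (allowed in the code flow)."""
    now = time.time() if now is None else now

    # The issuer must match the configured value byte for byte; no normalisation,
    # so "https://accounts.google.com" does not match a configured "accounts.google.com".
    if claims.get("iss") != expected_issuer:
        raise IdTokenError("issuer mismatch: %r != %r" % (claims.get("iss"), expected_issuer))

    # aud may be a single string or a list; this client must be among them, and with
    # several audiences the authorized party (azp) must be this client.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise IdTokenError("audience does not include this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences but azp is not this client")

    if "exp" not in claims or now >= claims["exp"]:
        raise IdTokenError("ID token expired")
    if "sub" not in claims:
        raise IdTokenError("ID token has no subject")

    # If the RP sent a nonce, the token must carry the same nonce; a token without one
    # cannot be bound to this login attempt and is rejected (the error Len saw).
    if request_nonce is not None:
        if "nonce" not in claims:
            raise IdTokenError("ID token did not contain a nonce claim.")
        if not hmac.compare_digest(str(claims["nonce"]).encode(), request_nonce.encode()):
            raise IdTokenError("nonce does not match the one sent in the authorization request")

    return {"sub": claims["sub"], "iss": claims["iss"]}


def check(claims, request_nonce, now=NOW):
    """Return 'ok' or the validation error text, so outcomes are easy to compare."""
    try:
        validate_id_token_claims(claims, EXPECTED_ISSUER, CLIENT_ID, request_nonce, now)
        return "ok"
    except IdTokenError as err:
        return str(err)


def no_nonce_token():
    """The token shape from the thread: the nonce was dropped from the request."""
    claims = dict(GOOD_CLAIMS)
    del claims["nonce"]
    return claims


def https_issuer_token():
    """A token whose iss is a full URL while the RP is configured with the bare hostname."""
    return dict(GOOD_CLAIMS, iss="https://accounts.google.com")


if __name__ == "__main__":
    print(check(GOOD_CLAIMS, SESSION_NONCE))        # ok
    print(check(no_nonce_token(), SESSION_NONCE))   # ID token did not contain a nonce claim.
    print(check(no_nonce_token(), None))            # ok: the RP sent no nonce, so none is expected
    print(check(https_issuer_token(), SESSION_NONCE))  # issuer mismatch
```

The third case shows the only way a nonce-less token passes: the RP itself sent no nonce, which is permitted in the authorization code flow. Dropping the nonce from the redirect by hand, as described above, leaves the session still expecting one, so the mismatch is the correct outcome rather than something to relax in the validator.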


From: Justin Richer [mailto:jricher at MIT.EDU] 
Sent: April-11-14 4:26 PM
To: Len Takeuchi; mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] openid connect with google


Len,

I haven't personally tried connecting the client to Google yet, but I know
that Google's implementation is out of spec on one thing: their issuer URL
isn't a fully qualified URL, but rather just a hostname. They pushed the
capability with that bug before the bug was caught, and now they're a little
bit stuck with it until they can figure out how to transition people to the
"right" version. 

I haven't tried this myself and I'm not sure if this will work, but you can
try this:

You could use a static issuer service and just point it at the Google
issuer, "accounts.google.com", because I don't think that they do WebFinger
yet. You'd then need a static server configuration that includes the values
in the openid-configuration document listed below, because the dynamic
server configuration class won't be able to make a full URL out of Google's
out-of-spec issuer string. Next, you'll need a client configuration, and I'm
not sure if Google supports dynamic registration or not, but I don't think
they do, so you might need to register a client with Google and set up a
static client configuration bean as well. Wire all of those into your
client's RP and try it out.

 -- Justin

On 4/11/2014 7:17 PM, Len Takeuchi wrote:

Hello,


I'm trying to use mitreid-connect to do OpenID Connect with Google. In the Google
documentation
(https://developers.google.com/accounts/docs/OAuth2Login#discovery), they
specify that there is a specific URL to get the discovery document:


https://accounts.google.com/.well-known/openid-configuration


I'm trying to work out which issuer service implementation I should use. Is it
the WebFinger issuer service that I should use, with the identifier being
"accounts.google.com", or does Google having a specific URL to get the
discovery document not fit with any of the issuer service implementations?


Regards,

Len






_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu
http://mailman.mit.edu/mailman/listinfo/mitreid-connect

