<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Len,<br>
<br>
It sounds like that's another thing that Google is non-compliant
with, then, because the server must accept a nonce if given by the
client and must pass it through to the ID Token if present. From
the spec itself:<br>
<br>
<blockquote>If present in the Authentication Request,
Authorization Servers MUST include a <tt>nonce</tt> Claim in
the ID Token with the Claim Value being the nonce value sent in
the Authentication Request.<br>
</blockquote>
<br>
You might want to report that as a bug with Google. Our client
code expects its nonce claim to be passed through and checks for
it explicitly.<br>
<br>
-- Justin<br>
<br>
On 4/13/2014 9:33 PM, Len Takeuchi wrote:<br>
</div>
<blockquote cite="mid:081501cf5781$7d768230$78638690$@jostle.me"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;
mso-fareast-language:EN-US;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Justin,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks for your
response to my question. So I tried what you suggested which
is to set up static server and client configuration. One
thing that happened was that the google’s authorization url
doesn’t accept a nonce so I manually removed the nonce from
the failed browser redirect to the google authorization url
and manually submitted and I was able to go through login
process with google. Then eventually I get authentication
failure back on my (mitre) side: "ID token did not contain a
nonce claim."<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Len<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:EN-CA"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:EN-CA"
lang="EN-US"> Justin Richer [<a class="moz-txt-link-freetext" href="mailto:jricher@MIT.EDU">mailto:jricher@MIT.EDU</a>] <br>
<b>Sent:</b> April-11-14 4:26 PM<br>
<b>To:</b> Len Takeuchi; <a class="moz-txt-link-abbreviated" href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a><br>
<b>Subject:</b> Re: [mitreid-connect] openid connect
with google<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Len,<br>
<br>
I haven't personally tried connecting the client to Google
yet, but I know that Google's implementation is out of spec
on one thing: their issuer URL isn't a fully qualified URL,
but rather just a hostname. They pushed the capability with
that bug before the bug was caught, and now they're a little
bit stuck with it until they can figure out how to
transition people to the "right" version. <br>
<br>
I haven't tried this myself and I'm not sure if this will
work, but you can try this:<br>
<br>
You could use a static issuer service and just point it at
the Google issuer, "accounts.google.com", because I don't
think that they do webfinger yet. You'd then need a static
server configuration that includes the values in the
openid-configuration document listed below, because the
dynamic server configuration class won't be able to make a
full URL out of Google's out-of-spec issuer string. Next,
you'll need a client configuration, and I'm not sure if
Google supports dynamic registration or not, but I don't
think they do so you might need to register a client with
google and set up a static client configuration bean as
well. Wire all of those into your client's RP and try it
out. <br>
<br>
-- Justin<br>
<br>
On 4/11/2014 7:17 PM, Len Takeuchi wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’m trying to use mitreid-connect to
openid connect with google. In google documentation (<a
moz-do-not-send="true"
href="https://developers.google.com/accounts/docs/OAuth2Login#discovery">https://developers.google.com/accounts/docs/OAuth2Login#discovery</a>),
they specify that there is a specific URL to get the
discovery document:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><a moz-do-not-send="true"
href="https://accounts.google.com/.well-known/openid-configuration">https://accounts.google.com/.well-known/openid-configuration</a><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’m trying work out what issuer service
implementation I should use. Is it the webfinger issuer
service that I should use and the identifier would be
“accounts.google.com” or does google having a specific url
to get the discovery document not fit with any of the issue
service implementation?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Len<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:EN-CA"><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>mitreid-connect mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:EN-CA"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>