[mitreid-connect] openid connect with google
Justin Richer
jricher at MIT.EDU
Sun Apr 13 21:55:37 EDT 2014
Len,
It sounds like that's another thing that Google is non-compliant with,
then, because the server must accept a nonce if given by the client and
must pass it through to the ID Token if present. From the spec itself:
If present in the Authentication Request, Authorization Servers MUST
include a nonce Claim in the ID Token with the Claim Value being the
nonce value sent in the Authentication Request.
You might want to report that as a bug with Google. Our client code
expects its nonce claim to be passed through and checks for it explicitly.
-- Justin
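To make the spec requirement quoted above concrete, here is an added example (not MITREid Connect's own client code, and not from the thread) of the checks a relying party runs on an ID Token after the signature has been verified: the issuer must match the configured value exactly, and if the client sent a nonce in the Authentication Request the token must carry that same nonce back. The token builder, the `https://op.example` issuer and the function names are constructed for illustration; the hostname-only issuer test reflects the "accounts.google.com" issue raised earlier in the thread.

```python
import base64
import json
import secrets
from typing import Optional
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_nonce() -> str:
    # Generated by the RP per Authentication Request and bound to the user's
    # session; the OP must echo it back in the ID Token if it was sent.
    return secrets.token_urlsafe(32)


def build_unsigned_id_token(claims: dict) -> str:
    # Constructed test token only ("alg": "none", empty signature segment).
    # A real ID Token is signed and its signature is verified before any
    # claim checks; that step is assumed to have happened already here.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(id_token: str) -> dict:
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def issuer_is_well_formed(issuer: str) -> bool:
    # OpenID Connect Core requires iss to be an https URL with no query or
    # fragment; a bare hostname such as "accounts.google.com" fails this check.
    parsed = urlparse(issuer)
    return (parsed.scheme == "https" and bool(parsed.netloc)
            and not parsed.query and not parsed.fragment)


def check_issuer(claims: dict, expected_issuer: str) -> None:
    # Exact, case-sensitive comparison against the statically configured issuer.
    if claims.get("iss") != expected_issuer:
        raise ValueError(
            f"ID Token issuer {claims.get('iss')!r} does not match {expected_issuer!r}")


def check_nonce(claims: dict, expected_nonce: Optional[str]) -> None:
    if expected_nonce is None:
        return  # no nonce was sent in the Authentication Request; nothing to compare
    if "nonce" not in claims:
        raise ValueError("ID token did not contain a nonce claim.")
    # Constant-time comparison on bytes (str comparison would raise on non-ASCII input).
    if not secrets.compare_digest(str(claims["nonce"]).encode("utf-8"),
                                  expected_nonce.encode("utf-8")):
        raise ValueError(
            "ID Token nonce does not match the value sent in the Authentication Request")


def validate_id_token(id_token: str, expected_issuer: str,
                      expected_nonce: Optional[str]) -> dict:
    # Returns the claims on success, raises ValueError on the first failed check.
    claims = id_token_claims(id_token)
    check_issuer(claims, expected_issuer)
    check_nonce(claims, expected_nonce)
    return claims


def id_token_error(id_token: str, expected_issuer: str,
                   expected_nonce: Optional[str]) -> Optional[str]:
    # Convenience wrapper: the failure message, or None when the token passes.
    try:
        validate_id_token(id_token, expected_issuer, expected_nonce)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    nonce = make_nonce()
    good = build_unsigned_id_token(
        {"iss": "https://op.example", "sub": "1234", "aud": "client-1", "nonce": nonce})
    print("ok, subject:", validate_id_token(good, "https://op.example", nonce)["sub"])
    missing = build_unsigned_id_token(
        {"iss": "https://op.example", "sub": "1234", "aud": "client-1"})
    print("rejected:", id_token_error(missing, "https://op.example", nonce))
```

The second token reproduces the failure Len saw: a nonce was sent, the OP dropped it, and the client refuses the token rather than silently skipping the replay check. Only when no nonce was sent at all does the absence of the claim pass.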
On 4/13/2014 9:33 PM, Len Takeuchi wrote:
>
> Justin,
>
> Thanks for your response to my question. So I tried what you suggested,
> which is to set up a static server and client configuration. One thing
> that happened was that Google's authorization URL doesn't accept a
> nonce, so I manually removed the nonce from the failed browser redirect
> to the Google authorization URL, submitted it manually, and I was able
> to go through the login process with Google. Then eventually I get an
> authentication failure back on my (MITRE) side: "ID token did not
> contain a nonce claim."
>
> Regards,
>
> Len
>
> From: Justin Richer [mailto:jricher at MIT.EDU]
> Sent: April-11-14 4:26 PM
> To: Len Takeuchi; mitreid-connect at mit.edu
> Subject: Re: [mitreid-connect] openid connect with google
>
> Len,
>
> I haven't personally tried connecting the client to Google yet, but I
> know that Google's implementation is out of spec on one thing: their
> issuer URL isn't a fully qualified URL, but rather just a hostname.
> They pushed the capability with that bug before the bug was caught,
> and now they're a little bit stuck with it until they can figure out
> how to transition people to the "right" version.
>
> I haven't tried this myself and I'm not sure if this will work, but
> you can try this:
>
> You could use a static issuer service and just point it at the Google
> issuer, "accounts.google.com", because I don't think that they do
> webfinger yet. You'd then need a static server configuration that
> includes the values in the openid-configuration document listed below,
> because the dynamic server configuration class won't be able to make a
> full URL out of Google's out-of-spec issuer string. Next, you'll need
> a client configuration, and I'm not sure if Google supports dynamic
> registration or not, but I don't think they do so you might need to
> register a client with google and set up a static client configuration
> bean as well. Wire all of those into your client's RP and try it out.
>
> -- Justin
>
> On 4/11/2014 7:17 PM, Len Takeuchi wrote:
>
> Hello,
>
> I'm trying to use mitreid-connect to do OpenID Connect with Google.
> In Google's documentation
> (https://developers.google.com/accounts/docs/OAuth2Login#discovery),
> they specify that there is a specific URL to get the discovery
> document:
>
> https://accounts.google.com/.well-known/openid-configuration
>
> I'm trying to work out what issuer service implementation I should
> use. Is it the webfinger issuer service that I should use, with the
> identifier being "accounts.google.com", or does Google having a
> specific URL to get the discovery document not fit with any of the
> issuer service implementations?
>
> Regards,
>
> Len
>