
Google Apps Account as OpenID


  1. Google Apps Account as OpenID
     Timothy Chien, http://blog.timc.idv.tw/, timdream@gmail.com, 2010-10-31
  2. Google Account as OpenID
     - It is a feature introduced a long time ago.
     - Everyone can paste https://www.google.com/accounts/o8/id and log in with it as their OpenID.
       – It will be discovered by the RP as a server endpoint and trigger an id_select login process.
       – You will be issued an OpenID such as https://www.google.com/accounts/o8/id?id=AItOwk...nqJOSI
  3. Google Account as OpenID

         <?xml version="1.0" encoding="UTF-8"?>
         <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
           <XRD>
             <Service priority="0">
               <Type>http://specs.openid.net/auth/2.0/server</Type>
               <Type>http://openid.net/srv/ax/1.0</Type>
               <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
               <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
               <Type>http://specs.openid.net/extensions/pape/1.0</Type>
               <URI>https://www.google.com/accounts/o8/ud</URI>
             </Service>
           </XRD>
         </xrds:XRDS>

  4. “id_select” process?
     - New* in OpenID 2.0, which was introduced back in 2007.
     - Indicates that the user wishes to use a specific OpenID IdP but does not know (or does not state) his own OpenID.
     - Therefore the “id_select” login process asks the OpenID IdP to select an ID for the user.
     - The other login process is the “signon” process.
  5. OpenID Discovery for Apps
     - Use this URL for server endpoint discovery: https://www.google.com/accounts/o8/site-xrds?hd=
       – You will be issued an OpenID such as http://example.com/openid?id=1234567890
       – Discovery info is hosted on the given URL so that the RP can verify that Google is not lying.
  6. User Discovery Information
     - Described extensively in docs from Google
       – http://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery
       – It even asks for the XRDS to be signed!
     - I made a PHP script for that
       – http://github.com/timdream/google-apps-openid
       – Works, but the XRDS generated is not signed
       – Hosting your own XRDS defeats the purpose of Google Apps
  7. User Discovery Information

         <?xml version="1.0" encoding="UTF-8"?>
         <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
           <XRD>
             <CanonicalID>http://example.com/openid?id=1234567890</CanonicalID>
             <Service priority="0">
               <Type>http://specs.openid.net/auth/2.0/signon</Type>
               <Type>http://openid.net/srv/ax/1.0</Type>
               <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
               <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
               <Type>http://specs.openid.net/extensions/pape/1.0</Type>
               <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
             </Service>
           </XRD>
         </xrds:XRDS>
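The two XRDS documents above drive two different flows on the RP side, and the user-discovery document is what lets the RP check that the asserting endpoint is really the one the identifier's own host names. The following is an added example, not code from the slides or from the author's PHP script: it parses shortened copies of both documents (constructed inline from slides 3 and 7), chooses between id_select and signon, and performs the post-assertion endpoint check; the function names and the second endpoint value are assumptions.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"           # default namespace used by the XRDS documents
SERVER = "http://specs.openid.net/auth/2.0/server"
SIGNON = "http://specs.openid.net/auth/2.0/signon"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed, shortened copies of the XRDS documents on slides 3 and 7.
OP_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
<Service priority="0"><Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://www.google.com/accounts/o8/ud</URI></Service></XRD></xrds:XRDS>"""
USER_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
<CanonicalID>http://example.com/openid?id=1234567890</CanonicalID>
<Service priority="0"><Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI></Service></XRD></xrds:XRDS>"""

def parse_xrds(doc):
    """Return (service types, OP endpoint URI, CanonicalID or None) of the first Service."""
    xrd = ET.fromstring(doc).find(XRD + "XRD")
    service = xrd.find(XRD + "Service")
    types = {t.text for t in service.findall(XRD + "Type")}
    return types, service.findtext(XRD + "URI"), xrd.findtext(XRD + "CanonicalID")

def plan_request(doc):
    """Pick the OpenID 2.0 flow the discovered service supports."""
    types, endpoint, canonical = parse_xrds(doc)
    if SERVER in types:       # OP identifier: let the OP choose the user's identifier
        return {"mode": "id_select", "op_endpoint": endpoint,
                "claimed_id": IDENTIFIER_SELECT, "identity": IDENTIFIER_SELECT}
    if SIGNON in types:       # user identifier: the claimed id is fixed in advance
        return {"mode": "signon", "op_endpoint": endpoint,
                "claimed_id": canonical, "identity": canonical}
    raise ValueError("no OpenID 2.0 service in XRDS")

def endpoint_authorized_for(claimed_id_xrds, op_endpoint):
    """Post-assertion check: re-run discovery on the asserted claimed_id (the XRDS
    hosted on the user's own domain) and accept only if the endpoint it names is
    the one that signed the assertion. Skipping this lets any OP assert any id."""
    types, endpoint, _ = parse_xrds(claimed_id_xrds)
    return SIGNON in types and endpoint == op_endpoint

if __name__ == "__main__":
    print(plan_request(OP_XRDS))
    print(plan_request(USER_XRDS))
    print(endpoint_authorized_for(USER_XRDS, "https://www.google.com/a/example.com/o8/ud?be=o8"))
    print(endpoint_authorized_for(USER_XRDS, "https://other-op.example/o8/ud"))  # assumed value
```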
  8. Google’s Discovery Proposal for Hosted Domains
     - Something involving a special file located at “/.well-known/host-meta”
     - Won’t work on current OpenID ecosystems unless you patch your RP library with a Google-supplied extension.
       – http://code.google.com/googleapps/marketplace/sso.html#gs
     - Not sure how it solves “Google might be lying”
  9. On User Interface
     - Trigger the “id_select” process whenever possible
       – URLs mean little to average users
       – Entering username/password in different steps seems strange
     - Possible UI
       – “Enter your e-mail to continue”
       – Buttons
     - Beware of the NASCAR effect
  10. example.com/jsmith, jsmith@example.com, example.com, jsmith.example.com
  11. Q&A
