Google Apps Account as OpenID

  1. Google Apps Account as OpenID
     Timothy Chien
     http://blog.timc.idv.tw/
     timdream@gmail.com
     2010-10-31

  2. Google Account as OpenID
     - It is a feature introduced a long time ago
     - Everyone can paste https://www.google.com/accounts/o8/id and log in with it as their OpenID
       - It will be discovered by the RP as a server endpoint and trigger an id_select login process
       - You will be issued an OpenID such as https://www.google.com/accounts/o8/id?id=AItOwk...nqJOSI

  3. Google Account as OpenID
     <?xml version="1.0" encoding="UTF-8"?>
     <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
       <XRD>
         <Service priority="0">
           <Type>http://specs.openid.net/auth/2.0/server</Type>
           <Type>http://openid.net/srv/ax/1.0</Type>
           <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
           <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
           <Type>http://specs.openid.net/extensions/pape/1.0</Type>
           <URI>https://www.google.com/accounts/o8/ud</URI>
         </Service>
       </XRD>
     </xrds:XRDS>

  4. "id_select" process?
     - New* in OpenID 2.0
       - Which was introduced back in 2007
     - Indicates that the user wishes to use a specific OpenID IdP, but does not know or state their own OpenID
     - Therefore the "id_select" login process asks the OpenID IdP to select an ID for the user
     - The other login process is the "signon" process

  5. OpenID Discovery for Apps
     - Use this URL https://www.google.com/accounts/o8/site-xrds?hd= for server endpoint discovery
       - You will be issued an OpenID such as http://example.com/openid?id=1234567890
       - Discovery info is hosted on the given URL so that the RP can verify that Google is not lying

  6. User Discovery Information
     - Described extensively in docs from Google
       - http://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery
       - It even asks for the XRDS to be signed!
     - I made a PHP script for that
       - http://github.com/timdream/google-apps-openid
       - Works, but the XRDS generated is not signed
       - Hosting your own XRDS defeats the purpose of Google Apps

  7. User Discovery Information
     <?xml version="1.0" encoding="UTF-8"?>
     <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
       <XRD>
         <CanonicalID>http://example.com/openid?id=1234567890</CanonicalID>
         <Service priority="0">
           <Type>http://specs.openid.net/auth/2.0/signon</Type>
           <Type>http://openid.net/srv/ax/1.0</Type>
           <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
           <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
           <Type>http://specs.openid.net/extensions/pape/1.0</Type>
           <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
         </Service>
       </XRD>
     </xrds:XRDS>

  8. Google's Discovery Proposal for Hosted Domains
     - Something involving a special file located at "/.well-known/host-meta"
     - Won't work on current OpenID ecosystems, unless you patch your RP library with a Google-supplied extension
       - http://code.google.com/googleapps/marketplace/sso.html#gs
     - Not sure how it solves "Google might be lying"

  9. On User Interface
     - Trigger the "id_select" process whenever possible
       - URLs mean little to average users
       - Entering username and password in different steps seems strange
     - Possible UI
       - "Enter your E-mail to continue"
       - Buttons
     - Beware of the NASCAR effect

  10. example.com/jsmith
      jsmith@example.com
      example.com
      jsmith.example.com

  11. Q&A
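The following is an added example, written for this page and not part of the original slide deck or of the author's PHP script. It shows the RP-side work the slides describe: parsing the two XRDS documents from slides 3 and 7 (embedded here as constructed samples with the slides' example values), classifying the discovered service as an id_select (server) or signon endpoint, checking that the CanonicalID in a user-discovery XRDS belongs to the host the document was fetched from (the "verify that Google is not lying" step from slide 5), and deriving the site-xrds discovery URL from the e-mail or domain a user types in the UI of slides 9 and 10. The function names and the host-match rule are this example's own assumptions; no live endpoint is contacted.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"
SITE_XRDS = "https://www.google.com/accounts/o8/site-xrds"

# Constructed sample: the server-endpoint XRDS from slide 3.
SERVER_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed sample: the user-discovery XRDS from slide 7 (example.com values).
USER_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <CanonicalID>http://example.com/openid?id=1234567890</CanonicalID>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def _q(tag):
    # Qualify a tag name with the XRD 2.0 default namespace.
    return "{%s}%s" % (XRD_NS, tag)


def parse_xrds(text):
    """Return the CanonicalID (if any) and the Service entries, lowest priority value first."""
    root = ET.fromstring(text.encode("utf-8"))
    xrd = root.find(_q("XRD"))
    if xrd is None:
        raise ValueError("no XRD element in XRDS document")
    canonical = xrd.findtext(_q("CanonicalID"))
    services = []
    for svc in xrd.findall(_q("Service")):
        types = [t.text.strip() for t in svc.findall(_q("Type")) if t.text]
        uri = svc.findtext(_q("URI"))
        if uri is None:
            continue  # a Service without a URI cannot be used as an endpoint
        services.append({"types": types, "uri": uri.strip(),
                         "priority": int(svc.get("priority", "0"))})
    services.sort(key=lambda s: s["priority"])
    return {"canonical_id": canonical.strip() if canonical else None,
            "services": services}


def classify(info):
    """Decide which OpenID 2.0 flow the discovered document calls for.

    Returns (mode, endpoint_uri, claimed_id): mode is "id_select" for a
    server endpoint (no identifier known yet) or "signon" for a user's own
    discovery document, whose CanonicalID becomes the claimed identifier.
    """
    for svc in info["services"]:
        if SERVER_TYPE in svc["types"]:
            return ("id_select", svc["uri"], None)
        if SIGNON_TYPE in svc["types"]:
            return ("signon", svc["uri"], info["canonical_id"])
    raise ValueError("no OpenID 2.0 server or signon service found")


def canonical_id_matches_host(info, fetched_from):
    """The user XRDS was fetched from a URL on the claimed domain; the
    CanonicalID it asserts must be on that same host, otherwise an IdP could
    hand out identifiers for a domain it does not actually serve."""
    cid = info["canonical_id"]
    if cid is None:
        return False
    return urlsplit(cid).netloc.lower() == urlsplit(fetched_from).netloc.lower()


def apps_discovery_url(user_input):
    """Turn what the user typed ("Enter your E-mail to continue", or a bare
    domain) into the hosted-domain discovery URL from slide 5."""
    value = user_input.strip().lower()
    domain = value.rsplit("@", 1)[1] if "@" in value else value
    if not domain or any(ch in domain for ch in "/ ?#"):
        raise ValueError("cannot derive a hosted domain from %r" % user_input)
    return SITE_XRDS + "?" + urlencode({"hd": domain})


if __name__ == "__main__":
    print(classify(parse_xrds(SERVER_XRDS)))
    user = parse_xrds(USER_XRDS)
    print(classify(user))
    print(canonical_id_matches_host(user, "http://example.com/openid?id=1234567890"))
    print(apps_discovery_url("jsmith@example.com"))
```

The host comparison is deliberately strict: it is the only part of this flow where the RP checks a claim against something the IdP does not control, which is the gap the slides raise about the host-meta proposal.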
