Closed GoogleCodeExporter closed 9 years ago
This may no longer be an issue, now that google apps is in transition the
following will work:
java.util.List discoveries = cm.discover(
"https://www.google.com/accounts/o8/id" );
Original comment by stephen....@gmail.com
on 30 Apr 2011 at 3:50
Actually I think implementing support for Google Apps domain endpoints would
still be of some benefit. It provides a mechanism to restrict Google accounts
to a specific domain as well as a way to switch accounts if already signed in
under a different account.
Original comment by shang.xi...@gmail.com
on 9 May 2011 at 3:15
@stephen
But with this URL, it is possible to do a logon with any google account. How
can I change this, to allow only logons with google accounts from my domain
(Google apps)?
Original comment by rodr...@q10.com.br
on 11 Oct 2011 at 2:00
Looks like a deployment/configuration issue, not library specific. Reopen with
more info if otherwise.
Original comment by Johnny.B...@gmail.com
on 31 Oct 2012 at 10:08
Right, so this is a library issue, no a deploy/configuration problem.
The specific thing that happens is Google's oauth endpoint returns an URL that
is based on the hosted domain, except your hosted domain is probably _not_
running openid. Instead, Google's OpenID endpoint also returns a base uri onto
which you append the openid url, and Google serves up the expected OpenID data.
For example, let's use google.com instead of example.com (only because I don't
want to run discovery for anybody's organization)
The discovery url would be:
https://google.com/accounts/o8/site-xrds?hd=google.com
The output from that is:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets"
/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
</ds:SignedInfo>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDLTCCApagAwIBAgIGR09PUAEgMA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNVBAYTAlVTMRMwEQYDVQQK
EwpHb29nbGUgSW5jMSIwIAYDVQQDExlHb29nbGUgSW50ZXJuZXQgQXV0aG9yaXR5MB4XDTEyMTAzMTAw
MDAwMFoXDTEyMTEwMjAwMDAwMFowVjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzAR
BgNVBAoTCkdvb2dsZSBJbmMxHTAbBgNVBAMTFGhvc3RlZC1pZC5nb29nbGUuY29tMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDAUzhAt+5eNx5AAXFZMxwIUR9wc3ACY8hHMkcZTYOhT9tJcoo2HuHXsgGQ
NmLZQkSA7p7LQlz5aM4GoXL9jOTeDJbbY+a2WOUNMPJQOe0OZM9kpAD8bBRxiVcUOJJdjMpYaUyZZ/VL
/LW+GF5wKkrHXaAYvS49g36IJIX+ed8/IwIDAQABo4IBFDCCARAwCQYDVR0TBAIwADAdBgNVHQ4EFgQU
Ci8WnKG/QQMpa1E9AELdlkXICEMwHwYDVR0jBBgwFoAUv8Aw6/VDET5nup6R+/xq2uNrEiQwWwYDVR0f
BFQwUjBQoE6gTIZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS9H
b29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcmwwZgYIKwYBBQUHAQEEWjBYMFYGCCsGAQUFBzAChkpodHRw
Oi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0
aG9yaXR5LmNydDANBgkqhkiG9w0BAQUFAAOBgQAFCTLrBvKCzH57X4TDWuKV9lyP79vIW8V1lXCdDzkF
BVhKJdjOTxBrhLPR6e+y0AIQxgvIz3EjVw21xhbBDHapzJD9ePhe2nBfxcuJZ9NCOcdZB5W5EHoDY0wp
6GvYkzQI6htu3pL3PAoBweJLx7yT9OgDOWESGPDKgqqKBXeuOg==</ds:X509Certificate>
<ds:X509Certificate>
MIICsDCCAhmgAwIBAgIDC2dxMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdF
cXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkw
NjA4MjA0MzI3WhcNMTMwNjA3MTk0MzI3WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIElu
YzEiMCAGA1UEAxMZR29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNfNFlOCnowzdDXxFdF
7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrbqeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC
7wFQeeT9adGnwKziV28CAwEAAaOBozCBoDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFL/AMOv1QxE+
Z7qekfv8atrjaxIkMB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/UMBIGA1UdEwEB/wQIMAYB
Af8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVj
YS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAuIojxkiWsRF8YHdeBZqrocb6ghwYB8TrgbCoZutJqOkM0ymt
9e8kTP3kS8p/XmOrmSfLnzYhLLkQYGfN0rTw8Ktx5YtaiScRhKqOv5nwnQkhClIZmloJ0pC3+gz4fnii
sIWvXEyZ2VxVKfmlUUIuOss4jHg7y/j7lYe8vJD5UDI=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<XRD>
<CanonicalID>google.com</CanonicalID>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
<Type>http://specs.openid.net/extensions/pape/1.0</Type>
<URI>https://www.google.com/a/google.com/o8/ud?be=o8</URI>
</Service>
<Service priority="0" xmlns:openid="http://openid.net/xmlns/2.5">
<Type>http://www.iana.org/assignments/relation/describedby</Type>
<MediaType>application/xrds+xml</MediaType>
<openid:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</ope
nid:URITemplate>
<openid:NextAuthority>hosted-id.google.com</openid:NextAuthority>
</Service>
</XRD>
</xrds:XRDS>
Look for the <openid:URITemplate> tag. The value is used by the library as the
base URL for the OpenID verification. Let's say that your openid identity url
is:
http://google.com/openid?id=112487520454524558290
You'd append that to the URITemplate, and perform validation against this url:
https://www.google.com/accounts/o8/user-xrds?uri=http://google.com/openid?id=112
487520454524558290
It's a large target market for this special use case, so it would be really
excellent to build it into the library directly.
Original comment by sodab...@gmail.com
on 31 Oct 2012 at 10:17
Therefore please reopen this issue.
Original comment by sodab...@gmail.com
on 31 Oct 2012 at 10:18
(Also, thank you for bringing some energy back to this library! I see a lot of
recent commits, and that's really really awesome and appreciated!)
Original comment by sodab...@gmail.com
on 31 Oct 2012 at 10:20
Jenkins (the continuous integration system) used this subclass / workaround,
but it's not necessarily the most concise approach:
https://github.com/jenkinsci/openid-plugin/commit/c2f725f9dd25462edf95a5e3a59759
538ab23136
https://github.com/jenkinsci/openid-plugin/compare/51272cc7dd48...c2f725f9dd25
Original comment by sodab...@gmail.com
on 31 Oct 2012 at 10:26
Hi Can anyone fix this issue in SONAR as well. Jenkins have this functionality
of login using specific domain (google apps) in openID. However SONAR does not
provide functionality of login using specific domain.
Original comment by pardeep....@hcentive.com
on 4 Mar 2013 at 11:26
Original issue reported on code.google.com by
stephen....@gmail.com
on 26 Apr 2011 at 11:43