LLG20111699 / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

compatibility with google app accounts with custom domains #151

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Sign up for Google Apps: http://www.google.com/apps/intl/en/group/index.html
2. Configure openid4java to use the Google Apps provider:
java.util.List discoveries = cm.discover( "https://www.google.com/accounts/o8/site-xrds?hd=example.com" );

What is the expected output?  Successful login

What do you see instead?
Received 2011-04-15 09:52:12,809 INFO  [ConsumerManager:1147] Received positive auth response.

2011-04-15 09:52:13,384 ERROR [OpenIdServlet:126] OpenID Error:
org.openid4java.discovery.yadis.YadisException: 0x706: GET failed on http://example.com/openid?id=112487520454524558290 :  404:HTTP/1.1 404 Not Found  at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:371)

What version of the product are you using? On what operating system? maven repository - linux

Please provide any additional information below.

Original issue reported on code.google.com by stephen....@gmail.com on 26 Apr 2011 at 11:43

GoogleCodeExporter commented 9 years ago

This may no longer be an issue, now that Google Apps is in transition; the following will work:

java.util.List discoveries = cm.discover( "https://www.google.com/accounts/o8/id" );

Original comment by stephen....@gmail.com on 30 Apr 2011 at 3:50

GoogleCodeExporter commented 9 years ago
Actually I think implementing support for Google Apps domain endpoints would 
still be of some benefit. It provides a mechanism to restrict Google accounts 
to a specific domain as well as a way to switch accounts if already signed in 
under a different account.

Original comment by shang.xi...@gmail.com on 9 May 2011 at 3:15

GoogleCodeExporter commented 9 years ago
@stephen

But with this URL, it is possible to do a logon with any google account. How 
can I change this, to allow only logons with google accounts from my domain 
(Google apps)?

Original comment by rodr...@q10.com.br on 11 Oct 2011 at 2:00

GoogleCodeExporter commented 9 years ago
Looks like a deployment/configuration issue, not library specific. Reopen with 
more info if otherwise.

Original comment by Johnny.B...@gmail.com on 31 Oct 2012 at 10:08

GoogleCodeExporter commented 9 years ago
Right, so this is a library issue, not a deploy/configuration problem.

The specific thing that happens is Google's OAuth endpoint returns a URL that is based on the hosted domain, except your hosted domain is probably _not_ running OpenID. Instead, Google's OpenID endpoint also returns a base URI onto which you append the OpenID URL, and Google serves up the expected OpenID data.

For example, let's use google.com instead of example.com (only because I don't want to run discovery for anybody's organization).

The discovery url would be:
https://google.com/accounts/o8/site-xrds?hd=google.com

The output from that is:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
</ds:SignedInfo>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDLTCCApagAwIBAgIGR09PUAEgMA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNVBAYTAlVTMRMwEQYDVQQK
EwpHb29nbGUgSW5jMSIwIAYDVQQDExlHb29nbGUgSW50ZXJuZXQgQXV0aG9yaXR5MB4XDTEyMTAzMTAw
MDAwMFoXDTEyMTEwMjAwMDAwMFowVjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzAR
BgNVBAoTCkdvb2dsZSBJbmMxHTAbBgNVBAMTFGhvc3RlZC1pZC5nb29nbGUuY29tMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDAUzhAt+5eNx5AAXFZMxwIUR9wc3ACY8hHMkcZTYOhT9tJcoo2HuHXsgGQ
NmLZQkSA7p7LQlz5aM4GoXL9jOTeDJbbY+a2WOUNMPJQOe0OZM9kpAD8bBRxiVcUOJJdjMpYaUyZZ/VL
/LW+GF5wKkrHXaAYvS49g36IJIX+ed8/IwIDAQABo4IBFDCCARAwCQYDVR0TBAIwADAdBgNVHQ4EFgQU
Ci8WnKG/QQMpa1E9AELdlkXICEMwHwYDVR0jBBgwFoAUv8Aw6/VDET5nup6R+/xq2uNrEiQwWwYDVR0f
BFQwUjBQoE6gTIZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS9H
b29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcmwwZgYIKwYBBQUHAQEEWjBYMFYGCCsGAQUFBzAChkpodHRw
Oi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0
aG9yaXR5LmNydDANBgkqhkiG9w0BAQUFAAOBgQAFCTLrBvKCzH57X4TDWuKV9lyP79vIW8V1lXCdDzkF
BVhKJdjOTxBrhLPR6e+y0AIQxgvIz3EjVw21xhbBDHapzJD9ePhe2nBfxcuJZ9NCOcdZB5W5EHoDY0wp
6GvYkzQI6htu3pL3PAoBweJLx7yT9OgDOWESGPDKgqqKBXeuOg==</ds:X509Certificate>
<ds:X509Certificate>
MIICsDCCAhmgAwIBAgIDC2dxMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdF
cXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkw
NjA4MjA0MzI3WhcNMTMwNjA3MTk0MzI3WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIElu
YzEiMCAGA1UEAxMZR29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNfNFlOCnowzdDXxFdF
7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrbqeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC
7wFQeeT9adGnwKziV28CAwEAAaOBozCBoDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFL/AMOv1QxE+
Z7qekfv8atrjaxIkMB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/UMBIGA1UdEwEB/wQIMAYB
Af8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVj
YS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAuIojxkiWsRF8YHdeBZqrocb6ghwYB8TrgbCoZutJqOkM0ymt
9e8kTP3kS8p/XmOrmSfLnzYhLLkQYGfN0rTw8Ktx5YtaiScRhKqOv5nwnQkhClIZmloJ0pC3+gz4fnii
sIWvXEyZ2VxVKfmlUUIuOss4jHg7y/j7lYe8vJD5UDI=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<XRD>
<CanonicalID>google.com</CanonicalID>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
<Type>http://specs.openid.net/extensions/pape/1.0</Type>
<URI>https://www.google.com/a/google.com/o8/ud?be=o8</URI>
</Service>
<Service priority="0" xmlns:openid="http://openid.net/xmlns/2.5">
<Type>http://www.iana.org/assignments/relation/describedby</Type>
<MediaType>application/xrds+xml</MediaType>
<openid:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</openid:URITemplate>
<openid:NextAuthority>hosted-id.google.com</openid:NextAuthority>
</Service>
</XRD>
</xrds:XRDS>

Look for the <openid:URITemplate> tag. The value is used by the library as the base URL for the OpenID verification. Let's say that your OpenID identity URL is:

http://google.com/openid?id=112487520454524558290

You'd append that to the URITemplate, and perform validation against this URL:

https://www.google.com/accounts/o8/user-xrds?uri=http://google.com/openid?id=112487520454524558290

It's a large target market for this special use case, so it would be really 
excellent to build it into the library directly.

Original comment by sodab...@gmail.com on 31 Oct 2012 at 10:17
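The discovery steps laid out in the comment above, and the domain-restriction question raised earlier in the thread (allowing only accounts from one Google Apps domain), as an added worked example. This is illustrative Python written for this page, not openid4java code and not Google's implementation. The XRDS sample is a constructed copy of the site-xrds document quoted above with the signature block removed; the `{%uri}` placeholder is filled with the percent-encoded claimed identifier (the comment shows the raw form), and the hosted-domain check is an assumed relying-party policy built only from fields visible in that document (CanonicalID, the `/a/<domain>/` OP endpoint path, and the claimed identifier's host).

```python
"""Hosted-domain OpenID discovery: parse a Google Apps site XRDS, build the user-xrds
URL from the URITemplate, and check that an asserted identity belongs to one domain.

Illustrative code for this thread; not openid4java and not Google's implementation.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlparse

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_NS = "http://openid.net/xmlns/2.5"
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"
DESCRIBEDBY_TYPE = "http://www.iana.org/assignments/relation/describedby"

# Constructed sample: the site-xrds for hd=google.com quoted in the thread, signature removed.
SITE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<CanonicalID>google.com</CanonicalID>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<URI>https://www.google.com/a/google.com/o8/ud?be=o8</URI>
</Service>
<Service priority="0" xmlns:openid="http://openid.net/xmlns/2.5">
<Type>http://www.iana.org/assignments/relation/describedby</Type>
<MediaType>application/xrds+xml</MediaType>
<openid:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</openid:URITemplate>
<openid:NextAuthority>hosted-id.google.com</openid:NextAuthority>
</Service>
</XRD>
</xrds:XRDS>
"""


def parse_site_xrds(xrds_text):
    """Extract the OP endpoint, the URITemplate and the NextAuthority from a site XRDS."""
    root = ET.fromstring(xrds_text)
    xrd = root.find(f"{{{XRD_NS}}}XRD")
    info = {
        "canonical_id": xrd.findtext(f"{{{XRD_NS}}}CanonicalID"),
        "op_endpoint": None,
        "uri_template": None,
        "next_authority": None,
    }
    for svc in xrd.findall(f"{{{XRD_NS}}}Service"):
        types = {t.text for t in svc.findall(f"{{{XRD_NS}}}Type")}
        if OP_SERVER_TYPE in types:
            info["op_endpoint"] = svc.findtext(f"{{{XRD_NS}}}URI")
        if DESCRIBEDBY_TYPE in types:
            info["uri_template"] = svc.findtext(f"{{{OPENID_NS}}}URITemplate")
            info["next_authority"] = svc.findtext(f"{{{OPENID_NS}}}NextAuthority")
    return info


def user_xrds_url(site_info, claimed_id):
    """URL the relying party must fetch to get the user's XRDS.

    With a URITemplate the claimed id is substituted (percent-encoded) into the template.
    Without one, plain Yadis discovery fetches the claimed id itself, which is the
    "GET failed on http://example.com/openid?id=... 404" seen in the original report,
    because the hosted domain does not serve OpenID documents.
    """
    template = site_info.get("uri_template")
    if not template:
        return claimed_id
    return template.replace("{%uri}", quote(claimed_id, safe=""))


def belongs_to_hosted_domain(claimed_id, site_info, hosted_domain):
    """Assumed relying-party policy: accept an identity only if it was discovered through
    the site XRDS of the intended hosted domain and the claimed id lives on that domain.
    """
    claimed_host = urlparse(claimed_id).hostname
    endpoint_path = urlparse(site_info.get("op_endpoint") or "").path
    return (
        claimed_host == hosted_domain
        and site_info.get("canonical_id") == hosted_domain
        and endpoint_path.startswith(f"/a/{hosted_domain}/")
    )


if __name__ == "__main__":
    info = parse_site_xrds(SITE_XRDS)
    cid = "http://google.com/openid?id=112487520454524558290"
    print(user_xrds_url(info, cid))
    print(belongs_to_hosted_domain(cid, info, "google.com"))
```

The domain check here is only the discovery half of the story: a relying party also has to compare the `openid.op_endpoint` in the signed positive assertion against the endpoint it discovered, which is what stops an account from another Google domain (or the generic `accounts/o8/id` endpoint) from satisfying a check that looks only at the claimed identifier.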

GoogleCodeExporter commented 9 years ago
Therefore please reopen this issue.

Original comment by sodab...@gmail.com on 31 Oct 2012 at 10:18

GoogleCodeExporter commented 9 years ago
(Also, thank you for bringing some energy back to this library! I see a lot of 
recent commits, and that's really really awesome and appreciated!)

Original comment by sodab...@gmail.com on 31 Oct 2012 at 10:20

GoogleCodeExporter commented 9 years ago
Jenkins (the continuous integration system) used this subclass / workaround, but it's not necessarily the most concise approach:

https://github.com/jenkinsci/openid-plugin/commit/c2f725f9dd25462edf95a5e3a59759538ab23136
https://github.com/jenkinsci/openid-plugin/compare/51272cc7dd48...c2f725f9dd25

Original comment by sodab...@gmail.com on 31 Oct 2012 at 10:26

GoogleCodeExporter commented 9 years ago
Hi, can anyone fix this issue in SONAR as well? Jenkins has this functionality of login using a specific domain (Google Apps) in OpenID. However, SONAR does not provide functionality of login using a specific domain.

Original comment by pardeep....@hcentive.com on 4 Mar 2013 at 11:26