Query OpenID from web application via GData API


Tyler Wilson

Sep 28, 2011, 10:51:54 PM
to google-app...@googlegroups.com
Good day,

We have a web application and associated Gmail gadget we are developing. We need a way to query the Google Apps domain for a user's OpenID so that we can properly associate that user with the requests that come in via the gadget. Unfortunately, I cannot find any way to get this information from Google Apps.

Anybody know how to do this, or have pointers to where I can read up on it?

Thank you,
Tyler

Gwyn Howell

Sep 29, 2011, 3:37:33 AM
to google-app...@googlegroups.com
I have done something similar. If this is a gadget to work only on one Google Apps domain, then you can set the auth method to "Restricted to the following Google Apps Domain" (when creating the App Engine app), then on page load check for the user object and, if it doesn't exist, do an auto redirect to the login URL and redirect back. For example:

from google.appengine.api import users

# inside a webapp RequestHandler method
user = users.get_current_user()
if user is None:
    # not signed in: bounce through the Google Apps login and come back to this URL
    self.redirect(users.create_login_url(self.request.uri))
    return

This will always work (and not end up in an infinite loop), as we know the user is logged in as the gadget is embedded in Gmail.

A similar mechanism can be used using OpenID, but when you embed the gadget in Gmail you will need to pass in the domain name, then query the domain name from your code and perform your OpenID instead of the redirect.

Andy "Rufus" Rothfusz

Sep 30, 2011, 2:24:25 PM
to google-app...@googlegroups.com
Hi Tyler,

Gwyn's answer is especially good if your back end is running on App Engine.  For the more general case where you are running your own servers, please see "Single sign-on within gadgets" and the surrounding information on Authentication Best Practices (http://code.google.com/googleapps/marketplace/best_practices.html)

The example gadget code includes extracting the domain of the current user.

/Rufus
--
Andy "Rufus" Rothfusz | Developer Programs Engineer | Google | Mountain View, CA

Alyxandor

Oct 6, 2011, 8:31:48 PM
to google-app...@googlegroups.com
Please refer to the AX_EMAIL and other AX parameters. Google OpenID will send a mail parameter back to your auth point.

Search the page for openid.ax.type.email

There is a known vulnerability with Attribute eXchange that can be avoided with libraries like Step2 or integrated App Engine login.
I'm not sure what libraries you are using to perform auth, so be aware that non-Google OpenID providers can easily spoof this to hack your app.
Since you are doing a Gmail gadget, so long as you do not allow users to enter any domain as OpenID provider, you should be OK...
But if users can, in any way, provide an arbitrary domain to log in with, you should use additional encryption options to ensure the AX email contains the same domain as the OpenID provider.

Also, note that Gmail gadgets (or at least the GWT Gmail gadgets I've built) use a proxy server for your requests, and it will have a new session ID with each request.
If you need to track an authenticated session, you may want to use cookies or store an in-memory copy of the authed session key and send it along with every request.

David Albrecht

Oct 6, 2011, 9:09:21 PM
to google-app...@googlegroups.com
Hi Alexander,

First things first, Google specifically addresses this point in their Authentication Best Practices document. Informed users will already be made aware of this problem with relying on AX.

In the second place, Google verifies that email addresses do, in fact, belong to accounts, so this is a non-issue for people building extensions/addons for the Google Apps platform.

The only time this could ever be a remote problem -- and I emphasize remote -- is if app authors are allowing federation with non-Google OpenID endpoints. We address this point in our app by checking that the OpenID endpoint is the Google one (not a third party's) to ensure the AX address can't be spoofed.

This isn't a big problem for most users of Google Apps. However, if you like solving these kinds of problems, come work for Wishery where we build on Google Apps, and treat security as a first-class concern.

DA

--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/2M6gKiLOw7MJ.



--
David R. Albrecht / albre...@gmail.com
http://davidralbrecht.com/
+1 (312) 445-0883
@davidralbrecht
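Alyxandor's warning and David's reply both come down to one relying-party check: the AX email in a positive assertion is only as trustworthy as the OP that signed it, so the RP must pin the expected endpoint and confirm the AX fields are inside the signed set before using the address. The Python 3 code below is an added example of that check, not code from the thread, from Google, or from Step2. It assumes an OpenID library has already verified openid.sig (via a stored association or check_authentication); it uses the consumer endpoint and the per-domain Google Apps endpoint URL pattern from Google's OpenID 2.0 documentation; and every sample assertion is constructed (rp.example.org, attacker.example.net, the nonce, handle and signature values are placeholders).

```python
"""Vet the AX email in an OpenID 2.0 positive assertion before trusting it.

Added illustration, not code from the thread. Assumes openid.sig has already
been verified by an OpenID library; these checks sit on top of that.
"""
from urllib.parse import parse_qsl, urlparse

# Endpoints from Google's OpenID 2.0 documentation (consumer accounts and
# the per-domain Google Apps form).
GOOGLE_CONSUMER_OP = "https://www.google.com/accounts/o8/ud"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL_TYPE = "http://axschema.org/contact/email"


def expected_op_endpoint(apps_domain=None):
    """The only OP endpoint whose AX claims we accept for this login."""
    if apps_domain is None:
        return GOOGLE_CONSUMER_OP
    return "https://www.google.com/a/%s/o8/ud" % apps_domain.lower()


def params_from_return_url(url):
    """Flatten the query string the OP redirected to return_to into a dict."""
    return dict(parse_qsl(urlparse(url).query, keep_blank_values=True))


def _ax_alias(params):
    """Alias the OP bound to the AX namespace (for example 'ext1'), or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def trusted_email(params, apps_domain=None):
    """Return the asserted email if every check passes, otherwise None.

    apps_domain is the Google Apps domain the gadget passed in; None means a
    consumer Google account was expected.
    """
    if params.get("openid.mode") != "id_res":
        return None
    # 1. The assertion must come from Google's endpoint for this login.
    #    Any other OP can put whatever it likes in the AX fields.
    if params.get("openid.op_endpoint") != expected_op_endpoint(apps_domain):
        return None
    # 2. Find the AX extension by namespace, not by a hard-coded alias.
    alias = _ax_alias(params)
    if alias is None:
        return None
    if params.get("openid.%s.type.email" % alias) != AX_EMAIL_TYPE:
        return None
    email = params.get("openid.%s.value.email" % alias, "")
    if not email:
        return None
    # 3. Every field we rely on must be listed in openid.signed; parameters
    #    outside that list are not covered by the signature at all.
    signed = set(params.get("openid.signed", "").split(","))
    needed = {"op_endpoint", "ns." + alias, alias + ".type.email", alias + ".value.email"}
    if not needed <= signed:
        return None
    # 4. For a Google Apps login the address must be in the OP's own domain
    #    (domain aliases configured in the Apps control panel would need to
    #    be added here).
    if apps_domain is not None:
        local_part, _, domain = email.rpartition("@")
        if not local_part or domain.lower() != apps_domain.lower():
            return None
    return email


# Constructed sample: what the per-domain endpoint for example.com would send.
GOOD = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://www.google.com/a/example.com/o8/ud",
    "openid.claimed_id": "https://www.google.com/a/example.com/openid?id=1234",
    "openid.identity": "https://www.google.com/a/example.com/openid?id=1234",
    "openid.return_to": "https://rp.example.org/auth/return",
    "openid.response_nonce": "2011-10-06T20:31:48Zplaceholder",
    "openid.assoc_handle": "assoc-handle-placeholder",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": AX_EMAIL_TYPE,
    "openid.ext1.value.email": "alice@example.com",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email",
    "openid.sig": "signature-placeholder",
}
# Same AX payload, asserted by an OP the attacker controls (constructed host).
SPOOFED_OP = {**GOOD, "openid.op_endpoint": "https://attacker.example.net/openid"}
# Google endpoint, but the AX fields were appended outside the signed list.
UNSIGNED_AX = {**GOOD, "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                                        "response_nonce,assoc_handle"}
# Google endpoint for example.com asserting an address in another domain.
CROSS_DOMAIN = {**GOOD, "openid.ext1.value.email": "alice@other.example"}
# Consumer-account assertion, for a login where no Apps domain was expected.
CONSUMER = {**GOOD, "openid.op_endpoint": GOOGLE_CONSUMER_OP,
            "openid.ext1.value.email": "bob@gmail.com"}

if __name__ == "__main__":
    print(trusted_email(GOOD, "example.com"))   # alice@example.com
    print(trusted_email(SPOOFED_OP, "example.com"), trusted_email(UNSIGNED_AX, "example.com"),
          trusted_email(CROSS_DOMAIN, "example.com"))   # None None None
    print(trusted_email(CONSUMER))   # bob@gmail.com
```

The gadget-supplied domain that Gwyn mentions is what makes step 1 possible: once the RP knows which Google Apps domain it is serving, there is exactly one endpoint it should accept assertions from, and an attacker-run OP that returns a Google-looking AX email fails before its claims are even read. Step 3 is the part libraries most often skip; OpenID 2.0 only signs the fields named in openid.signed, so an AX value outside that list carries no assurance even when the signature itself verifies.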