Hi all,
As this transition from OpenID 2.0 to OpenID Connect seems to be a
rather important issue, here is what I did to get old OpenID 2.0 user
identifiers from Google using Sylvain Medard's simpleSAMLphp module
(most of these things were already mentioned by Martin and others in
this thread, but I compiled them into one 'cookbook' to make things
clearer for other potential users).
First, you need to register your simpleSAMLphp as an OpenID Connect
consumer using Google Developers Console:
https://console.developers.google.com/
During the registration process, you must enter the OpenID 2.0
'openid.realm' value as one of the REDIRECT URI values. You must
also enable the Google+ API. For details please have a look at screenshots 1
and 2 in the attachment.
If you're not sure what the correct 'openid.realm' value for your
OpenID 2.0 consumer is, you can find it out by enabling the 'openid' (OpenID
2.0) module in simpleSAMLphp and using the SAML tracer Firefox addon
https://addons.mozilla.org/en-us/firefox/addon/saml-tracer/
to track traffic between your installation of simpleSAMLphp and Google
(screenshot 3).
Second, in your simpleSAMLphp 'authgoogle' module you have to make two
changes in the ../modules/authgoogle/lib/Auth/Source/Google.php script.
Add the following code to the 'finalStep' function:
...
$attributes = array();
// added by dvoncina
// The id_token is a compact JWS: header.payload.signature. The legacy
// OpenID 2.0 identifier lives in the 'openid_id' claim of the payload.
$encoded_token_info = explode( ".", $id_token );
if ( count( $encoded_token_info ) !== 3 ) {
    throw new Exception( 'id_token is not a three-segment JWS' );
}
$encoded_user_info = $encoded_token_info[1];
// payload is base64url without padding
$decoded_user_info = Google_Utils::urlSafeB64Decode( $encoded_user_info );
$json_decoded_user_info = json_decode( $decoded_user_info, true );
$attributes['openid'] = array( $json_decoded_user_info['openid_id'] );
// end of added code
$attributes['google_uid'] = array($userinfo['sub']);
$attributes['google_name'] = array($userinfo['name']);
...
Then, adjust the authentication request URI by adding the 'openid.realm'
parameter to the $authorizeURL variable. By doing this you're telling Google
that you also want the old OpenID 2.0 user identifier to be returned:
...
$scopes = 'openid profile email';
// modified by dvoncina, replace 'https://cat.eduroam.org' with your
// openid.realm value
$authorizeURL = 'https://accounts.google.com/o/oauth2/auth?'
    . 'client_id=' . urlencode($this->key)
    . '&redirect_uri=' . urlencode($this->linkback)
    . '&scope=' . urlencode($scopes)
    . '&response_type=code'
    . '&access_type=online'
    . '&state=' . urlencode($stateID)
    . '&openid.realm=' . urlencode('https://cat.eduroam.org');
// end of modified code
$session = SimpleSAML_Session::getInstance();
$session->setData('string', 'authStateId', $stateID);
...
Keep in mind that the 'openid.realm' value must be identical to the OpenID realm
that was used when your simpleSAMLphp was configured to use the old
'openid' authentication module instead of the 'authgoogle' module.
After you make the modifications described above, your OpenID Connect
consumer will also receive an old Google openid user identifier so your
application can perform internal mapping between old OpenID 2.0 (openid)
and new OAuth 2.0 (google_eppn) user identifiers.
Dubravko
----
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre,
www.srce.unizg.hr
dubravko...@srce.hr, tel: +385 98 219273, fax: +385 1 6165559
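The two steps from the post (adding openid.realm to the authorization request, and reading the openid_id claim out of the id_token payload next to the new sub identifier) as a stand-alone illustration. This is added example code in Python, not Dubravko's PHP patch and not part of simpleSAMLphp or Google's client library. The client ID, redirect URI, the openid_id value and the token contents are constructed samples; the realm mirrors the one in the post. The example also adds the checks the PHP snippet leaves implicit: the token must have three segments, and iss, aud and exp are validated before the identifiers are trusted. It still does not verify the signature, which is only acceptable because the id_token comes straight from Google's token endpoint over TLS (OpenID Connect Core 3.1.3.7); a token that arrived via the browser would have to be signature-checked.

```python
"""Requesting and reading the legacy OpenID 2.0 identifier (openid_id) from
a Google OpenID Connect id_token. Added example, not the post's own code."""
import base64
import json
import time
from urllib.parse import urlencode, urlparse, parse_qs

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
# Google has issued both forms of 'iss' over time.
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def build_authorize_url(client_id, redirect_uri, state, openid_realm):
    """Authorization request carrying the extra openid.realm parameter.

    openid_realm must equal the realm the old OpenID 2.0 consumer used;
    otherwise Google returns no openid_id claim."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "response_type": "code",
        "access_type": "online",
        "state": state,
        "openid.realm": openid_realm,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Single-valued view of a URL's query string (used to inspect requests)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_payload(id_token):
    """Return the claims of a compact JWS id_token (signature NOT verified)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment JWS")
    return json.loads(_b64url_decode(parts[1]))


def extract_identifiers(id_token, client_id, now=None):
    """Validate iss/aud/exp and return (sub, openid_id).

    openid_id is None when Google did not include it, e.g. when the realm
    in the request did not match the old OpenID 2.0 realm."""
    now = time.time() if now is None else now
    claims = decode_id_token_payload(id_token)
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token has expired")
    return claims["sub"], claims.get("openid_id")


def make_sample_id_token(claims):
    """Constructed token with Google's shape (header.payload.signature).
    The signature segment is a placeholder, not a real RS256 signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "constructed"}
    return enc(header) + "." + enc(claims) + ".c2lnbmF0dXJl"


# Constructed sample values (assumptions, not real accounts).
CLIENT_ID = "123456789.apps.googleusercontent.com"
REALM = "https://cat.eduroam.org"
SAMPLE_CLAIMS = {
    "iss": "accounts.google.com",
    "sub": "110169484474386276334",
    "aud": CLIENT_ID,
    "exp": 4102444800,  # far in the future so the sample stays valid
    "openid_id": "https://www.google.com/accounts/o8/id?id=AItOawnExample",
}
SAMPLE_ID_TOKEN = make_sample_id_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(build_authorize_url(CLIENT_ID, "https://sp.example.org/linkback",
                              "state123", REALM))
    # The pair returned here is what the application stores to map the
    # old OpenID 2.0 identifier to the new OIDC 'sub'.
    print(extract_identifiers(SAMPLE_ID_TOKEN, CLIENT_ID))
```

In a real deployment the mapping table is keyed on the openid_id string exactly as the old 'openid' module stored it, so compare the realm and the stored identifiers byte for byte rather than after any normalisation.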