Google auth (OpenID Connect support)


Stefan Winter

Jan 12, 2015, 1:49:42 AM
to simple...@googlegroups.com
Hello,

just touching base on the issue of Google dropping OpenID in favour of
OpenID Connect and the need to migrate user IDs to Connect-style.

I notice that the April deadline that Google has set is coming closer...
but there's no OpenID Connect consumer in SSP's git yet? And if
anything, the OpenID consumer has gone away entirely?

Last time I asked here on the list, I was told something's coming up and
OIDC will be supported in SSP some time soon. Any ETA?

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Dick Visser

Jan 12, 2015, 10:53:15 AM
to simplesamlphp
Hi Stefan

We're also facing this issue with our SP proxy, which includes a
Google login option, which is based on the soon-to-die OpenID.

After some testing with Sylvain Medard's module at
https://github.com/sylvainmed/simplesamlphp/tree/master/modules/authgoogle
we implemented that.

The problem was, as you already found out, that the ID Google returns
isn't available any more.

We were able to 'work around' it by using the e-mail address instead -
these are the same with both modules.

That new authgoogle module is now part of a bigger git repository.
We plan to give it a new home under the GÉANT Git repository (once we
set that up) and set that up in such a way that it can be installed
with composer.

Dick
> --
> You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
> To post to this group, send email to simple...@googlegroups.com.
> Visit this group at http://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/d/optout.



--
Dick Visser
Sr. System & Networking Engineer
GÉANT Association, Amsterdam Office (formerly TERENA)
Singel 468D, 1017 AW Amsterdam, the Netherlands
Tel: +31 (0) 20 530 4488

GÉANT Association
Networking. Services. People.

Learn more at: http://www.géant.org

Stefan Winter

Jan 13, 2015, 6:05:52 AM
to simple...@googlegroups.com
Hi,

> We're also facing this issue with our SP proxy, which includes a
> Google login option, which is based on the soon-to-die OpenID.
>
> After some testing with Sylvain Medard's module at
> https://github.com/sylvainmed/simplesamlphp/tree/master/modules/authgoogle
> we implemented that.

Looks good. It might need a bit more love, but great to see that it works.

One of the things it doesn't do is "dynamic discovery" of metadata.
OpenID Connect uses IETF "well-known locations" (a bit like the DNS
NAPTR thing that we do in RADIUS, but much less fancy and web-based) for
much of the metadata discovery, but some of the paths are hardcoded into
the module. The discovery part in the module is in comments:

// Google Discovery Document
/*$dd = 'https://accounts.google.com/.well-known/openid-configuration';
$xmlddresponse = $this->curl_file_get_contents($dd);
SimpleSAML_Logger::debug('Google Response: '.$xmlddresponse);*/

But... why? The contents of this file contain Google's OIDC metadata
collection, and when Google moves its URLs, consumers can get the notice
immediately.

Instead, there is e.g. this LOC:

const federated_signon_certs_url =
'https://www.googleapis.com/oauth2/v1/certs';

And... it is meanwhile outdated! Browsing to the well-known URL shows
that there is a new URL there: https://www.googleapis.com/oauth2/v2/certs

> The problem was like you already found out, the ID that Google returns
> isn't available any more.
>
> We were able to 'work around' it by using the e-mail address instead -
> these are the same with both modules.

Google has a transition master plan which details how to migrate from
old-style to new-style identifiers; someone just needs to take some
module code in his hands and implement it. The plan is here:

https://developers.google.com/accounts/docs/OpenID#openid-connect

The crucial part is:

"When you construct your OpenID Connect authentication URI, include an
extra argument, the openid.realm parameter. Use the same value that you
used for the openid.realm parameter in your OpenID 2.0 requests."

You then get a new-style ID still, but as an extra attribute the
old-style ID.

The module could save both so that a dictionary with the mappings can be
built over time as people log in.

> That new authgoogle module is now part of a bigger git repository.
> We plan to give it a new home under the GÉANT Git repository (once we
> set that up) and set that up in such a way that it can be installed
> with composer.

All with the (short) April deadline in mind?

Stefan
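The discovery-driven setup Stefan argues for above, written out as an added example (this is not code from the authgoogle module or from simpleSAMLphp): the discovery document is parsed, its issuer and endpoints are checked, and the URL the module hard-codes is compared against the advertised jwks_uri so that a move such as v1/certs to v2/certs is reported instead of silently breaking signature checks. The JSON document, the fetchJson() helper and the constant names are constructed for this example; a deployment would fetch the real document at the well-known URL over verified TLS and cache it.

```php
<?php
// Added example: resolve Google's OIDC endpoints from the discovery document
// rather than hard-coding them. The JSON below is a constructed, trimmed
// stand-in for https://accounts.google.com/.well-known/openid-configuration
// so the example runs offline; discoverEndpoints() is the online entry point.

const DISCOVERY_URL       = 'https://accounts.google.com/.well-known/openid-configuration';
const EXPECTED_ISSUER     = 'https://accounts.google.com';
// The value the module hard-codes today; used only to detect drift.
const HARDCODED_CERTS_URL = 'https://www.googleapis.com/oauth2/v1/certs';

$constructedDiscoveryDocument = <<<'JSON'
{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/auth",
  "token_endpoint": "https://www.googleapis.com/oauth2/v3/token",
  "jwks_uri": "https://www.googleapis.com/oauth2/v2/certs",
  "id_token_signing_alg_values_supported": ["RS256"]
}
JSON;

function fetchJson(string $url): string
{
    // TLS verification stays on: this document tells us where the signing
    // keys live, so an unverified fetch would let a network attacker
    // substitute keys of their own.
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        throw new RuntimeException("fetching $url failed (HTTP $code)");
    }
    return $body;
}

function parseDiscoveryDocument(string $json, string $expectedIssuer): array
{
    $doc = json_decode($json, true);
    if (!is_array($doc)) {
        throw new RuntimeException('discovery document is not valid JSON');
    }
    // The issuer must be the one we configured; it is also the value an
    // id_token's iss claim is compared against later.
    if (($doc['issuer'] ?? null) !== $expectedIssuer) {
        throw new RuntimeException('unexpected issuer in discovery document');
    }
    foreach (['authorization_endpoint', 'token_endpoint', 'jwks_uri'] as $field) {
        $value = $doc[$field] ?? '';
        if (!is_string($value) || strpos($value, 'https://') !== 0) {
            throw new RuntimeException("$field missing or not https");
        }
    }
    $algs = $doc['id_token_signing_alg_values_supported'] ?? [];
    if (!is_array($algs) || !in_array('RS256', $algs, true)) {
        throw new RuntimeException('issuer does not advertise RS256');
    }
    return $doc;
}

function endpointsFromDiscovery(array $doc): array
{
    if ($doc['jwks_uri'] !== HARDCODED_CERTS_URL) {
        // Exactly the drift noted in the thread (v1/certs vs v2/certs).
        error_log('warning: hard-coded certs URL ' . HARDCODED_CERTS_URL
            . ' differs from discovered jwks_uri ' . $doc['jwks_uri']);
    }
    return [
        'authorize' => $doc['authorization_endpoint'],
        'token'     => $doc['token_endpoint'],
        'jwks'      => $doc['jwks_uri'],
    ];
}

// Online entry point for a deployment; cache its result for a few hours
// rather than calling it on every login.
function discoverEndpoints(): array
{
    return endpointsFromDiscovery(
        parseDiscoveryDocument(fetchJson(DISCOVERY_URL), EXPECTED_ISSUER));
}

// Offline run against the constructed document.
print_r(endpointsFromDiscovery(
    parseDiscoveryDocument($constructedDiscoveryDocument, EXPECTED_ISSUER)));
```

The issuer check matters more than it looks: whoever controls the document controls jwks_uri, so the document must only ever be accepted from the issuer you configured and over a verified connection.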

ml...@ebridge.sk

Jan 15, 2015, 3:03:10 AM
to simple...@googlegroups.com
Hi,
At the moment I'm working on upgrading our implementation from Google OpenID to OAuth 2.0 using SimpleSAMLphp, and I found that there is an issue with receiving the old OpenID identifiers of our users. I haven't found a solution which works for us yet. The problem is probably that openid.realm is not matched, or Google has stopped providing the old OpenID [who knows?]. In this state, the only way to tell whether a user is accessing an account created based on OpenID is to compare the email.

Martin

Stefan Winter

Jan 15, 2015, 3:10:12 AM
to simple...@googlegroups.com
Hi,

> at this time, i'm working on implementation upgrade from Google OpenID
> to oAuth2.0 using SimpleSAMLphp and i found that, there is issue
> regarding receiving old openID identifier of our users. I didn't find
> solution which will work for us yet. Problem is probably because
> openid.realm is not matched or Google stop to provide old openID [who
> knows?].

Google knows :-) Their migration time table at
https://developers.google.com/+/api/auth-migration#timetable states:

"However, mapping of OpenID 2.0 identifiers to OAuth 2.0 identifiers
will continue to work until January 1, 2017. "

> In this status, only one way how to resolve if user is
> accessing account created based on openID is to compare email.

My guess would be that the realm used in OpenID 2.0 is not the same as
you set in openid.realm?

Stefan

ml...@ebridge.sk

Jan 15, 2015, 3:26:10 AM
to simple...@googlegroups.com
Thanks Stefan.
That's the whole problem. I'm not sure, but when I checked my old authentication process (still working), I'm sending the same realm as I used in the new setup, but we are not receiving any openid_id.

Just to be sure:
I'm sending openid.realm in the authenticate() function of the Google.php script as follows:

$authorizeURL = 'https://accounts.google.com/o/oauth2/auth?'
    . 'openid.realm=' . urlencode($this->openIDrealm)
    . '&client_id=' . urlencode($this->key)
    . '&redirect_uri=' . urlencode($this->linkback)
    . '&scope=' . urlencode($this->scope)
    . '&response_type=code'
    . '&access_type=online'
    . '&state=' . urlencode($stateID);

and I also tried to send it in the finalStep() function like this:

$url = 'https://www.googleapis.com/plus/v1/people/me/openIdConnect?access_token=' . $accesstoken . '&openid.realm=' . urlencode($this->openIDrealm);

I added the same realm to the Google developer console of the new project under Credentials / "redirect URIs".

But no results. 

Do you have positive experience with receiving openid_id field?

Martin

Stefan Winter

Jan 15, 2015, 4:36:19 AM
to simple...@googlegroups.com
Hi,

> I added same realm to Google developer console of new project under
> Credentials "redirect uris"
>
> But no results.
>
> Do you have positive experience with receiving openid_id field?

No; I only read that this is how it should work.

Assuming that $this->openIDRealm is actually set to what was previously
the config item authsources / google / realm (defaulted to
"http://*.example.org") then this would look correct.

Formatting might be biting you as you use urlencode and the realm
contains to-be-escaped characters. If you have any way to verify what is
actually going onto the wire, that would certainly help. Not so totally
easy with https URLs though.

Stefan

ml...@ebridge.sk

Jan 15, 2015, 5:11:32 AM
to simple...@googlegroups.com
It looks to me like it is only written down, but I'm not able to find anybody who has a working solution :(.

I tried to find a contact at Google support for this, but I found only a toll service (phone/email). It would be great to get the right info about my realm values stored by Google, or whether there is a bug. Because it is incomprehensible to me to not receive any openid_id field (even a wrong one), or an error, or anything.

Martin

ml...@ebridge.sk

Jan 15, 2015, 5:16:39 AM
to simple...@googlegroups.com
And I forgot: our realm is secured [https], but I hope this is not an issue :-/

Martin

ml...@ebridge.sk

Jan 15, 2015, 7:22:47 AM
to simple...@googlegroups.com
Finally I found a solution!

1. Google doesn't return the openid_id field [for me] in the authenticate response; I don't know whether this is intended or a bug
2. so you can find the openid_id value just by decoding the id_token value using a JWT decoder [$json_body = Google_Utils::urlSafeB64Decode($segments[1]);]

The id_token consists of these values: [0] envelope; [1] payload; [2] signature

The SimpleSAMLphp authgoogle module does this, but it does not return the payload value. My working solution was to return $payload at the end of the verifySignedJwtWithCerts() function, and inside the finalStep() function I added the $payload['openid_id'] value to $attributes, which are returned to me after a successful sign-in process :))

Now I can easily map the new SUB id to the old OpenID provided by Google.

Hope this helps

Martin

Stefan Winter

Jan 15, 2015, 8:09:41 AM
to simple...@googlegroups.com
Hi,

good to hear that it works!

Now what would be very convenient would be:
* store old <-> new mapping into a sqlite DB

and have an option in the module to state:
* return old identifiers as ID
* return new identifiers as ID

One could keep SSP running with old identifiers until the shutdown day
(April), collecting all/many/frequently used user ID bindings in the
meantime; and on flag day, switch to new identifiers in your
application, and start using the new ones from then on. Users which have
logged in in the meantime are transitioned automatically.

That would enable a smooth(ish) transition. Its smoothness is smoother
the earlier it's in place, because then more users can be automatically
mapped from old to new ID.

Stefan


Dubravko Vončina

Feb 13, 2015, 1:35:12 PM
to simple...@googlegroups.com, stefan...@restena.lu, twoln@umk.pl >> Tomasz Wolniewicz
Hi all,

As this transition from OpenID 2.0 to OpenID Connect seems to be a
rather important issue, here is what I did to get old OpenID 2.0 user
identifiers from Google using Sylvain Medard's simpleSAMLphp module
(most of these things were already mentioned by Martin and others in
this thread, but I compiled them into one 'cookbook' to make things
clearer for other potential users).

First, you need to register your simpleSAMLphp as an OpenID Connect
consumer using Google Developers Console:

https://console.developers.google.com/

During the registration process, you must enter OpenID 2.0
'openid.realm' parameter as one of the REDIRECT URI values. You must
also enable Google+ API. For details please have a look at screenshots 1
and 2 in the attachment.

If you're not sure what is the correct 'openid.realm' value for your
OpenID 2.0 consumer, you can find it out by enabling 'openid' (OpenID
2.0) module in simpleSAMLphp and using SAML tracer Firefox addon

https://addons.mozilla.org/en-us/firefox/addon/saml-tracer/

to track traffic between your installation of simpleSAMLphp and Google
(screenshot 3).

Second, in your simpleSAMLphp 'authgoogle' module you have to make two
changes in ../modules/authgoogle/lib/Auth/Source/Google.php script.

Add the following code to 'finalStep' function:


...
$attributes = array();

// added by dvoncina
$encoded_token_info = explode( ".", $id_token );
$encoded_user_info = $encoded_token_info[1];
$decoded_user_info = Google_Utils::urlSafeB64Decode( $encoded_user_info );
$json_decoded_user_info = json_decode( $decoded_user_info, true );
$attributes['openid'] = array( $json_decoded_user_info['openid_id'] );
// end of added code

$attributes['google_uid'] = array($userinfo['sub']);
$attributes['google_name'] = array($userinfo['name']);
...


Then, adjust the authentication request URI by adding 'openid.realm'
parameter to $authorizeURL variable. By doing this you're telling Google
that you also want an old OpenID 2.0 user identifier to be returned:


...
$scopes = 'openid profile email';

// modified by dvoncina, replace 'https://cat.eduroam.org' with your
openid.realm value
$authorizeURL = 'https://accounts.google.com/o/oauth2/auth?'
    . 'client_id=' . urlencode($this->key)
    . '&redirect_uri=' . urlencode($this->linkback)
    . '&scope=' . urlencode($scopes)
    . '&response_type=code'
    . '&access_type=online'
    . '&state=' . urlencode($stateID)
    . '&openid.realm=' . urlencode('https://cat.eduroam.org');
// end of modified code

$session = SimpleSAML_Session::getInstance();
$session->setData('string', 'authStateId', $stateID);
...


Keep in mind that 'openid.realm' value must be identical to OpenID realm
which was used when your simpleSAMLphp was configured to use old
'openid' authentication module instead of 'authgoogle' module.

After you make the modifications described above, your OpenID Connect
consumer will also receive an old Google openid user identifier so your
application can perform internal mapping between old OpenID 2.0 (openid)
and new OAuth 2.0 (google_eppn) user identifiers.

Dubravko

----
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko...@srce.hr, tel: +385 98 219273, fax: +385 1 6165559
screenshot_1.png
screenshot_2.png
screenshot_3.png
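The two halves of Dubravko's cookbook (the authorization request carrying openid.realm, and reading openid_id next to sub out of the id_token), together with the migration step Stefan quoted from Google's plan and the payload decoding Martin described, put together as one added example. This is not code from Sylvain Medard's authgoogle module. One deliberate difference from the snippet above, which reads the second id_token segment directly: here the claims are only returned after the RS256 signature, issuer, audience and expiry have been checked, which is the job verifySignedJwtWithCerts() exists for. The signing key, the kid, the client_id, the redirect URI, the realm and every identifier value are generated or constructed locally so the example runs offline; the kid => PEM map stands in for the keys published at the jwks_uri from Google's discovery document.

```php
<?php
// Added example, not code from the authgoogle module. See the lead-in for
// what is constructed: key material, kid, client_id, realm and identifiers.

function base64urlEncode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64urlDecode(string $str): string
{
    $padded = strtr($str, '-_', '+/') . str_repeat('=', (4 - strlen($str) % 4) % 4);
    $out = base64_decode($padded, true);
    if ($out === false) {
        throw new RuntimeException('bad base64url segment');
    }
    return $out;
}

// Same request the module sends, plus openid.realm. Its value must be
// byte-for-byte the realm the OpenID 2.0 consumer used, or no openid_id comes back.
function buildAuthorizeUrl(string $endpoint, string $clientId, string $redirectUri,
                           string $state, string $openidRealm): string
{
    return $endpoint . '?' . http_build_query([
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => 'openid profile email',
        'response_type' => 'code',
        'access_type'   => 'online',
        'state'         => $state,
        'openid.realm'  => $openidRealm,
    ], '', '&', PHP_QUERY_RFC3986);
}

// Verify an id_token and return its claims. $publicKeys maps kid => PEM public key.
function verifyIdToken(string $idToken, array $publicKeys, string $clientId, int $now): array
{
    $parts = explode('.', $idToken);
    if (count($parts) !== 3) {
        throw new RuntimeException('id_token must be header.payload.signature');
    }
    [$h, $p, $s] = $parts;
    $header  = json_decode(base64urlDecode($h), true);
    $payload = json_decode(base64urlDecode($p), true);
    if (!is_array($header) || !is_array($payload)) {
        throw new RuntimeException('header or payload is not JSON');
    }
    // Pin the algorithm; the token must not get to pick 'none' or an HMAC alg.
    if (($header['alg'] ?? '') !== 'RS256') {
        throw new RuntimeException('unexpected alg');
    }
    $kid = (string) ($header['kid'] ?? '');
    if (!isset($publicKeys[$kid])) {
        throw new RuntimeException('unknown kid; refresh keys from jwks_uri');
    }
    if (openssl_verify("$h.$p", base64urlDecode($s), $publicKeys[$kid], OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature verification failed');
    }
    // Google has issued tokens with either spelling of the issuer.
    if (!in_array($payload['iss'] ?? '', ['accounts.google.com', 'https://accounts.google.com'], true)) {
        throw new RuntimeException('wrong issuer');
    }
    if (($payload['aud'] ?? '') !== $clientId) {
        throw new RuntimeException('token was issued to a different client');
    }
    if (!isset($payload['exp']) || $payload['exp'] <= $now) {
        throw new RuntimeException('token expired');
    }
    return $payload;
}

// What finalStep() would add to $attributes: the new identifier always, the
// OpenID 2.0 one only while Google still maps the realm. Absence is not an
// error; it means there is no mapping to record for this login.
function identifiersFromClaims(array $claims): array
{
    return [
        'google_uid' => [$claims['sub']],
        'openid'     => isset($claims['openid_id']) ? [$claims['openid_id']] : [],
    ];
}

// Local stand-in for the issuer, only so the example is runnable offline.
function mintTestToken(array &$publicKeys, array $claims): string
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $publicKeys['demo-kid'] = openssl_pkey_get_details($key)['key'];
    $h = base64urlEncode(json_encode(['alg' => 'RS256', 'kid' => 'demo-kid']));
    $p = base64urlEncode(json_encode($claims));
    openssl_sign("$h.$p", $sig, $key, OPENSSL_ALGO_SHA256);
    return "$h.$p." . base64urlEncode($sig);
}

$clientId = 'demo-client-id.apps.googleusercontent.com';  // constructed
$keys  = [];
$token = mintTestToken($keys, [
    'iss' => 'https://accounts.google.com',
    'aud' => $clientId,
    'sub' => '100000000000000000001',                                       // constructed
    'openid_id' => 'https://www.google.com/accounts/o8/id?id=AItOawlDEMO', // constructed
    'iat' => time(),
    'exp' => time() + 300,
]);
print_r(identifiersFromClaims(verifyIdToken($token, $keys, $clientId, time())));
echo buildAuthorizeUrl('https://accounts.google.com/o/oauth2/auth', $clientId,
    'https://sp.example.org/simplesaml/module.php/authgoogle/linkback.php',
    bin2hex(random_bytes(8)), 'https://sp.example.org'), "\n";
```

A realm mismatch does not produce an error from Google, only a token without the openid_id claim, which is what Martin observed; so treat the empty 'openid' attribute as "no mapping available for this user yet" and keep the e-mail comparison as the fallback, rather than as a failed login.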

Jaime Perez Crespo

Mar 3, 2015, 5:45:27 AM
to simple...@googlegroups.com, stefan...@restena.lu, twoln@umk.pl >> Tomasz Wolniewicz
Hi Dubravko & all,

I was wondering whether it makes sense to have this as a more elaborate tutorial part of SimpleSAMLphp documentation, so that users can benefit from these guidelines directly. What do you think?

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

signature.asc

Dubravko Vončina

Mar 6, 2015, 12:50:37 PM
to simple...@googlegroups.com
Hello Jaime,

I'm not sure I understand what exactly do you mean when you say that
this could be turned into a more elaborate tutorial part of
simpleSAMLphp documentation, but I agree with anything that will make
things easier for people who want to implement support for Google
authentication in simpleSAMLphp.
And of course, if I can help in any way, I'd be glad to do so.

Dubravko

---
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko...@srce.hr, tel: +385 98 219273, fax: +385 1 6165559


Jaime Perez Crespo

Mar 9, 2015, 9:22:34 AM
to simple...@googlegroups.com
Hi Dubravko,

> On 06 Mar 2015, at 18:50 pm, Dubravko Vončina <dubravko...@srce.hr> wrote:
> Hello Jaime,
>
> I'm not sure I understand what exactly do you mean when you say that this could be turned into a more elaborate tutorial part of simpleSAMLphp documentation, but I agree with anything that will make things easier for people who want to implement support for Google authentication in simpleSAMLphp.
> And of course, if I can help in any way, I'd be glad to do so.

What I’m basically thinking is that many people would need to go through this process, so having some notes to guide them should be helpful. So I thought it might make sense to put your notes together as a bit more elaborate document included in the documentation. Would you be able to prepare something like that and submit a pull request?
signature.asc

Stefan Winter

Apr 8, 2015, 2:26:28 AM
to simple...@googlegroups.com, twoln@umk.pl >> Tomasz Wolniewicz
Hi,

this guide really made my day! I just followed it 1:1 and got Google
OIDC auth working :-)

> After you make the modifications described above, your OpenID Connect
> consumer will also receive an old Google openid user identifier so your
> application can perform internal mapping between old OpenID 2.0 (openid)
> and new OAuth 2.0 (google_eppn) user identifiers.

Regarding this mapping, it's probably worth noting on the list that the
old "openid" identifiers are not sent by Google for eternity! They are
only in the responses until 01 Jan 2017; so everyone who now thinks
"ah, I just use the openid attribute and lean back" will need to think
again in a year or so.
In my own deployment, I decided to log both identifiers into a tiny SQL
table. Now I keep recording both the old and new identifiers as people
log in. The rest of my database currently uses the old identifiers for
user identification; but at some point near 01 Jan 2017, I can do a
simple flag day operation which rewrites my database entries with
the new identifiers that my table learned over the past year. A sample
table to record things is:

DROP TABLE IF EXISTS `usermapping`;

CREATE TABLE `usermapping` (
`rowindex` int(11) NOT NULL AUTO_INCREMENT,
`old_id` varchar(256) NOT NULL DEFAULT 'UNKNOWN',
`new_id` varchar(256) NOT NULL DEFAULT 'UNKNOWN',
PRIMARY KEY (`rowindex`),
UNIQUE KEY `openid` (`old_id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

And the SQL, just after having performed authentication, is as simple as:

DBConnection::exec("EXTERNAL", "INSERT INTO usermapping (old_id, new_id)
    VALUES('$user', '" . $admininfo['google_eppn'][0] . "')
    ON DUPLICATE KEY UPDATE new_id = '" . $admininfo['google_eppn'][0] . "'");

(the function DBConnection::exec is my own code, use your own SQL
caller! :-) )

Greetings,

Stefan Winter
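Stefan's collect-then-flag-day scheme above, as an added example that is not his code: the same usermapping idea on an in-memory SQLite database through PDO, with both identifiers bound as parameters rather than concatenated into the SQL string (the new identifier is an e-mail address when google_eppn is used, and e-mail local parts may legitimately contain quotes). The users table, the identifier values and the function names are constructed for the example; the pdo_sqlite extension is assumed. A last_seen column is added so that, when the old identifiers stop arriving on 01 Jan 2017, stale mappings can be told apart from recent ones.

```php
<?php
// Added example, not Stefan's DBConnection code. Everything below is
// constructed: the tables, the identifiers and the helper names.

function openMappingDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE usermapping (
        old_id    TEXT PRIMARY KEY,
        new_id    TEXT NOT NULL,
        last_seen INTEGER NOT NULL)');
    // Stand-in for the application's own table, still keyed by the OLD identifier.
    $pdo->exec('CREATE TABLE users (user_id TEXT PRIMARY KEY, display_name TEXT)');
    return $pdo;
}

// Call right after a successful login while both identifiers are delivered.
// Bound parameters: neither identifier is ever interpolated into the SQL.
function recordMapping(PDO $pdo, string $oldId, string $newId, int $now): void
{
    $stmt = $pdo->prepare('INSERT OR REPLACE INTO usermapping (old_id, new_id, last_seen)
        VALUES (:old, :new, :now)');
    $stmt->execute([':old' => $oldId, ':new' => $newId, ':now' => $now]);
}

// Flag day: rewrite user_id from old to new identifier in one transaction and
// report how many users never logged in during the collection window and so
// still carry an old identifier. A new_id that is already a user_id (or two old
// ids mapped to one new id) aborts the whole migration instead of merging accounts.
function migrateToNewIdentifiers(PDO $pdo): array
{
    $pdo->beginTransaction();
    try {
        $dup = (int) $pdo->query(
            'SELECT COUNT(*) - COUNT(DISTINCT new_id) FROM usermapping')->fetchColumn();
        if ($dup > 0) {
            throw new RuntimeException("$dup old identifiers share a new identifier; inspect before migrating");
        }
        $updated = $pdo->exec('UPDATE users SET user_id =
            (SELECT m.new_id FROM usermapping m WHERE m.old_id = users.user_id)
            WHERE user_id IN (SELECT old_id FROM usermapping)');
        $unmapped = (int) $pdo->query(
            'SELECT COUNT(*) FROM users WHERE user_id NOT IN (SELECT new_id FROM usermapping)')->fetchColumn();
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return ['updated' => $updated, 'unmapped' => $unmapped];
}

// Constructed data: three accounts created under OpenID 2.0 identifiers.
$pdo = openMappingDb();
$pdo->exec("INSERT INTO users VALUES
    ('https://www.google.com/accounts/o8/id?id=AItOawlALICE', 'alice'),
    ('https://www.google.com/accounts/o8/id?id=AItOawlBOB',   'bob'),
    ('https://www.google.com/accounts/o8/id?id=AItOawlCAROL', 'carol')");

// Logins observed during the collection window; carol never logs in.
// alice's address carries an apostrophe, which is exactly why the values are bound.
recordMapping($pdo, 'https://www.google.com/accounts/o8/id?id=AItOawlALICE', "alice.o'neil@example.org", time());
recordMapping($pdo, 'https://www.google.com/accounts/o8/id?id=AItOawlBOB',   'bob@example.org', time());
recordMapping($pdo, 'https://www.google.com/accounts/o8/id?id=AItOawlBOB',   'bob@example.org', time()); // repeat login

print_r(migrateToNewIdentifiers($pdo));
```

On the constructed data the migration rewrites alice and bob and reports one unmapped user (carol), who would need the e-mail fallback or a manual mapping after the cutoff.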

Stefan Winter

Apr 8, 2015, 2:26:33 AM
to simple...@googlegroups.com
Hi,

>> I'm not sure I understand what exactly do you mean when you say that this could be turned into a more elaborate tutorial part of simpleSAMLphp documentation, but I agree with anything that will make things easier for people who want to implement support for Google authentication in simpleSAMLphp.
>> And of course, if I can help in any way, I'd be glad to do so.
>
> What I’m basically thinking is that many people would need to go through this process, so having some notes to guide them should be helpful. So I thought it might make sense to put your notes together as a bit more elaborate document included in the documentation. Would you be able to prepare something like that and submit a pull request?

First of all, a big Thanks to Dubravko for his HOWTO. It was very
helpful indeed. I have one addition (see my separate post in this
thread), but in terms of "documentation" TBH I think a bit more than a
guide would be nice (and Dubravko's mail from 13 Feb is a very good
primer for such a guide already!):

The whole process depends on the OIDC / googleauth module by Sylvain
Medard. It would make things a lot more straightforward if that module
would become part of the default distribution and with its authsource
configuration as comments in the supplied authsources.php.

This would condense the HOWTO significantly. Of course getting the two
patches by Dubravko into that module's code would also help.

Greetings,

Stefan Winter