Can not get OpenID AX extension to work with Google OP

Can not get OpenID AX extension to work with Google OP Deron Meranda 11/5/08 2:38 PM
I'm trying to use the AX OpenID extension with Google, but I never
seem to get any attributes back.

My request actually contains all three SReg, AX, and PAPE extensions;
although I realize that Google currently only handles AX, and only the
email attribute at that.

The authentication request is being sent with these parameters to the
discovered URL <https://www.google.com/accounts/o8/ud> (some values
redacted here):

openid.assoc_handle=****ASSOC_HANDLE****
openid.ax.if_available=timezone,language,email
openid.ax.mode=fetch_request
openid.ax.type.email=http://axschema.org/contact/email
openid.ax.type.language=http://axschema.org/pref/language
openid.ax.type.timezone=http://axschema.org/pref/timezone
openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select
openid.identity=http://specs.openid.net/auth/2.0/identifier_select
openid.mode=checkid_setup
openid.ns=http://specs.openid.net/auth/2.0

openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ns.pape=http://specs.openid.net/extensions/pape/1.0
openid.ns.sreg=http://openid.net/extensions/sreg/1.1
openid.pape.preferred_auth_policies=http://schemas.openid.net/pape/policies/2007/06/multi-factor+http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical+http://schemas.openid.net/pape/policies/2007/06/phishing-resistant

openid.realm=****MY_REALM****
openid.return_to=****MY_RETURNTO****
openid.sreg.optional=email,timezone,country,language
openid.sreg.required=fullname

I get to the Google verification page; but it does not list any
attributes that the RP is requesting (as in the example shown).  I do
get a successful authentication response; but it lists no AX
attributes either.

Are there any ideas on what is wrong?
--
Deron Meranda
Re: [google-federated-login-api] Can not get OpenID AX extension to work with Google OP Matthieu Huguet 11/5/08 3:02 PM
Hi Deron,

> I get to the Google verification page; but it does not list any
> attributes that the RP is requesting (as in the example shown).  I do
> get a successful authentication response; but it lists no AX
> attributes either.
>
> Are there any ideas on what is wrong?

I had the same issue, you have to set your email argument as
"required" in your AX request.

According to http://code.google.com/apis/accounts/docs/OpenID.html :
> openid.ext1.required     (optional) Required with attribute exchange. Specifies the attribute being requested. Currently, the only valid value is "email". This parameter must be set or Google will ignore the request.


I don't know if it works with a required parameter in the request with
no value (if you really want the email argument to be optional).
I didn't test this case.

Re: [google-federated-login-api] Re: Can not get OpenID AX extension to work with Google OP Deron Meranda 11/5/08 3:40 PM
On Wed, Nov 5, 2008 at 6:02 PM, Matthieu Huguet <madm...@gmail.com> wrote:
>> I get to the Google verification page; but it does not list any
>> attributes that the RP is requesting (as in the example shown).  I do
>> get a successful authentication response; but it lists no AX
>> attributes either.
>>
>> Are there any ideas on what is wrong?
>
> I had the same issue, you have to set your email argument as
> "required" in your AX request.

Thanks, that works.

The email attribute must be listed in the openid.ax.required field; it is not
sufficient to list it in the openid.ax.if_available.


> According to http://code.google.com/apis/accounts/docs/OpenID.html :
>> openid.ext1.required     (optional) Required with attribute exchange. Specifies the attribute being requested. Currently, the only valid value is "email". This parameter must be set or Google will ignore the request.


Actually, the value can be anything; as long as the namespace is
<http://axschema.org/contact/email>.  I used the following just fine:

  openid.ax.required=xyz
  openid.ax.type.xyz=http://axschema.org/contact/email

I was also able to list other attributes like timezone in the required
field as well, but Google happily ignored all attributes except email.

However note that Google's documentation is specific to Google.
The OpenID standard seems more ambiguous and confusing on
this issue.  I'm not quite sure what the difference is supposed to be
between "required" and "if_available".


Of course, by reading the standard strictly, Google's behavior is
legal; although other interpretations could be possible too, like:

  * providing a checkbox to allow the user to choose which
    attributes to return to the RP, or
  * warning the user that other required attributes are not
    supported by Google, and hence the RP may "fail".

But I think this shows that the AX standard itself is not very well
defined in terms of explaining a *real* difference between required
and if_available (or I'm just not reading it right).  If Google
continues with this behavior when/if it adds support for other
attribute types; why would any RP ever use the "if_available"
parameter at all?

--
Deron Meranda
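
Added example, not part of the thread: a relying-party sketch in Python that builds the AX fetch_request with the email attribute under "required" (using an arbitrary alias, as in the last message) and reads the fetch_response by attribute type URI instead of by alias. The function names, the sample response and the "ext1" alias in it are constructed for illustration; the parser assumes single-valued attributes and only checks that the AX fields are listed in openid.signed, it does not verify the signature itself.

```python
from urllib.parse import urlencode, parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"
EMAIL = "http://axschema.org/contact/email"

def build_ax_request(required, if_available=None, alias="ax"):
    """Return AX fetch_request parameters.
    required / if_available map a local alias to an attribute type URI."""
    if_available = if_available or {}
    params = {f"openid.ns.{alias}": AX_NS, f"openid.{alias}.mode": "fetch_request"}
    for name, uri in {**required, **if_available}.items():
        params[f"openid.{alias}.type.{name}"] = uri
    if required:
        params[f"openid.{alias}.required"] = ",".join(required)
    if if_available:
        params[f"openid.{alias}.if_available"] = ",".join(if_available)
    return params

def parse_ax_response(query):
    """Map attribute type URI -> value from a positive assertion's query string.
    The OP chooses its own namespace and attribute aliases, so both are looked
    up from the response. Fields not covered by openid.signed are ignored."""
    resp = dict(parse_qsl(query, keep_blank_values=True))
    signed = {"openid." + f for f in resp.get("openid.signed", "").split(",") if f}
    ns = next((k[len("openid.ns."):] for k, v in resp.items()
               if k.startswith("openid.ns.") and v == AX_NS and k in signed), None)
    mode_key = f"openid.{ns}.mode"
    if ns is None or mode_key not in signed or resp[mode_key] != "fetch_response":
        return {}
    type_prefix, out = f"openid.{ns}.type.", {}
    for key, uri in resp.items():
        if not key.startswith(type_prefix) or key not in signed:
            continue
        value_key = f"openid.{ns}.value.{key[len(type_prefix):]}"
        if value_key in signed and value_key in resp:
            out[uri] = resp[value_key]
    return out

# Constructed sample response; a real one carries more fields and a signature.
SAMPLE_FIELDS = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": EMAIL,
    "openid.ext1.value.email": "user@example.com",
    "openid.signed": "ns.ext1,ext1.mode,ext1.type.email,ext1.value.email",
}
SAMPLE_RESPONSE = urlencode(SAMPLE_FIELDS)
```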