FW: [Openid-specs-ab] We have published a discovery doc & JWK endpoint


Mike Jones
Mar 11, 2014, 2:50:39 PM
to openid-conn...@googlegroups.com

Google has published a configuration endpoint and JWK Set endpoint.  It would be great if people could try those with their implementations.

FYI, the configuration contains "issuer": "accounts.google.com", which makes sense since that’s their “iss” value in their ID Tokens.  But if your code is checking for https://, you’ll have to special case Google here like you already have to do for their “iss” value, for things to work.

-- Mike

From: Mike Jones
Sent: Tuesday, March 11, 2014 11:47 AM
To: 'Tim Bray'; <openid-...@lists.openid.net>
Subject: RE: [Openid-specs-ab] We have published a discovery doc & JWK endpoint

Looks good.  I added this to the interop info at http://osis.idcommons.net/wiki/OC5:Google_Deployment.

Are you also planning on deploying https://accounts.google.com/.well-known/webfinger so that your configuration information is discoverable?  Doing so should be pretty trivial, as I believe that the response can be a static page, unless you’re doing something else with WebFinger as well.

-- Mike

From: openid-spec...@lists.openid.net [mailto:openid-spec...@lists.openid.net] On Behalf Of Tim Bray
Sent: Monday, March 10, 2014 12:21 PM
To: <openid-...@lists.openid.net>
Subject: [Openid-specs-ab] We have published a discovery doc & JWK endpoint
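A worked version of the issuer check Mike is describing, as an added example that is not code from the thread or from Google: a Python relying-party helper that validates the discovery document's "issuer" and the ID Token's "iss" against the issuer the RP was configured with, and handles Google's scheme-less value as a named alias instead of relaxing the https:// requirement for every OP. The metadata dictionary, the alias table and all function names are constructed for this example.

```python
"""Issuer consistency checks for an OpenID Connect Relying Party.

Added example, not code from the thread. It assumes the RP was configured
with an issuer URL, fetched <issuer>/.well-known/openid-configuration, and
now holds the parsed metadata and the claims of an ID Token. The Google
alias mirrors the special case Mike describes: the 2014 Google metadata and
ID Tokens carried "accounts.google.com" without the https:// scheme.
"""
from urllib.parse import urlsplit

# Issuer strings a strictly conforming RP would reject but that are known to
# name the same OP, keyed by the canonical https:// issuer. Constructed from
# the thread; extend deliberately, never with a wildcard.
ISSUER_ALIASES = {
    "https://accounts.google.com": {"accounts.google.com"},
}


def canonical_issuer(iss: str) -> str:
    """Return the canonical https:// form of a known alias, else iss unchanged.

    Only listed issuers are rewritten; an unknown scheme-less value stays as
    it is and later fails the scheme check.
    """
    for canonical, aliases in ISSUER_ALIASES.items():
        if iss == canonical or iss in aliases:
            return canonical
    return iss


def issuer_is_well_formed(iss: str) -> bool:
    """Discovery 1.0 s.3: the issuer is an https URL with no query or fragment."""
    u = urlsplit(iss)
    return u.scheme == "https" and bool(u.netloc) and not u.query and not u.fragment


def validate_discovery_metadata(configured_issuer: str, metadata: dict) -> list:
    """Return a list of problems; an empty list means the metadata is acceptable.

    Checks that the advertised issuer is the one the RP fetched the document
    from (after alias canonicalisation) and that every *_endpoint and the
    jwks_uri are https, so a spoofed or downgraded endpoint cannot be injected
    through the metadata document.
    """
    problems = []
    advertised = metadata.get("issuer")
    if not isinstance(advertised, str):
        return ["metadata has no string 'issuer'"]
    if canonical_issuer(advertised) != canonical_issuer(configured_issuer):
        problems.append(f"issuer mismatch: metadata says {advertised!r}, "
                        f"RP expected {configured_issuer!r}")
    if not issuer_is_well_formed(canonical_issuer(advertised)):
        problems.append(f"issuer {advertised!r} is not a well-formed https URL")
    for key, value in metadata.items():
        if key.endswith("_endpoint") or key == "jwks_uri":
            if not (isinstance(value, str) and urlsplit(value).scheme == "https"):
                problems.append(f"{key} is not an https URL: {value!r}")
    return problems


def id_token_issuer_matches(configured_issuer: str, claims: dict) -> bool:
    """Core 1.0 s.3.1.3.7 step 2: iss MUST exactly match the RP's issuer.

    The alias table is the only relaxation applied.
    """
    iss = claims.get("iss")
    return isinstance(iss, str) and canonical_issuer(iss) == canonical_issuer(configured_issuer)


# Constructed sample metadata, shaped like the document the thread discusses;
# the endpoint values are illustrative, not a copy of Google's document.
SAMPLE_GOOGLE_STYLE_METADATA = {
    "issuer": "accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/auth",
    "token_endpoint": "https://www.googleapis.com/oauth2/v3/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}

if __name__ == "__main__":
    rp_issuer = "https://accounts.google.com"
    print(validate_discovery_metadata(rp_issuer, SAMPLE_GOOGLE_STYLE_METADATA))      # []
    print(id_token_issuer_matches(rp_issuer, {"iss": "accounts.google.com"}))        # True
    print(id_token_issuer_matches(rp_issuer, {"iss": "https://evil.example"}))       # False
```

The alias table is the whole point of the design: a single scheme-less issuer is accepted only because it is spelled out for one OP, so the RP never ends up accepting an arbitrary scheme-less "iss" that an attacker controls.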

Hans Zandbelt
Mar 12, 2014, 9:38:59 AM
to openid-conn...@googlegroups.com, tb...@textuality.com
It seems that Google does not support HTTP basic authentication
against the token endpoint; the response is:

{
 "error" : "invalid_request"
}

Embedding the client_id/client_secret in the POST fields does work.

The Discovery spec says in section "3. OpenID Provider Metadata"
that if no "token_endpoint_auth_types_supported" entry is found
in the metadata, HTTP Basic Authentication should be used as the
default method.

Hence it would be better if Google extended its OP metadata with:

"token_endpoint_auth_types_supported": ["client_secret_post"]

Hans.

On 3/11/14, 7:50 PM, Mike Jones wrote:
> Google has published a configuration endpoint and JWK Set endpoint. It
> would be great if people could try those with their implementations.
>
> FYI, the configuration contains "issuer": "accounts.google.com", which
> makes sense since that’s their “iss” value in their ID Tokens. But if
> your code is checking for https://, you’ll have to special case Google
> here like you already have to do for their “iss” value, for things to work.
>
> -- Mike
>
> *From:*Mike Jones
> *Sent:* Tuesday, March 11, 2014 11:47 AM
> *To:* 'Tim Bray'; <openid-...@lists.openid.net>
> *Subject:* RE: [Openid-specs-ab] We have published a discovery doc & JWK
> endpoint
>
> Looks good. I added this to the interop info at
> http://osis.idcommons.net/wiki/OC5:Google_Deployment.
>
> Are you also planning on deploying
> https://accounts.google.com/.well-known/webfinger so that your
> configuration information is discoverable? Doing so should be pretty
> trivial, as I believe that the response can be a static page, unless
> you’re doing something else with WebFinger as well.
>
> -- Mike
>
> *From:*openid-spec...@lists.openid.net
> <mailto:openid-spec...@lists.openid.net>
> [mailto:openid-spec...@lists.openid.net] *On Behalf Of *Tim Bray
> *Sent:* Monday, March 10, 2014 12:21 PM
> *To:* <openid-...@lists.openid.net
> <mailto:openid-...@lists.openid.net>>
> *Subject:* [Openid-specs-ab] We have published a discovery doc & JWK
> endpoint
>
> Start at https://accounts.google.com/.well-known/openid-configuration
>
> Hope it works...
>
> --
> You received this message because you are subscribed to the Google
> Groups "OpenID Connect Interop" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to openid-connect-in...@googlegroups.com
> <mailto:openid-connect-in...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.

--
Hans Zandbelt | Sr. Technical Architect
hzan...@pingidentity.com | Ping Identity
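The rule Hans cites, carried into RP code as an added example (not code from the thread, from Google or from any RP library): pick the token endpoint client authentication method from the OP metadata, falling back to client_secret_basic when the OP advertises nothing, and build the token request accordingly. The published Discovery 1.0 spec names the entry "token_endpoint_auth_methods_supported"; the code uses that name. The metadata dictionaries, client credentials and function names are constructed for this example.

```python
"""Choosing the token endpoint client authentication method from OP metadata.

Added example, not code from the thread or from any RP library. Discovery 1.0
section 3 says that when "token_endpoint_auth_methods_supported" is absent
the RP must assume client_secret_basic, which is exactly the case Hans hit
against Google's endpoint. Metadata and credentials below are constructed.
"""
import base64
from urllib.parse import quote, urlencode

# Discovery 1.0 s.3 default when the OP says nothing about client auth.
DISCOVERY_DEFAULT_AUTH_METHODS = ["client_secret_basic"]


def choose_token_endpoint_auth_method(
    metadata: dict,
    rp_supports=("client_secret_basic", "client_secret_post"),
) -> str:
    """Return the first method, in RP preference order, that the OP advertises.

    An OP that supports only client_secret_post must say so in its metadata;
    otherwise this function (correctly, per the spec) picks Basic and the
    token request fails, which is the interop problem the thread reports.
    """
    advertised = metadata.get("token_endpoint_auth_methods_supported",
                              DISCOVERY_DEFAULT_AUTH_METHODS)
    if not isinstance(advertised, list):
        raise ValueError("token_endpoint_auth_methods_supported must be a JSON array")
    for method in rp_supports:
        if method in advertised:
            return method
    raise ValueError(f"no common client authentication method; OP offers {advertised}")


def build_token_request(metadata: dict, client_id: str, client_secret: str,
                        code: str, redirect_uri: str):
    """Return (method, token_endpoint, headers, form_body) for a code exchange.

    The secret goes either in an Authorization header (client_secret_basic)
    or in the form body (client_secret_post), never in the URL.
    """
    method = choose_token_endpoint_auth_method(metadata)
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 s.2.3.1: form-urlencode each part, then base64 "id:secret".
        credentials = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(
            credentials.encode("ascii")).decode("ascii")
    else:
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    return method, metadata["token_endpoint"], headers, urlencode(body)


# Constructed metadata: what the thread asks Google to publish ...
GOOGLE_STYLE_METADATA = {
    "issuer": "accounts.google.com",
    "token_endpoint": "https://www.googleapis.com/oauth2/v3/token",
    "token_endpoint_auth_methods_supported": ["client_secret_post"],
}
# ... and a minimal document with no entry, where the spec default applies.
MINIMAL_METADATA = {
    "issuer": "https://op.example",
    "token_endpoint": "https://op.example/token",
}

if __name__ == "__main__":
    for md in (GOOGLE_STYLE_METADATA, MINIMAL_METADATA):
        method, url, headers, body = build_token_request(
            md, "my-client", "s3cr3t", "SplxlOBeZQQYbYS6WxSbIA", "https://rp.example/cb")
        print(method, url, headers.get("Authorization"), body, sep="\n  ")
```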

John Bradley
Mar 12, 2014, 9:41:44 AM
to openid-conn...@googlegroups.com, tb...@textuality.com
Yes, they should add that if they are not supporting the default.

Hans Zandbelt
Dec 8, 2014, 3:31:53 PM
to Adam Dawes, Breno de Medeiros, Naveen Agarwal, John Bradley, openid-conn...@googlegroups.com
FYI, I just experienced the same issue as described here:
http://stackoverflow.com/questions/27363481/cannot-authenticate-anymore-with-new-google-oauth-2-0-token-endpoint-v3

new endpoint with string value "3600":
https://www.googleapis.com/oauth2/v3/token
(which is in the current published metadata)

old endpoint with number value 3600:
https://accounts.google.com/o/oauth2/token

Looks like a bug to me.

Hans.

Naveen Agarwal
Dec 8, 2014, 3:34:29 PM
to Hans Zandbelt, Adam Dawes, Breno de Medeiros, John Bradley, openid-conn...@googlegroups.com

Thanks for letting us know. We'll have a look.

John Bradley
Dec 8, 2014, 3:37:53 PM
to openid-conn...@googlegroups.com, Hans Zandbelt, Adam Dawes, Breno de Medeiros
Yes, "expires_in" should be an int, not a string. That is an OAuth bug.

--
John Bradley | Sr. Technical Architect
jbra...@pingidentity.com | Ping Identity
phone +1 202.470.2512 or +44 20.8133.2512
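The type problem Hans and John discuss, as an added example that is not code from the thread or from Google: a strict parser for the token response that rejects a string-typed "expires_in" by default, with an explicit per-provider flag to coerce a decimal string and record the deviation. RFC 6749 section 5.1 defines "expires_in" as the lifetime in seconds, a JSON number, so a type-checking client breaks on "3600" exactly as the Stack Overflow question reports. The two sample responses are constructed to match the shapes the thread contrasts; the function and class names are assumptions.

```python
"""Strict parsing of an OAuth 2.0 / OpenID Connect token response.

Added example, not code from the thread or from Google. Default behaviour is
the conforming one (expires_in must be a number); coerce_expires_in is the
knob an RP flips deliberately, for one provider, to keep working against an
OP that ships the string form. Sample responses below are constructed.
"""
import json


class TokenResponseError(ValueError):
    """Raised when the token response is an error or does not conform."""


def parse_token_response(raw: str, *, coerce_expires_in: bool = False) -> dict:
    """Return the validated fields of a successful token response.

    Raises TokenResponseError for an OAuth error response, a missing or
    mistyped access_token/token_type, or a mistyped expires_in. With
    coerce_expires_in=True a decimal string is converted to int and the
    deviation is recorded in the returned "warnings" list.
    """
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise TokenResponseError(f"token response is not JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise TokenResponseError("token response is not a JSON object")
    if "error" in data:
        # RFC 6749 s.5.2 error response, e.g. the invalid_request Hans saw.
        raise TokenResponseError(f"OP returned error {data['error']!r}: "
                                 f"{data.get('error_description', '')}")

    warnings = []
    access_token = data.get("access_token")
    token_type = data.get("token_type")
    if not isinstance(access_token, str) or not access_token:
        raise TokenResponseError("missing or non-string access_token")
    if not isinstance(token_type, str) or not token_type:
        raise TokenResponseError("missing or non-string token_type")

    expires_in = data.get("expires_in")
    if expires_in is not None:
        # bool is a subclass of int in Python; exclude it explicitly.
        is_number = isinstance(expires_in, (int, float)) and not isinstance(expires_in, bool)
        if not is_number:
            if coerce_expires_in and isinstance(expires_in, str) and expires_in.isdigit():
                warnings.append(f"expires_in was the string {expires_in!r}; coerced to int")
                expires_in = int(expires_in)
            else:
                raise TokenResponseError(
                    f"expires_in must be a JSON number, got {type(expires_in).__name__}")
        if expires_in <= 0:
            raise TokenResponseError(f"expires_in must be positive, got {expires_in}")

    result = {
        "access_token": access_token,
        "token_type": token_type,
        "expires_in": expires_in,
        "warnings": warnings,
    }
    # Optional fields are passed through only when present and string-typed.
    for optional in ("refresh_token", "id_token", "scope"):
        value = data.get(optional)
        if isinstance(value, str):
            result[optional] = value
    return result


# Constructed samples shaped like the two responses the thread contrasts.
V3_STYLE_RESPONSE = json.dumps({
    "access_token": "ya29.constructed-token",
    "token_type": "Bearer",
    "expires_in": "3600",          # string: the behaviour reported for the v3 endpoint
    "id_token": "eyJhbGciOiJSUzI1NiJ9.constructed.sig",
})
LEGACY_STYLE_RESPONSE = json.dumps({
    "access_token": "ya29.constructed-token",
    "token_type": "Bearer",
    "expires_in": 3600,            # number: what RFC 6749 requires
    "id_token": "eyJhbGciOiJSUzI1NiJ9.constructed.sig",
})

if __name__ == "__main__":
    print(parse_token_response(LEGACY_STYLE_RESPONSE)["expires_in"])                  # 3600
    print(parse_token_response(V3_STYLE_RESPONSE, coerce_expires_in=True)["warnings"])
    try:
        parse_token_response(V3_STYLE_RESPONSE)
    except TokenResponseError as exc:
        print("strict mode rejected it:", exc)
```

Keeping the coercion opt-in rather than silently accepting any string preserves the type check for everything else (a boolean or an object in "expires_in" still fails), and the warning gives operators a record of which provider needed the workaround when they come to remove it.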