Google Apps openid


Ishaaq Chandy

May 5, 2010, 11:47:57 PM
to Repo and Gerrit Discussion
Hi guys,
Has anyone else seen problems with using Google Apps based openid on
Gerrit?

When I try to login with my Google Apps openid url (which is of the
form: https://www.google.com/accounts/o8/site-xrds?hd=example.com) I
get redirected to Google's openid login/auth process successfully but
then when I get redirected to Gerrit my user is not registered. Gerrit
is not alone in this, I tested against other openid sites like
stackoverflow.com (which does give me an error unlike Gerrit).

So, further investigation revealed that apparently google's "Federated
Login for Google Account Users" uses a proprietary openid extension (I
might have worded this wrong - if so forgive me - I am new to this)
which means that not all sites support openid urls originating from
Google Apps accounts.

Has anyone else seen this behaviour with Gerrit? Are there any
workarounds that will allow me to use Gerrit with Google Apps account
logins?

Regards,
Ishaaq

--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

Shawn Pearce

May 6, 2010, 2:34:29 PM
to Ishaaq Chandy, Repo and Gerrit Discussion
Ishaaq Chandy <ish...@gmail.com> wrote:
> Has anyone else seen problems with using Google Apps based openid on
> Gerrit?

Yes. :-(

> When I try to login with my Google Apps openid url (which is of the
> form: https://www.google.com/accounts/o8/site-xrds?hd=example.com) I
> get redirected to Google's openid login/auth process successfully but
> then when I get redirected to Gerrit my user is not registered. Gerrit
> is not alone in this, I tested against other openid sites like
> stackoverflow.com (which does give me an error unlike Gerrit).
>
> So, further investigation revealed that apparently google's "Federated
> Login for Google Account Users" uses a proprietary openid extension (I
> might have worded this wrong - if so forgive me - I am new to this)
> which means that not all sites support openid urls originating from
> Google Apps accounts.
>
> Has anyone else seen this behaviour with Gerrit? Are there any
> workarounds that will allow me to use Gerrit with Google Apps account
> logins?

The current work-around is to register a second Google Account that
matches the email address of your Google Apps account. It's ugly,
but it works, and is what the @android.com domain users are using.

Go to https://www.google.com/accounts/NewAccount to create a new
account. Enter your Google Apps email address. Select the same
(or a new) password.

Now when you use Gerrit Code Review, or any other OpenID site,
use the normal Google OpenID URL (like for Gmail accounts) and
enter this email address and password.

It can be a bit confusing, because you really do have two different
accounts now with Google, and they have the exact same email address.

Ishaaq Chandy

May 6, 2010, 9:55:35 PM
to Shawn Pearce, Repo and Gerrit Discussion
Actually, after I sent that message I found a workaround:

This only works if you have admin access to the webserver that drives
the main host (example.com in the rest of this discussion) - which is
ok for me because that's what we do, only subhosts like
mail.example.com, calendar.example.com get redirected to Google Apps.

1. Create a file that is accessible via http://example.com/openid
2. Ensure that the webserver reports the file's MIME as application/xrds+xml
3. The contents of the file should be:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
  </XRD>
</xrds:XRDS>

4. Once the above is done, the openid url users use to login to Gerrit
is then: https://www.google.com/accounts/o8/site-xrds?hd=example.com

That login URL is a bit long and ugly - which is a shame; ideally I
would have liked to use just http://example.com - which, in theory, at
least according to Google's docs, should have worked but does not
because it uses Google's experimental OpenID discovery mechanism, which
openid4java does not support.

Ishaaq
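Before pointing users at the long site-xrds URL, it is worth checking that the file from steps 1-3 is actually what a relying party will accept. The following discovery check is an added example written for this page; it is not code from the thread, from Gerrit or from openid4java. It embeds a constructed copy of the XRDS document above for the example.com domain used in the thread, verifies the Content-Type from step 2, parses the XRDS the way an OpenID 2.0 relying party does (last XRD, services ordered by priority, `server` preferred over `signon`) and refuses a plain-http OP endpoint. The `op.example.com` address in the usage note is a hypothetical placeholder.

```python
"""Relying-party-side Yadis/XRDS discovery check for an OpenID 2.0 delegation
document. Added example; not code from the thread, Gerrit or openid4java."""
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional, Tuple

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
XRDS_MEDIA_TYPE = "application/xrds+xml"

# Constructed sample: the XRDS document from the post above, for the
# example.com domain used throughout the thread.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


class Service(NamedTuple):
    priority: int
    types: Tuple[str, ...]
    uri: str


def content_type_is_xrds(header_value: str) -> bool:
    """Step 2 of the workaround: the Content-Type must be application/xrds+xml.
    Parameters such as '; charset=utf-8' are allowed; the media type itself is
    compared case-insensitively."""
    media_type = header_value.split(";", 1)[0].strip().lower()
    return media_type == XRDS_MEDIA_TYPE


def parse_xrds(data: bytes) -> List[Service]:
    """Parse an XRDS document and return its services, lowest priority first.
    As in Yadis, only the last XRD element is used. Services without a
    priority attribute sort after every service that has one."""
    root = ET.fromstring(data)
    if root.tag != "{%s}XRDS" % XRDS_NS:
        raise ValueError("root element is not xrds:XRDS: %r" % root.tag)
    xrds = root.findall("{%s}XRD" % XRD_NS)
    if not xrds:
        raise ValueError("XRDS document contains no XRD element")
    services: List[Service] = []
    for svc in xrds[-1].findall("{%s}Service" % XRD_NS):
        raw = svc.get("priority")
        priority = int(raw) if raw is not None else 2 ** 31
        types = tuple(t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text)
        for uri in svc.findall("{%s}URI" % XRD_NS):
            if uri.text:
                services.append(Service(priority, types, uri.text.strip()))
    # sort() is stable, so equal priorities keep document order
    services.sort(key=lambda s: s.priority)
    return services


def select_op_endpoint(services: List[Service],
                       require_https: bool = True) -> Optional[Tuple[str, str]]:
    """Choose the OP endpoint the way an OpenID 2.0 relying party does: a
    'server' service (OP Identifier) wins over a 'signon' service (Claimed
    Identifier). With require_https, a plain-http endpoint is skipped so the
    redirect to the OP cannot be tampered with in transit."""
    for wanted in (OPENID2_SERVER, OPENID2_SIGNON):
        for svc in services:
            if wanted in svc.types:
                if require_https and not svc.uri.lower().startswith("https://"):
                    continue
                return wanted, svc.uri
    return None


if __name__ == "__main__":
    found = parse_xrds(SAMPLE_XRDS)
    print("content-type ok:", content_type_is_xrds("application/xrds+xml; charset=utf-8"))
    print("services:", found)
    print("op endpoint:", select_op_endpoint(found))
```

To check a live deployment, fetch http://example.com/openid, pass the response's Content-Type header to `content_type_is_xrds` and its body to `parse_xrds`; if `select_op_endpoint` returns `None` the discovery document is either missing the OpenID 2.0 service types or points at a non-TLS endpoint, which is what a relying party would silently reject.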

Jay Soffian

May 7, 2010, 4:08:05 PM
to Ishaaq Chandy, Shawn Pearce, Repo and Gerrit Discussion
On Thu, May 6, 2010 at 9:55 PM, Ishaaq Chandy <ish...@gmail.com> wrote:
> Actually, after I sent that message I found a workaround:
>
> [...]
>
> That login URL is a bit long and ugly - which is a shame; ideally I
> would have liked to use just http://example.com - which, in theory, at
> least according to Google's docs, should have worked but does not
> because it uses Google's experimental OpenID discovery mechanism, which
> openid4java does not support.

1. Download the openid-provider example from
http://code.google.com/p/google-app-engine-samples/
2. Deploy it as openid.example.com per
http://code.google.com/appengine/articles/domains.html

Still ugly, but not as ugly as
https://www.google.com/accounts/o8/site-xrds?hd=example.com

I found both solutions so ugly that I just switched to another auth
mechanism besides openid.

j.

Shawn Pearce

Nov 18, 2010, 2:43:38 PM
to Ishaaq Chandy, Repo and Gerrit Discussion
On Thu, May 6, 2010 at 11:34, Shawn Pearce <s...@google.com> wrote:
> Ishaaq Chandy <ish...@gmail.com> wrote:
>> Has anyone else seen problems with using Google Apps based openid on
>> Gerrit?
>
>> When I try to login with my Google Apps openid url (which is of the
>> form: https://www.google.com/accounts/o8/site-xrds?hd=example.com) I
>> get redirected to Google's openid login/auth process successfully but
>> then when I get redirected to Gerrit my user is not registered. Gerrit
>> is not alone in this, I tested against other openid sites like
>> stackoverflow.com (which does give me an error unlike Gerrit).
>
> The current work-around is to register a second Google Account that
> matches the email address of your Google Apps account.  It's ugly,
> but it works, and is what the @android.com domain users are using.

This has (finally) been resolved. Today Google launched a change to
Google Apps Accounts:

http://googleenterprise.blogspot.com/2010/11/ten-times-more-applications-for-google.html

After transitioning your account, you can use the 'Google Account'
link in the OpenID sign-in dialog that Gerrit shows, rather than
trying to use one of the hacked-up providers that runs on Google
AppEngine.

Shawn Pearce

Nov 18, 2010, 2:47:20 PM
to Ishaaq Chandy, Repo and Gerrit Discussion
On Thu, Nov 18, 2010 at 11:43, Shawn Pearce <s...@google.com> wrote:
> This has (finally) been resolved.  Today Google launched a change to
> Google Apps Accounts:
>
>  http://googleenterprise.blogspot.com/2010/11/ten-times-more-applications-for-google.html
>
> After transitioning your account, you can use the 'Google Account'
> link in the OpenID sign-in dialog that Gerrit shows, rather than
> trying to use one of the hacked-up providers that runs on Google
> AppEngine.

I should also tell you that I had to add a special flag to Gerrit to
make this work smoothly for users that are upgrading their Google Apps
accounts, and who already had created a "shadow" consumer Google
Account for use with Gerrit. You'll need to add the following to your
gerrit.config:

[auth]
allowGoogleAccountUpgrade = true

during the transition period. (You can remove it once all users have
transitioned their accounts.)
