Google Apps Account as OpenID
Google Account as OpenID
It’s a feature introduced a long time ago
Everyone can paste https://www.google.com/accounts/o8/id and log in with it as their OpenID
– It will be discovered by the RP as a server endpoint, triggering an id_select login process
– You will be issued an OpenID such as https://www.google.com/accounts/o8/id?id=AItOwk...nqJOSI
Google Account as OpenID
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>
“id_select” process?
New* in OpenID 2.0
– Which was introduced back in 2007
Indicates that the user wishes to use a specific OpenID IdP, but does not know or state their own OpenID
Therefore the “id_select” login process asks the OpenID IdP to select an ID for the user.
The other login process is the “signon” process
OpenID Discovery for Apps
Use this URL for server endpoint discovery: https://www.google.com/accounts/o8/site-xrds?hd=example.com
– You will be issued an OpenID such as http://example.com/openid?id=1234567890
– Discovery info is hosted on the given URL so that the RP can verify that Google is not lying
User Discovery Information
Described extensively in docs from Google
– http://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery
– It even asked for the XRDS to be signed!
I made a PHP script for that
– http://github.com/timdream/google-apps-openid
– Works, but the XRDS generated is not signed
– Hosting your own XRDS defeats the purpose of Google Apps
User Discovery Information
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <CanonicalID>http://example.com/openid?id=1234567890</CanonicalID>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
  </XRD>
</xrds:XRDS>
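The two XRDS documents above, and the “Google is not lying” check from the Apps discovery slide, as an added example that is not part of the slides or of the timdream script: it parses an XRDS into login mode, endpoint and CanonicalID, then performs the RP-side re-discovery check on the claimed identifier. The xrds() builder, the HOSTED table and the fetch parameter are constructed stand-ins for the network; the URLs and identifiers are the ones shown on the slides.

```python
import xml.etree.ElementTree as ET

NS = "xri://$xrd*($v*2.0)"
SERVER = "http://specs.openid.net/auth/2.0/server"  # OP endpoint: RP starts id_select
SIGNON = "http://specs.openid.net/auth/2.0/signon"  # claimed identifier: ordinary signon


def xrds(service_type, endpoint, canonical_id=None):
    """Build a minimal XRDS document with the same shape as the ones on the slides."""
    cid = f"<CanonicalID>{canonical_id}</CanonicalID>" if canonical_id else ""
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{NS}"><XRD>{cid}'
            f'<Service priority="0"><Type>{service_type}</Type>'
            f'<URI>{endpoint}</URI></Service></XRD></xrds:XRDS>').encode()


def discover(xrds_bytes):
    """Return (login_mode, op_endpoint, canonical_id) parsed from an XRDS document."""
    xrd = ET.fromstring(xrds_bytes).find(f"{{{NS}}}XRD")
    canonical_id = xrd.findtext(f"{{{NS}}}CanonicalID")  # None when absent
    for service in xrd.findall(f"{{{NS}}}Service"):
        types = {t.text for t in service.findall(f"{{{NS}}}Type")}
        endpoint = service.findtext(f"{{{NS}}}URI")
        if SERVER in types:
            return "id_select", endpoint, canonical_id
        if SIGNON in types:
            return "signon", endpoint, canonical_id
    raise ValueError("no OpenID 2.0 service element in XRDS")


# Constructed stand-in for the web: URL -> XRDS bytes hosted there (values from the slides).
HOSTED = {
    "https://www.google.com/accounts/o8/id":
        xrds(SERVER, "https://www.google.com/accounts/o8/ud"),
    "http://example.com/openid?id=1234567890":
        xrds(SIGNON, "https://www.google.com/a/example.com/o8/ud?be=o8",
             "http://example.com/openid?id=1234567890"),
}


def verify_assertion(claimed_id, asserting_endpoint, fetch=HOSTED.get):
    """RP-side 'verifying discovered information' step of OpenID 2.0: re-discover
    the claimed_id itself and accept the assertion only if the XRDS hosted there
    names the endpoint that made it. An OP asserting identifiers for a domain it
    does not control has no way to pass this check."""
    doc = fetch(claimed_id)
    if doc is None:
        return False
    _mode, endpoint, canonical_id = discover(doc)
    return endpoint == asserting_endpoint and canonical_id in (None, claimed_id)
```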
Google’s Discovery Proposal for Hosted Domains
Something involving a special file located at “/.well-known/host-meta”
Won’t work on current OpenID ecosystems, unless you patch your RP library with the Google-supplied extension.
– http://code.google.com/googleapps/marketplace/sso.html#gs
Not sure how it solves the “Google might be lying” problem
On User Interface
Trigger the “id_select” process whenever possible
– URLs mean little to average users
– Entering username/password in different steps seems strange
Possible UI
– “Enter your E-mail to continue”
– Buttons
Beware of the NASCAR effect
Q&A