Google Apps Account as OpenID
Timothy Chien, http://blog.timc.idv.tw/, [email protected], 2010-10-31 (slide transcript)

Page 1: Google Apps Account as OpenID

Google Apps Account as OpenID

Timothy Chien

http://blog.timc.idv.tw/

[email protected]

2010-10-31

Page 2: Google Apps Account as OpenID

Google Account as OpenID

It’s a feature introduced a long time ago
Everyone can paste https://www.google.com/accounts/o8/id and log in with it as their OpenID
– It will be discovered by the RP as a server endpoint, which triggers an id_select login process
– You will be issued an OpenID such as https://www.google.com/accounts/o8/id?id=AItOwk...nqJOSI

Page 3: Google Apps Account as OpenID

Google Account as OpenID

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>

Page 4: Google Apps Account as OpenID

“id_select” process?

New* in OpenID 2.0
– which was introduced back in 2007

Indicates that the user wishes to use a specific OpenID IdP, but does not know (or does not state) his own OpenID

Therefore the “id_select” login process asks the OpenID IdP to select an ID for the user.

The other login process is the “signon” process

Page 5: Google Apps Account as OpenID

OpenID Discovery for Apps

Use this URL for server endpoint discovery: https://www.google.com/accounts/o8/site-xrds?hd=example.com
– You will be issued an OpenID such as http://example.com/openid?id=1234567890
– Discovery info is hosted on the given URL so that the RP can verify that Google is not lying

Page 6: Google Apps Account as OpenID

User Discovery Information

Described extensively in docs from Google
– http://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery
– It even asks for the XRDS to be signed!

I made a PHP script for that
– http://github.com/timdream/google-apps-openid
– Works, but the XRDS generated is not signed
– Hosting your own XRDS defeats the purpose of Google Apps

Page 7: Google Apps Account as OpenID

User Discovery Information

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <CanonicalID>http://example.com/openid?id=1234567890</CanonicalID>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
  </XRD>
</xrds:XRDS>
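The two XRDS documents above (the "server" document behind the bare Google URL, and the per-user "signon" document hosted on example.com) are what an OpenID 2.0 Relying Party acts on. The following Python is an added example, not the slide author's PHP script and not Google's code: it parses both documents, shows why the server document leads to the id_select process (slides 2 and 4), and shows the check the RP makes after a positive assertion so that "Google is not lying" about an example.com identity (slides 5 and 7). The XRDS strings are the slides' documents with the UI/PAPE extension Types left out; HOSTED_DOCS and fake_fetch are constructed stand-ins for the HTTP fetches real discovery would perform.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
SERVER = "http://specs.openid.net/auth/2.0/server"
SIGNON = "http://specs.openid.net/auth/2.0/signon"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Slide 3: the document served for https://www.google.com/accounts/o8/id
# (UI/PAPE extension Types from the slide are omitted here).
GOOGLE_SERVER_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD><Service priority="0">
  <Type>http://specs.openid.net/auth/2.0/server</Type>
  <Type>http://openid.net/srv/ax/1.0</Type>
  <URI>https://www.google.com/accounts/o8/ud</URI>
 </Service></XRD>
</xrds:XRDS>"""

# Slide 7: the per-user document that has to be hosted on example.com itself.
APPS_USER_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD>
  <CanonicalID>http://example.com/openid?id=1234567890</CanonicalID>
  <Service priority="0">
   <Type>http://specs.openid.net/auth/2.0/signon</Type>
   <Type>http://openid.net/srv/ax/1.0</Type>
   <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
  </Service>
 </XRD>
</xrds:XRDS>"""

# Constructed stand-in for the network: URL that discovery would GET -> XRDS body.
HOSTED_DOCS = {
    "https://www.google.com/accounts/o8/id": GOOGLE_SERVER_XRDS,
    "http://example.com/openid?id=1234567890": APPS_USER_XRDS,
}

def fake_fetch(url):
    """Offline replacement for an HTTP GET with Accept: application/xrds+xml."""
    return HOSTED_DOCS.get(url)

def parse_xrds(text):
    """Return the highest-priority OpenID 2.0 service of an XRDS document, or None."""
    root = ET.fromstring(text.encode("utf-8"))
    xrd = root.find(f"{{{XRD_NS}}}XRD")
    if xrd is None:
        return None
    canonical = xrd.findtext(f"{{{XRD_NS}}}CanonicalID")
    best = None
    for svc in xrd.findall(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type")]
        uris = [u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI")]
        mode = "server" if SERVER in types else "signon" if SIGNON in types else None
        if mode is None or not uris:
            continue  # not an OpenID 2.0 service entry; ignore it
        prio = int(svc.get("priority", 10**9))  # missing priority sorts last
        if best is None or prio < best["priority"]:
            best = {"mode": mode, "uris": uris, "canonical_id": canonical,
                    "priority": prio}
    return best

def start_login(user_supplied_url, fetch=fake_fetch):
    """Slides 2 and 4: a 'server' endpoint means the RP does not yet know the
    user's identifier, so it sends identifier_select and lets the OP pick one."""
    doc = fetch(user_supplied_url)
    svc = parse_xrds(doc) if doc else None
    if svc is None:
        return None
    if svc["mode"] == "server":
        claimed = identity = IDENTIFIER_SELECT
    else:
        claimed = identity = svc["canonical_id"] or user_supplied_url
    return {"openid.mode": "checkid_setup", "openid.claimed_id": claimed,
            "openid.identity": identity, "openid.op_endpoint": svc["uris"][0]}

def verify_assertion(assertion, fetch=fake_fetch):
    """Slides 5 and 7: after a positive assertion the RP re-runs discovery on the
    returned claimed_id.  That document is fetched from the claimed identifier's
    own host (example.com), so Google alone cannot vouch for an example.com id."""
    claimed = assertion.get("openid.claimed_id", "")
    endpoint = assertion.get("openid.op_endpoint", "")
    if not claimed or claimed == IDENTIFIER_SELECT:
        return False, "assertion carries no concrete claimed_id"
    doc = fetch(claimed)
    svc = parse_xrds(doc) if doc else None
    if svc is None or svc["mode"] != "signon":
        return False, "no signon discovery document at claimed_id"
    if svc["canonical_id"] and svc["canonical_id"] != claimed:
        return False, "CanonicalID does not match claimed_id"
    if endpoint not in svc["uris"]:
        return False, "op_endpoint not listed by discovery for claimed_id"
    return True, "ok"
```

Calling start_login with the bare Google URL yields a request whose claimed_id and identity are identifier_select (the id_select process), while the example.com identifier yields a plain signon request. verify_assertion rejects an assertion whose claimed_id has no hosted discovery document, or whose op_endpoint is not the one that document lists, which is exactly the gap the slides say self-hosted discovery information closes.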

Page 8: Google Apps Account as OpenID

Google’s Discovery Proposal for Hosted Domains

Something involving a special file located at “/.well-known/host-meta”

Won’t work on current OpenID ecosystems unless you patch your RP library with the Google-supplied extension.
– http://code.google.com/googleapps/marketplace/sso.html#gs

Not sure how it solves “Google might be lying”

Page 9: Google Apps Account as OpenID

On User Interface

Trigger the “id_select” process whenever possible
– URLs mean little to average users
– Entering username and password in different steps seems strange

Possible UI
– “Enter your E-mail to continue”
– Buttons

Beware of the NASCAR effect

Page 10: Google Apps Account as OpenID
Page 11: Google Apps Account as OpenID

example.com/jsmith

[email protected]

example.com

jsmith.example.com

Page 12: Google Apps Account as OpenID

Q&A