发表新帖
发表新帖

OpenID Connect delegation with Google now that they are deprecating their OpenID2 provider?

后端 未结
关注
3 1711
醉酒成梦
醉酒成梦 2020-12-14 15:22

For years I have used OpenID delegation to log in to Stack Overflow (among other sites) using my own URI as OpenID but having Google handle the authentication. I use the te

相关标签:
3条回答
  • 甜味超标
    2020-12-14 15:54

    Switching your OpenID provider from Google to Yahoo! on your site might work for you, until Yahoo! stops its OpenID 2.0 feature.

    However, if you are OK for Nat's 1st suggestion, it would be more stable way for longer time.

    0 讨论(0)
  • 时光取名叫无心
    2020-12-14 16:03

    Assuming that you want to use your own domain as the user supplied login identifier --

    1. Go to https://stackoverflow.com/users/login-add?returnUrl=%2Fusers%2Fcurrent and Add a login using Google. This will add Google OpenID Connect identifier to your account.
    2. Host OpenID Connect discovery document at your domain (see http://openid.net/specs/openid-connect-discovery-1_0.html#URLSyntax for details.)
    3. Wait till StackOverflow start supporting OpenID Connect discovery
    4. Use http://tupelo-schneck.org/robert as the user identifier

    In addition, if StackOverflow supports OpenID Connect Migration 1.0, and assuming that Google returns your custom domain claimed_id in the Migration response, then:

    1. Host the JSON document as described in http://openid.net/specs/openid-connect-migration-1_0.html#VerifyOPAuthority in your domain.

    would smooth your way.

    0 讨论(0)
  • 栀梦
    2020-12-14 16:11

    OpenID Connect only supports Discovery that is meant to find your Provider based on some hint you give it (e-mail, account, URL, domain etc.); it won't give you a persistent identifier for which you can delegate authentication to a configurable Provider of your choice.

    So if you only want to use a custom URI to find your provider, you can use the approach that Nat gave (except for the last bit that Google does not and can not do and assuming that SO supports Discovery).

    But if you want true delegation, so that RPs can use an identifier returned by the OP that is persistent over different OPs that you delegate to, then you can't.

    For StackOverflow you probably don't need either one of those: SO uses its own primary identifier/account and you can link several accounts to that, including Google's. Only if SO would have used your custom URI as its primary identifier you would have had a problem. In this case there's no problem and you can:

    1. use the Google login button, or
    2. type your custom URI in the OpenID URL entry box, assuming both you and have implemented Discovery

    But both 1. and 2. really yield the same result: they find out that Google is where you want to authenticate.

    0 讨论(0)
 看不清?
提交回复
热议问题