Develop: Transfer Google Open ID to Google OAuth

Does anyone know how to do this? I am basically trying to replace the "Connect With Google" strategy from OpenID to OAuth. The challenge is to identify the old user (a user with a Google OpenID) when the user signs up under the new OAuth scheme.

I have a working implementation that relies on an email address as the primary key, as the OpenID strategy captures this. The problem is that I do not want to request email in the OAuth flow. The ideal value is just a Google user ID, but the OpenID strategy does not seem to capture this.

So, I have OpenIDs like https://www.google.com/accounts/o8/id?id=AfSCwGQ4PUaidXSQddJugXKLqU5V0MrXFhJM6UHybPw and am trying to figure out if I can get a Google ID from it.

UPDATE: I explained how I ended this migration - http://softwareas.com/migrating-user-accounts-from-google-openid-to-google-oauth-to-google-plus

2 answers

Google uses directed identifiers for OpenID, which are unique to each relying party and are explicitly intended to hide any comparable identifier for the user. So the short answer is: there is no way to get the Google ID that matches this Google OpenID.

However, one option would be to use the Google OpenID + OAuth Hybrid flow. This allows you to retrieve the OAuth token as part of a regular OpenID flow, which you can then use to get the user ID from the OAuth2 Login API, which you can then associate with an existing account. After you have done this for all of your existing users, go directly to using OAuth2 login.

The catch, of course, is that this approach forces all your users to log in again so you can send them through the new flow. It comes down to how much time you are ready to wait to transfer accounts, and whether you want to prompt existing users by sending them an email and asking them to log in again (similar to a forced password reset).


We do not have a strategy ready today that allows the user to see another approval page.

However, instead of trying to use a hybrid OAuth1-based flow and add all this legacy code to this server, I would suggest that you simply map the email address and switch to OAuth2 login. I assume that you are like most sites that end up asking for an email address because they usually want it to recover their account. Just make sure you get the email address from OpenID as one of the signed options.

Then use the userinfo.email scope and OAuth2 Login https://developers.google.com/accounts/docs/OAuth2Login , and you will be able to port with less development cost.

In addition, we are adding support for OpenID Connect, and it supports the login_hint parameter, so you can add &login_hint=bob@gmail.com to the authorization URL and it will steer the approval to the correct account. This is not documented right now, but it may be useful for you to try. A user's browser can be logged in to Google with multiple accounts and you want to try and get the right one. Always check the email you receive from the OAuth2 flow to make sure it matches, as this is just a hint.

Users will still have to re-authorize for OAuth2, but we have plans to skip this re-authorization in the future. The main thing is to plan the use of OAuth2, and we hope to complete a smooth migration soon, and you will find yourself on a supported protocol.

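Added example, not part of either answer or of Google's code: a sketch of the email-based migration the second answer describes, which sends `login_hint`, then binds the stable Google user ID to the legacy OpenID account only when the returned email is verified and matches. The account records, the `link_account` and `build_auth_url` helpers, the status strings and the userinfo field names (`id`, `email`, `verified_email`) are assumptions for illustration.

```python
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
EMAIL_SCOPE = "https://www.googleapis.com/auth/userinfo.email"

# Constructed legacy records: email captured from the signed OpenID response.
ACCOUNTS = [
    {"openid": "https://www.google.com/accounts/o8/id?id=EXAMPLE-1",
     "openid_email": "bob@gmail.com", "google_id": None},
    {"openid": "https://www.google.com/accounts/o8/id?id=EXAMPLE-2",
     "openid_email": "alice@gmail.com", "google_id": None},
]

def build_auth_url(client_id, redirect_uri, state, login_hint=None):
    """OAuth2 login URL; login_hint only suggests which account to approve."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": EMAIL_SCOPE, "state": state}
    if login_hint:
        params["login_hint"] = login_hint
    return AUTH_ENDPOINT + "?" + urlencode(params)

def norm(email):
    # Assumption: case-insensitive comparison is acceptable for these addresses.
    return (email or "").strip().lower()

def link_account(accounts, userinfo, hinted_email=None):
    """Bind the Google user ID to a legacy account. Returns (status, account)."""
    email = norm(userinfo.get("email"))
    # The hint is advisory: the user may have approved a different account.
    if hinted_email and norm(hinted_email) != email:
        return "rejected_hint_mismatch", None
    # Once linked, the stable Google ID is the key, not the email.
    for acct in accounts:
        if acct["google_id"] == userinfo["id"]:
            return "already_linked", acct
    # Only a verified email may claim an unlinked legacy account.
    if not email or not userinfo.get("verified_email"):
        return "rejected_unverified_email", None
    matches = [a for a in accounts
               if norm(a["openid_email"]) == email and a["google_id"] is None]
    if len(matches) != 1:
        return "no_unique_match", None
    matches[0]["google_id"] = userinfo["id"]
    return "linked", matches[0]
```

After the first successful link, later sign-ins resolve by `google_id`, so the email is needed only during the migration window.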
