Google OpenId Connect migration: getting openid_id in ASP.NET application

I went through a lot of Google documentation and SO Q/A, but no luck. I wonder if someone has successfully used OpenId migration for OpenId Connect, as reported by Google.

This is what we did before:

IAuthenticationResponse response = _openid.GetResponse();
if (response != null) {
   //omitted for brevity       
} else {
   IAuthenticationRequest req = _openid.CreateRequest("https://www.google.com/accounts/o8/id");
   req.AddExtension(new ClaimsRequest
                    {
                        Country = DemandLevel.Request,
                        Email = DemandLevel.Request,
                        Gender = DemandLevel.Require,
                        PostalCode = DemandLevel.Require,
                        TimeZone = DemandLevel.Require
                    });
   req.RedirectToProvider();
}

This was done using a version of DotNetOpenAuth that dates back several years. Since Google has deprecated OpenId authentication, we are trying to upgrade to OpenID Connect. The key question is: can I somehow access the OpenId ID (in the form https://www.google.com/accounts/o8/id?id=xyz) using the latest version of DotNetOpenAuth or in other ways?

[...] DotNetOpenAuth [...] ([...]). [...] Javascript, [...] URL ([...]):

https://accounts.google.com/o/oauth2/auth?
    scope=openid%20profile%20email
    &openid.realm=http://localhost/palkkac/
    &client_id=//here is the client id I created in google developer console
    &redirect_uri=http://localhost/palkkac/someaspxpagehere
    &response_type=id_token%20token

([...] Fiddler) [...], DotNetOpenAuth, http://localhost/palkkac/. [...] url [...]. [...] realm URL [...].

[...] id_token ([...] https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=zyx), [...]:

audience    "client id is here"
email   "mikkark@gmail.com"
expires_in  3597
issued_at   //some numbers here
issued_to   "client id is here"
issuer  "accounts.google.com"
user_id     "here is a sequence of numbers, my id in the OpenID Connect format that is"
verified_email  true

[...] openid_id, [...] Google, [...]. [...]?

[...]: https://developers.google.com/accounts/docs/OpenID. [...] 2, [...]. [...] 3 [...] openid_id, [...].

Google, [...] URL [...], javascript, Google dev [...]. [...].

[...]: [...]. [...] Javascript Google HTTPS ([...]).

[...] Javascript:

  • (https://stackoverflow.com/questions/22842475/migrating-google-openid-to-openid-connect-openid-id-does-not-match) [...] OpenId2.0. [...].
  • [...] openid_id [...] id_token [...] Google, [...] DotNetOpenAuth.
  • [...] Google openid_id.

[...] GoogleAuthentication [...] owin.

app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
{
    SignInAsAuthenticationType = signAs,
    AuthenticationType = "Google",
    ClientId = "xxx.apps.googleusercontent.com",
    ClientSecret = "xx",
    CallbackPath = PathString.FromUriComponent("/oauth2callback"),
    Provider = new GoogleOAuth2AuthenticationProvider
    {
        OnApplyRedirect = context =>
        {
            // openid.realm must be exactly the realm the old OpenID 2.0 login used.
            // DotNetOpenAuth adds a trailing slash by default, so keep it here as well.
            context.Response.Redirect(context.RedirectUri + "&openid.realm=https://mydomain.com/");
        }
    },
    BackchannelHttpHandler = new MyWebRequestHandler()
});

MyWebRequestHandler:

using System;
using System.Diagnostics;
using System.IdentityModel.Tokens;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Newtonsoft.Json.Linq;

public class MyWebRequestHandler : WebRequestHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var httpResponse = await base.SendAsync(request, cancellationToken);

        // The userinfo call carries no id_token; only the token endpoint response does.
        if (request.RequestUri == new Uri("https://www.googleapis.com/plus/v1/people/me")) return httpResponse;
        if (!httpResponse.IsSuccessStatusCode) return httpResponse;

        // Read the discovery document to get the signing tokens (todo: should be cached or hard coded).
        var configuration = await OpenIdConnectConfigurationRetriever.GetAsync("https://accounts.google.com/.well-known/openid-configuration", cancellationToken);

        // Google is unclear here: openid_id is not in the access_token but in the id_token.
        // As the middleware does not expose the id_token, we need to parse it again.
        // ReadAsStringAsync buffers the content, so the middleware can still read it afterwards.
        var body = await httpResponse.Content.ReadAsStringAsync();
        JObject response = JObject.Parse(body);
        string idToken = response.Value<string>("id_token");
        if (string.IsNullOrEmpty(idToken)) return httpResponse;

        JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();

        try
        {
            SecurityToken token;
            var claims = tokenHandler.ValidateToken(idToken, new TokenValidationParameters()
            {
                ValidAudience = "xxx.apps.googleusercontent.com",
                // Google has issued id_tokens with either spelling of its issuer.
                ValidIssuers = new[] { "accounts.google.com", "https://accounts.google.com" },
                IssuerSigningTokens = configuration.SigningTokens
            }, out token);

            var claim = claims.FindFirst("openid_id");
            // claim.Value will contain the old OpenID identifier
            if (claim != null) Debug.WriteLine(claim.Value);
        }
        catch (Exception ex)
        {
            // A failed signature, issuer, audience or lifetime check lands here;
            // the token must not be trusted in that case.
            Debug.WriteLine(ex.ToString());
        }
        return httpResponse;
    }
}

[...] https://katanaproject.codeplex.com/workitem/359

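The answer's handler validates the id_token inline and leaves the signing-key fetch as a todo. As an added example (not code from the question or the answer above), the same validation in a reusable class: the discovery document is cached by ConfigurationManager, both forms of Google's issuer are accepted, and the claims are read from the validated token so that the handler's inbound claim-type mapping (which renames "sub" and "email" on the ClaimsPrincipal) does not get in the way. It assumes the same packages the answer uses (System.IdentityModel.Tokens.Jwt 4.x and Microsoft.IdentityModel.Protocol.Extensions 1.x) and that openid.realm was sent on the authorization request, as in the answer's OnApplyRedirect; the class, Identity and ClaimValue names are mine.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;

// Added example, not code from the question or the answer. Assumes
// System.IdentityModel.Tokens.Jwt 4.x and Microsoft.IdentityModel.Protocol.Extensions 1.x.
public sealed class GoogleIdTokenValidator
{
    // Caches Google's discovery document (and the signing keys it points to)
    // and refreshes it on its own schedule instead of fetching it on every login.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> Configuration =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            "https://accounts.google.com/.well-known/openid-configuration");

    // The prefix every OpenID 2.0 identifier issued by Google had.
    private const string OpenId2Prefix = "https://www.google.com/accounts/o8/id?id=";

    private readonly string _clientId;

    public GoogleIdTokenValidator(string clientId)
    {
        _clientId = clientId;
    }

    public sealed class Identity
    {
        public string Subject { get; set; }   // "sub": the stable OpenID Connect id; store this going forward
        public string OpenIdId { get; set; }  // "openid_id": only present when openid.realm was sent on the auth request
        public string Email { get; set; }
        public bool EmailVerified { get; set; }
    }

    public async Task<Identity> ValidateAsync(string idToken, CancellationToken cancellationToken)
    {
        OpenIdConnectConfiguration config = await Configuration.GetConfigurationAsync(cancellationToken);

        var parameters = new TokenValidationParameters
        {
            ValidAudience = _clientId,
            // Google has used both spellings of its issuer; accept either, nothing else.
            ValidIssuers = new[] { "accounts.google.com", "https://accounts.google.com" },
            IssuerSigningTokens = config.SigningTokens,
            ValidateLifetime = true
        };

        // Throws SecurityTokenValidationException (or a subclass) on a bad signature,
        // wrong audience or issuer, or an expired token.
        SecurityToken validated;
        new JwtSecurityTokenHandler().ValidateToken(idToken, parameters, out validated);

        // Read claims off the validated JwtSecurityToken, which keeps the raw JWT claim
        // names; the ClaimsPrincipal returned by ValidateToken has "sub" and "email"
        // renamed to ClaimTypes.NameIdentifier / ClaimTypes.Email.
        var jwt = (JwtSecurityToken)validated;
        var identity = new Identity
        {
            Subject = jwt.Subject,
            OpenIdId = ClaimValue(jwt, "openid_id"),
            Email = ClaimValue(jwt, "email"),
            // Boolean claims surface as "True"/"true" depending on the library version.
            EmailVerified = string.Equals(ClaimValue(jwt, "email_verified"), "true", StringComparison.OrdinalIgnoreCase)
        };

        if (string.IsNullOrEmpty(identity.Subject))
            throw new SecurityTokenValidationException("id_token has no sub claim");

        // Only link an existing account on an identifier of the shape the old
        // DotNetOpenAuth login stored; anything else is refused rather than guessed at.
        if (identity.OpenIdId != null && !identity.OpenIdId.StartsWith(OpenId2Prefix, StringComparison.Ordinal))
            throw new SecurityTokenValidationException("Unexpected openid_id: " + identity.OpenIdId);

        return identity;
    }

    private static string ClaimValue(JwtSecurityToken jwt, string type)
    {
        var claim = jwt.Claims.FirstOrDefault(c => c.Type == type);
        return claim == null ? null : claim.Value;
    }
}
```

Typical use is to look the user up by OpenIdId on the first OpenID Connect login, write Subject to the user record, and key every later login on Subject alone; the realm parameter and the openid_id claim exist for the migration, not as a permanent identifier, so the lookup by OpenIdId should be the fallback path, not the primary one.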
