Google is updating its implementation of OpenID Connect to be fully compliant; will it break anything for me?

Google has updated its OpenID Connect endpoints to be fully spec-compliant as part of OpenID Certification. I rely on OpenID Connect to sign my users in with Google. Do I need to do something as a relying party to avoid disruption due to these changes?

+3




2 answers


It depends on how you are using OpenID Connect with Google. If you do dynamic discovery by fetching https://accounts.google.com/.well-known/openid-configuration as recommended by the docs, then your servers' interaction with Google will change, but you will only be affected if your implementation cannot handle the newer, more compliant responses.

On the other hand, if you've hard-coded the various endpoints directly (i.e. the auth and token endpoints), then you are isolated from these changes, but you should consider moving to the new endpoints.

Major changes in the new endpoints include:

  • The ID token issuer (the `iss` claim) changes from `accounts.google.com` to `https://accounts.google.com` (during the transition period, you must accept either value).
  • If your `response_type` includes `id_token`, you must include a `nonce`, or your requests will fail with a hard error.


If you are using a spec-compliant OpenID Connect library, in theory everything should work as before.

To avoid potential issues during the migration period (or if your site breaks suddenly), you can point your code at the following URL to get the previous discovery document: https://google.com/accounts/o8/well-known-openid-configuration-old.json (or hard-code the auth and token endpoints internally using the values it contains). As this document points to the older versions of the endpoints, you will get the old behavior. You can then test your products against the latest endpoints (as shown in the current discovery document) at your leisure.

To compare the differences, or to view the full new and old documents, see the linked comparison.

+4


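The two migration points in the answer above (accept both issuer spellings during the transition; always send and verify a `nonce` when `response_type` includes `id_token`) translate into a couple of relying-party checks. The following is an added example, not code from the answer or from Google: the discovery document, endpoint URLs and client ID are constructed placeholders, and signature verification of the ID token is assumed to have been done already by a JWT library, so only the claim checks are shown.

```python
"""Added example (not from the answer above or from Google): relying-party
checks for the issuer transition and the nonce requirement.  The ID token's
signature is assumed to be verified by a JWT library before these claim
checks run.  All URLs and IDs below are constructed placeholders."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Both issuer spellings must be accepted during the transition period.
ACCEPTED_ISSUERS = frozenset({"accounts.google.com", "https://accounts.google.com"})

# Constructed stand-in for the discovery document a relying party fetches
# from https://accounts.google.com/.well-known/openid-configuration.
SAMPLE_DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://idp.example.invalid/auth",  # placeholder
    "token_endpoint": "https://idp.example.invalid/token",         # placeholder
}


def build_auth_request(discovery, client_id, redirect_uri, response_type,
                       scope="openid email"):
    """Build the authorization URL.  Whenever response_type includes id_token
    a fresh nonce is generated and sent, as the new endpoints require.  The
    caller must keep the returned state and nonce in the user's session so
    that the response can be matched against them."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": scope,
        "state": secrets.token_urlsafe(16),
    }
    nonce = None
    if "id_token" in response_type.split():
        nonce = secrets.token_urlsafe(16)
        params["nonce"] = nonce
    url = discovery["authorization_endpoint"] + "?" + urlencode(params)
    return {"url": url, "state": params["state"], "nonce": nonce}


def query_params(url):
    """Return the query string of a URL as a {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_id_token_claims(claims, client_id, expected_nonce=None, now=None):
    """Return a list of problems with the (already signature-verified) ID
    token claims; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in ACCEPTED_ISSUERS:
        problems.append("unexpected issuer: %r" % claims.get("iss"))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or has no exp")
    # If a nonce was sent with the request it must come back unchanged.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    if not claims.get("sub"):
        problems.append("missing sub")
    return problems


if __name__ == "__main__":
    req = build_auth_request(SAMPLE_DISCOVERY, "client-123",
                             "https://rp.example.invalid/cb", "code id_token")
    print(req["url"])
    now = 1_700_000_000
    claims = {"iss": "accounts.google.com", "aud": "client-123",
              "exp": now + 300, "nonce": req["nonce"], "sub": "constructed-subject"}
    print(check_id_token_claims(claims, "client-123", req["nonce"], now))  # []
```

Once the transition period ends, shrinking `ACCEPTED_ISSUERS` to the single `https://accounts.google.com` value is the only change needed; the nonce handling stays as it is, since a nonce bound to the session is what stops a replayed ID token from being accepted.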


Well, I guess that's why, when I log in to https://myapps.developer.ubuntu.com/, I get the following message: "OpenID error with disabled account".

I noticed the following message on the Google developer website: "Important: OpenID 2.0 is no longer supported. If your application uses OpenID 2.0, you must migrate your application by the April 20, 2015 shutdown date as shown in the migration schedule."



So my question is, is it Ubuntu that should keep this stuff up to date on their servers?

0








