Google OpenID deprecation #117
Comments
I have run into this problem too. I'm currently slogging through Google's docs and sample code, and will try using friend-oauth2 with it. Might get lucky, who knows.
Update: I figured it out (took about 8 hours). It seems to work well. I started from https://github.com/ddellacosta/friend-oauth2-examples/blob/master/src/friend_oauth2_examples/google_handler.clj, and then created an :access-token-parsefn that decodes the json, pulls out the :id_token, jwt unencodes it (example here https://github.com/kenrestivo/utilza/blob/master/src/utilza/jwt.clj), and returns that map. And there you have the email address and anything else you requested. You can read that in your credential function (I needed to compare the email to what was in the db). I'll probably put up an example or add it to friend-oauth2-examples just to save people grief.
And here is a patch that seems to work so far: Not very heavily tested, but it works without requiring any changes to friend-oauth2 anyway. Apologies, the patch is complected with a bunch of debug stuff that made working on this a bit more pleasant.
Thanks for this @kenrestivo, I haven't got time to look into it at the moment, but when I get around to it this will be really useful.
To answer the original question, yes, the discontinuation of Google's OpenId 2.0 endpoint is a pretty big blow to that mechanism in general. There are plenty of other identity providers that support OpenId 2.0, so the existing workflow will remain where it is. Officially supporting some kind of google login in friend would be great, but I don't have the bandwidth to work on it now. I'd love to see an easy-to-use solution pop up in the community (probably based on friend-oauth2 as @kenrestivo's prototype seems to). I'll be happy to recommend it if one should emerge.
I didn't want to pull in any other dependencies, so I wrote a handler (just for google oauth2 + JWT). A stripped example is available here. It requires the commons-codex that is already needed by friend-oauth2, but nothing else. Note that it seems rare at this point for libraries that handle JWT tokens to actually verify the token matches its signature. The gist above does so.
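The id_token handling the two comments above describe (decode the JWT, read the email claim, and actually check the signature before trusting anything) as an added Go example; this is not code from the thread, from friend-oauth2 or from the gist, and `demoKey`, the `client-123` audience and the claim values are constructed stand-ins for Google's signing key and a real token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims: the id_token fields a credential-fn wants (email) plus the two that must be checked; encoding/json matches the lowercase "iss"/"aud"/"email" keys case-insensitively.
type Claims struct{ Iss, Aud, Email string }

var enc = base64.RawURLEncoding                     // JWT segments are base64url without padding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed key standing in for Google's signing key

// VerifyIDToken checks the RS256 signature before trusting any claim, then issuer and audience. In real use pub comes from Google's published certs.
func VerifyIDToken(pub *rsa.PublicKey, token, wantAud string) (*Claims, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := enc.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed header or alg != RS256") // also rejects alg=none and HMAC key confusion
	}
	sig, err := enc.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1])) // the signature covers header.payload exactly as received
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature does not match")
	}
	var c Claims
	if pb, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if (c.Iss != "accounts.google.com" && c.Iss != "https://accounts.google.com") || c.Aud != wantAud {
		return nil, errors.New("issuer or audience mismatch")
	}
	return &c, nil
}

// SignIDToken mints an RS256 token; a constructed stand-in for Google's signer so the demo runs offline.
func SignIDToken(key *rsa.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(map[string]string{"iss": c.Iss, "aud": c.Aud, "email": c.Email})
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig)
}
```

A credential-fn would call VerifyIDToken and only then compare the returned Email against the database, as the first comment does.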
I tried ddellacosta/friend-oauth2 and it worked fine. It only goes so far to get an access token (different every time) and leaves the user with the task to fetch the real identity. I wrote a little demo which retrieves the identity in the credential-fn, though I think it would be better to incorporate this in the workflow.
Since we need this in multiple projects, we thought that it might be useful to have it packaged up as a ready-to-go workflow. We used Google's own libraries to verify the tokens which automatically handles fetching and caching the certs. We've released it at Mayvenn/friend-google-openid so that others won't have to spend hours implementing.
Thanks @corey. Sorry to not recognize your work earlier, but it's important. Given #45 (comment), I'm considering this issue closed as of 0.3.0.
Is the OpenID workflow affected by Google's deprecation of OpenID 2.0?
I.e. will logging in with a Google account stop working when Google shuts down the OpenID 2.0 service (on April 20th next year according to the timeline)?
If not, are there any existing workflows that will work with Google after this time?