This repository has been archived by the owner on Mar 8, 2021. It is now read-only.

Google OpenID deprecation #117

Closed
emlyn opened this issue Aug 11, 2014 · 9 comments

@emlyn

emlyn commented Aug 11, 2014

Is the OpenID workflow affected by Google's deprecation of OpenID 2.0?

I.e. will logging in with a Google account stop working when Google shuts down the OpenID 2.0 service (on April 20th next year according to the timeline)?

If not, are there any existing workflows that will work with Google after this time?

@kenrestivo
Contributor

I have run into this problem too. I'm currently slogging through Google's docs and sample code, and will try using friend-oauth2 with it. Might get lucky, who knows.

@kenrestivo
Contributor

Update: I figured it out (took about 8 hours). It seems to work well.

I started from https://github.com/ddellacosta/friend-oauth2-examples/blob/master/src/friend_oauth2_examples/google_handler.clj, and then created an :access-token-parsefn that decodes the JSON, pulls out the :id_token, JWT unencodes it (example here https://github.com/kenrestivo/utilza/blob/master/src/utilza/jwt.clj), and returns that map. And there you have the email address and anything else you requested. You can read that in your credential function (I needed to compare the email to what was in the DB).

I'll probably put up an example or add it to friend-oauth2-examples just to save people grief.

@kenrestivo
Contributor

And here is a patch that seems to work so far:
kenrestivo/friend-oauth2-examples@78f6f78

Not very heavily tested, but it works without requiring any changes to friend-oauth2 anyway.

Apologies, the patch is complected with a bunch of debug stuff that made working on this a bit more pleasant.

@emlyn
Author

emlyn commented Sep 18, 2014

Thanks for this @kenrestivo, I haven't got time to look into it at the moment, but when I get around to it this will be really useful.

@cemerick
Owner

To answer the original question, yes, the discontinuation of Google's OpenId 2.0 endpoint is a pretty big blow to that mechanism in general. There are plenty of other identity providers that support OpenId 2.0, so the existing workflow will remain where it is.

Officially supporting some kind of google login in friend would be great, but I don't have the bandwidth to work on it now. I'd love to see an easy-to-use solution pop up in the community (probably based on friend-oauth2 as @kenrestivo's prototype seems to). I'll be happy to recommend it if one should emerge.

@jwhitlark

I didn't want to pull in any other dependencies, so I wrote a handler (just for Google OAuth2 + JWT). A stripped example is available here. It requires the commons-codec that is already needed by friend-oauth2, but nothing else.

Note that it seems rare at this point for libraries that handle JWT tokens to actually verify the token matches its signature. The gist above does so.
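The difference between decoding an id_token and verifying it, as an added example that is not code from this thread or from any of the linked projects. The namespace and function names are hypothetical, and the key pair and tokens are constructed locally so the code runs offline; a real workflow verifies against the identity provider's published public key instead.

```clojure
(ns example.id-token-verify
  (:require [clojure.string :as str])
  (:import (java.security KeyPairGenerator PrivateKey PublicKey Signature)
           (java.util Base64)))

(defn- b64url-decode ^bytes [^String s]
  (.decode (Base64/getUrlDecoder) s))

(defn- b64url-encode ^String [^bytes bs]
  (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) bs))

(defn decode-unverified
  "Payload JSON of a JWT with no signature check: attacker-controlled input."
  [token]
  (String. (b64url-decode (second (str/split token #"\."))) "UTF-8"))

(defn verify-rs256
  "Payload JSON if the signature verifies under public-key, else nil.
  The algorithm is pinned to RS256 here, never taken from the token header."
  [token ^PublicKey public-key]
  (let [[header payload sig :as parts] (str/split token #"\.")]
    (when (= 3 (count parts))
      (try
        (let [verifier (doto (Signature/getInstance "SHA256withRSA")
                         (.initVerify public-key)
                         (.update (.getBytes (str header "." payload) "US-ASCII")))]
          (when (.verify verifier (b64url-decode sig))
            (String. (b64url-decode payload) "UTF-8")))
        (catch Exception _ nil)))))

(defn- sign-rs256
  "Test helper: builds a signed token from constructed JSON strings."
  [^PrivateKey private-key ^String header-json ^String payload-json]
  (let [input (str (b64url-encode (.getBytes header-json "UTF-8")) "."
                   (b64url-encode (.getBytes payload-json "UTF-8")))
        signer (doto (Signature/getInstance "SHA256withRSA")
                 (.initSign private-key)
                 (.update (.getBytes input "US-ASCII")))]
    (str input "." (b64url-encode (.sign signer)))))

;; Constructed key pair and tokens; a real verifier uses the provider's published key.
(let [kp     (.generateKeyPair (doto (KeyPairGenerator/getInstance "RSA") (.initialize 2048)))
      good   (sign-rs256 (.getPrivate kp) "{\"alg\":\"RS256\"}" "{\"email\":\"alice@example.com\"}")
      [h _ s] (str/split good #"\.")
      forged (str h "." (b64url-encode (.getBytes "{\"email\":\"admin@example.com\"}" "UTF-8")) "." s)]
  (println "verified, genuine:" (verify-rs256 good (.getPublic kp)))
  (println "decoded,  forged: " (decode-unverified forged))
  (println "verified, forged: " (verify-rs256 forged (.getPublic kp))))
```

A valid signature is only the first check: the `aud`, `iss` and `exp` claims in the returned payload still have to be validated before the email is trusted in a credential function.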

@kolov
Contributor

kolov commented Apr 16, 2015

I tried ddellacosta/friend-oauth2 and it worked fine. It only goes so far as to get an access token (different every time) and leaves the user with the task of fetching the real identity. I wrote a little demo which retrieves the identity in the credential-fn, though I think it would be better to incorporate this in the workflow.

@corey

corey commented Sep 4, 2015

Since we need this in multiple projects, we thought that it might be useful to have it packaged up as a ready-to-go workflow. We used Google's own libraries to verify the tokens, which automatically handle fetching and caching the certs.

We've released it at Mayvenn/friend-google-openid so that others won't have to spend hours implementing.

@cemerick
Owner

cemerick commented Jan 5, 2017

Thanks @corey. Sorry to not recognize your work earlier, but it's important.

Given #45 (comment), I'm considering this issue closed as of 0.3.0.

@cemerick cemerick closed this as completed Jan 5, 2017
@cemerick cemerick added this to the 0.3.0 milestone Jan 5, 2017