Question

I am trying to do OmniAuth OpenID with Google Apps in Ruby on Rails. I know it should work out-of-the-box if I specify ":identifier => 'https://www.google.com/accounts/o8/site-xrds?hd=example.com'" where example.com is the domain that my targeted users come from.

The user can get redirected to Google when accessing /auth/google without a problem, and this openid.identity can be returned from Google:

... &openid.identity=http://example.com/openid?id=xxxxxxxxxxxxxxxxxxxxxxx ...

However, the example.com I am working with does not have the correct "rel='openid2.provider'" <link /> tags set up at http://example.com/, therefore the discovery fails when omniauth-openid tries to check with Google again.

Is there a quick and clean way to work around the default discovery behavior so that I can define https://www.google.com/a/example.com/o8/ud?be=o8 as the server directly without performing the automatic discovery?

Thanks!

Solution

I think omniauth-openid uses ruby-openid. If so, you should be able to get it to work easily:

gem install ruby-openid-apps-discovery

Then throw this in somewhere before making the request:

require 'gapps_openid'

Google Apps has a slightly different discovery protocol, which is what that gem provides.

OTHER TIPS

Before using the gem that Steve recommended, I came up with a workaround to make the entire discovery process happen locally only, which I find might be useful to some people. If you only accept users from a single Google Apps domain, you might want to:

  1. Add a line like 127.0.0.1 example.com in your /etc/hosts.

  2. Set up a lightweight HTTP server like nginx, create a file called openid (do not append .html), and add your <link rel="openid2.provider" ... > tag there.

This is slightly faster than using ruby-openid-apps-discovery since it saves your application from sending some requests to an external https server.
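
A stand-alone check for the discovery document described in the workaround above, added here as an example and not taken from the original answers or from ruby-openid: it extracts the openid2.provider link and accepts a claimed identifier only when it sits on the single allowed domain and the document names exactly the pinned endpoint. ALLOWED_DOMAIN, EXPECTED_ENDPOINT, the function names and the sample HTML are assumptions constructed for illustration.

```ruby
require 'uri'

# Assumed values: example.com is the placeholder domain used in the question.
ALLOWED_DOMAIN    = 'example.com'
EXPECTED_ENDPOINT = "https://www.google.com/a/#{ALLOWED_DOMAIN}/o8/ud?be=o8"

# Constructed sample of the file the workaround serves at /openid.
SAMPLE_HTML = <<~HTML
  <html><head>
    <link rel="openid2.provider" href="https://www.google.com/a/example.com/o8/ud?be=o8">
  </head></html>
HTML

# Return the href of every <link> tag whose rel list contains openid2.provider.
def openid2_providers(html)
  html.scan(/<link\b[^>]*>/i).filter_map do |tag|
    attrs = tag.scan(/([\w.:-]+)\s*=\s*["']([^"']*)["']/)
               .to_h { |name, value| [name.downcase, value] }
    rels = attrs.fetch('rel', '').downcase.split
    attrs['href'] if rels.include?('openid2.provider')
  end
end

# Accept a claimed identifier only if it is an http(s) URL on the allowed
# domain, uses the /openid path, and the discovery document advertises the
# pinned endpoint and nothing else.
def acceptable?(claimed_id, discovery_html)
  uri = URI.parse(claimed_id)
  return false unless %w[http https].include?(uri.scheme)
  return false unless uri.host&.downcase == ALLOWED_DOMAIN
  return false unless uri.path == '/openid'

  openid2_providers(discovery_html) == [EXPECTED_ENDPOINT]
rescue URI::InvalidURIError
  false
end
```

Passing a page without the link tag reproduces the discovery failure described in the question: the provider list is empty and the identifier is rejected.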

Licensed under: CC-BY-SA with attribution