Google Apps domain as OpenID provider
05-07-2019
Question
1. How can I make my Google Apps domain an OpenID provider? Is there any documentation, tutorial, or working example?
2. How do I authenticate users in my own application using Google Apps domain authentication (I mean without OpenID)? I've heard that it has something to do with the gdata API, but I don't know where to start. Are there any useful tutorials, how-tos or working examples?
I would like to know about free or open source solutions.
Solution
You don't have to do anything to make your Google Apps domain an OpenID provider. BUT, Google's special OpenID service for Apps for Domains requires OpenID relying parties to implement a special (proprietary) discovery mechanism, and most RPs don't [yet]. So, if you're testing against that, it won't work.
One way to test is to go to an OpenID RP that uses RPXNow. RPX is one of those RPs that do accept Google's new discovery mechanism. jyte.com, for example. Try logging in there.
OTHER TIPS
Regarding question number 1, I've been working on this for the past few days now.
Check it out here: How do you delegate your OpenId to Google Apps
It appears Google doesn't allow delegation, so you can't just put the meta information in the header of your document. I believe you have to create a file called yourdomain.com/.well-known/host-meta that points to the XRDS file on the Google server. It's explained better on the discovery API page. Sorry, that's all jargon, but I don't know how otherwise to explain it.
For Google federated OpenID testing try: http://www.puffypoodles.com/
The delegation issue is better in the Google group for the OpenID federated login API.
Regarding question number 2, the federated login API provides OAuth goodness, so you can pull in user info and use auth tokens etc. Check the federated login API.
Hope that helps.
Their OpenID Federated Login Service looks like the place to start. It's based on OpenID and allows you to have users sign-in to your site using their Google Apps ID. It looks like it's not supported with Google Apps Standard edition.
http://code.google.com/apis/apps/sso/openid_reference_implementation.html
There is also the Single Sign-On framework that doesn't use OpenID which may be the answer to #2.
http://code.google.com/apis/apps/open_source_projects.html#sso
Lots of people posted about OpenID, so I'll answer your second question.
ClientLogin is the API you're after.
Note that the link above is from the provisioning API doc, but it is not dependent on access to the provisioning API; it's just where this info lives now.
Lots of examples in different languages there.
Caveats:
- no single sign-on for this
- Google will dislike you (they are trying to kill ClientLogin)
- you will get occasional Captcha failures and will need to deal with those