Google OpenID Connect migration: getting the openid_id in an ASP.NET app


Question


I've gone through plenty of Google documentation and SO Q/A's but with no luck. I wonder if anyone has yet successfully used the OpenId to OpenId Connect migration as advised by Google.

This is what we used to do:

IAuthenticationResponse response = _openid.GetResponse();
if (response != null) {
   //omitted for brevity       
} else {
   IAuthenticationRequest req = _openid.CreateRequest("https://www.google.com/accounts/o8/id");
   req.AddExtension(new ClaimsRequest
                    {
                        Country = DemandLevel.Request,
                        Email = DemandLevel.Request,
                        Gender = DemandLevel.Require,
                        PostalCode = DemandLevel.Require,
                        TimeZone = DemandLevel.Require
                    });
   req.RedirectToProvider();
}


That was done using a version of DotNetOpenAuth that dates back a few years. Because Google has deprecated OpenId authentication we are trying to move over to OpenID Connect. The key question here is: can I somehow get my hands on the OpenId identifier (in the form of https://www.google.com/accounts/o8/id?id=xyz) using the latest version of DotNetOpenAuth library or by any other means?


I have tried the latest DotNetOpenAuth and I can get it to work but it gives me a new Id (this was expected). I have also tried the Javascript way by using this URL (line breaks for readability):

https://accounts.google.com/o/oauth2/auth?
    scope=openid%20profile%20email
    &openid.realm=http://localhost/palkkac/
    &client_id=//here is the client id I created in google developer console
    &redirect_uri=http://localhost/palkkac/someaspxpagehere
    &response_type=id_token%20token


I checked (using Fiddler) the realm value that we currently send using the old DotNetOpenAuth code and it is http://localhost/palkkac/. I've put the same realm in the url above. The redirect url starts with the realm value but it is not entirely the same.


When I redirect to a simple page that parses the id_token and decrypts it (using the https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=zyx endpoint) I get this:

audience    "client id is here"
email   "mikkark@gmail.com"
expires_in  3597
issued_at   //some numbers here
issued_to   "client id is here"
issuer  "accounts.google.com"
user_id     "here is a sequence of numbers, my id in the OpenID Connect format that is"
verified_email  true


So there is no sign of the openid_id field that you would expect to find here, though the whole structure of the message seems different from the Google docs; there is no field titled sub, for example. I wonder if I'm actually using the wrong endpoint, parameters or something?


What I have been reading is the migration guide: https://developers.google.com/accounts/docs/OpenID. I skipped step 2 because it seemed like an optional step. In step 3 the field openid_id is discussed and I would like to get that to work as a proof-of-concept first.


We registered the app on Google in order to create the client id etc. There are now also numerous allowed redirect URLs as well as JavaScript origins listed in the Google dev console. Let me know if those might mess up the system and I'll post them here for review.


Side note: we are supposed to be moving our app behind a strictly firewalled environment where we would need to open ports in order to do this on the server side. Therefore, a client-side Javascript solution to access Google combined with HTTPS and redirecting the result to the server would be preferred (unless there are other issues that speak against this).


There are other resources on SO regarding this same issue, although all of these seem to use different libraries on the server side to do the job and nobody seems to have made any attempts at using Javascript:

  • Here (http://stackoverflow.com/questions/22842475/migrating-google-openid-to-openid-connect-openid-id-does-not-match) I think the problem was resolved by setting the realm to be the same as in the old OpenId2.0 flow. This does not seem to work in my case.
  • Over here (http://stackoverflow.com/questions/22481908/migrating-from-google-openid-to-new-oauth-2?rq=1) the openid_id field is also missing, but the problem here is more about how to request the id_token from Google using libraries other than DotNetOpenAuth.
  • And in here (http://stackoverflow.com/questions/25568187/asp-net-identity-google-account-id-migration-from-openid-to-oauth) there seem to be similar problems getting Google to return the openid_id field.

Answer


You can use the GoogleAuthentication OWIN middleware.

app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
{
    SignInAsAuthenticationType = signAs,
    AuthenticationType = "Google",
    ClientId = "xxx.apps.googleusercontent.com",
    ClientSecret = "xx",
    CallbackPath = PathString.FromUriComponent("/oauth2callback"),
    Provider = new GoogleOAuth2AuthenticationProvider
    {
        OnApplyRedirect = context =>
        {
            // DotNetOpenAuth by default adds a trailing slash; the realm must be exactly the same as before
            context.Response.Redirect(context.RedirectUri + "&openid.realm=https://mydomain.com/");
        }
    },
    BackchannelHttpHandler = new MyWebRequestHandler()
});


Then, add a new class called MyWebRequestHandler:

using System;
using System.Diagnostics;
using System.IdentityModel.Tokens;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Newtonsoft.Json.Linq;

public class MyWebRequestHandler : WebRequestHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var httpResponse = await base.SendAsync(request, cancellationToken);
        // only the token endpoint response carries the id_token; let the userinfo call pass through untouched
        if (request.RequestUri == new Uri("https://www.googleapis.com/plus/v1/people/me")) return httpResponse;

        // read the configuration to get the signing tokens (todo: should be cached or hard coded)
        var configuration = await OpenIdConnectConfigurationRetriever.GetAsync("https://accounts.google.com/.well-known/openid-configuration", cancellationToken);

        // google is unclear as the openid_id is not in the access_token but in the id_token
        // as the middleware does not expose the id_token we need to parse it again
        var json = await httpResponse.Content.ReadAsStringAsync();
        JObject response = JObject.Parse(json);
        string idToken = response.Value<string>("id_token");

        var tokenHandler = new JwtSecurityTokenHandler();

        try
        {
            SecurityToken token;
            // validates signature, issuer, audience and lifetime before any claim is trusted
            var claims = tokenHandler.ValidateToken(idToken, new TokenValidationParameters
            {
                ValidAudience = "xxx.apps.googleusercontent.com",
                ValidIssuer = "accounts.google.com",
                IssuerSigningTokens = configuration.SigningTokens
            }, out token);

            var claim = claims.FindFirst("openid_id");
            // claim.Value will contain the old openid identifier
            if (claim != null) Debug.WriteLine(claim.Value);
        }
        catch (Exception ex)
        {
            Debug.WriteLine(ex.ToString());
        }
        return httpResponse;
    }
}


If like me you found this not really straightforward, please help by upvoting this issue https://katanaproject.codeplex.com/workitem/359
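To show the two points the question and the answer circle around (the openid_id travels only in the id_token, and only when openid.realm matches the old OpenID 2.0 realm exactly), here is an added Python example that is not from the original post, DotNetOpenAuth or Katana: it builds the authorization URL with a properly encoded openid.realm and checks the claims of an id_token read from a constructed token endpoint response. The client id, sub and openid_id values are constructed placeholders, and the RS256 signature is assumed to have been verified against Google's JWKS beforehand, as the answer's handler does with IssuerSigningTokens.

```python
import base64
import json
import time
from urllib.parse import urlencode

GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")
LEGACY_PREFIX = "https://www.google.com/accounts/o8/id?id="


def build_auth_url(client_id, redirect_uri, realm):
    # openid.realm must be byte-for-byte the realm the old OpenID 2.0 flow sent (trailing slash included)
    params = {"scope": "openid profile email", "openid.realm": realm, "client_id": client_id,
              "redirect_uri": redirect_uri, "response_type": "code"}
    return "https://accounts.google.com/o/oauth2/auth?" + urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def legacy_id_from_token_response(token_json, client_id, now=None):
    """Read id_token from the token endpoint JSON, check its claims, return (sub, openid_id).
    Claim checks only: the RS256 signature must be verified against Google's JWKS first."""
    id_token = json.loads(token_json)["id_token"]
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("issuer is not Google")
    if claims.get("aud") != client_id:
        raise ValueError("audience is not this client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    openid_id = claims.get("openid_id")  # absent when openid.realm did not match the old realm
    if openid_id is not None and not openid_id.startswith(LEGACY_PREFIX):
        raise ValueError("openid_id is not a Google OpenID 2.0 identifier")
    return claims["sub"], openid_id


def _sample_id_token(claims):
    # constructed id_token with a dummy signature segment; only for the offline sample below
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "kid": "constructed"}) + "." + enc(claims) + ".c2ln"


# constructed token endpoint response (not captured from Google); client id, sub and openid_id are placeholders
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "ya29.constructed", "token_type": "Bearer", "expires_in": 3600,
    "id_token": _sample_id_token({"iss": "accounts.google.com", "aud": "xxx.apps.googleusercontent.com",
                                  "sub": "1234567890", "iat": 1999996400, "exp": 2000000000,
                                  "openid_id": LEGACY_PREFIX + "constructedXYZ"})})
```

Once the old identifier has been read from a verified id_token, store the sub alongside it and switch the account lookup to sub, because Google only emits openid_id during the migration window.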
