Google OpenID Connect: Receiving a 500 error when supplying the "max_age" parameter to an authentication request


Problem description


As required by Google, we are attempting to finish our migration from Google's previous OpenID Authentication flow to the new OpenID Connect implementation. Everything has been relatively straightforward up until we attempted to use the max_age parameter (as defined in the openid-connect-core spec), which serves to replace the OpenID pape extension parameter: max_auth_age.

Supplying the max_age parameter doesn't break the authentication request right away, but only after the user successfully re-authenticates himself with Google; after which Google returns a 500 error:

1. That’s an error.

There was an error. Please try again later. That’s all we know.

Discarding the parameter averts the 500 error, but does not fix the problem, seeing as we require re-authentication before entry to certain areas of our sites.

The Authentication request URL appears to be properly constructed and valid. Again, it works fine without the max_age parameter. Example request with max_age=0: https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&response_type=code&client_id=407408718192.apps.googleusercontent.com&scope=profile&approval_prompt=force&access_type=offline&max_age=0

Solution

As of this week, Google accepts the max_age parameter, and will return an auth_time claim in the ID Token when max_age is passed.

However, regardless of the value of max_time parameter, users won't be prompted to reauthenticate based on their session time, as that is not a pattern Google supports. Rather, users are asked to reauthenticate only when it is deemed necessary (e.g. the user is accessing their account from a new location).

If you need to reauthenticate users on your own site, you are encouraged to do so via another means.
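An added example, not part of the original answer and not Google's code: because the answer says auth_time is returned but reauthentication is not forced, the relying party can compare auth_time with the max_age it requested and decide for itself when a sensitive area needs a fresh login. It assumes the ID token's signature, issuer, audience and expiry were already validated; the function names, the 30-second skew and the sample claims are hypothetical.

```python
import time

class ReauthRequired(Exception):
    """Raised when the ID token does not prove a recent enough login."""

def require_recent_auth(claims, max_age, now=None, skew=30):
    """Enforce max_age on the relying-party side.

    claims  -- ID token claims; signature/iss/aud/exp already validated
    max_age -- the value sent in the authentication request, in seconds
    skew    -- tolerated clock difference between provider and site (assumed)
    Returns the age of the authentication in seconds.
    """
    now = int(time.time()) if now is None else int(now)
    auth_time = claims.get("auth_time")
    # Fail closed: the claim must be an integer (bool is an int subclass).
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        raise ReauthRequired("auth_time missing or not an integer")
    if auth_time > now + skew:
        raise ReauthRequired("auth_time is in the future")
    age = max(0, now - auth_time)
    if age > max_age + skew:
        raise ReauthRequired(f"last login {age}s ago exceeds max_age={max_age}")
    return age

# Constructed sample claims and a fixed constructed clock (not real tokens).
NOW = 1_700_000_000
FRESH = {"sub": "user-1", "auth_time": NOW - 20}
STALE = {"sub": "user-1", "auth_time": NOW - 3600}
NO_CLAIM = {"sub": "user-1"}

def decide(claims, max_age):
    """Return 'allow' or 'reauth: <reason>' for a sensitive area."""
    try:
        require_recent_auth(claims, max_age, now=NOW)
        return "allow"
    except ReauthRequired as exc:
        return f"reauth: {exc}"

if __name__ == "__main__":
    for name, c in (("fresh", FRESH), ("stale", STALE), ("no claim", NO_CLAIM)):
        print(name, "->", decide(c, max_age=300))
```

A "reauth" result only tells the site that the proof of login is too old or absent; how the user is then re-verified is up to the site.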
