Google OpenID Connect: Receiving a 500 error when supplying the "max_age" parameter to an authentication request
Problem description
As required by Google, we are attempting to finish our migration from Google's previous OpenID Authentication flow to the new OpenID Connect implementation. Everything has been relatively straightforward up until we attempted to use the max_age parameter (as defined in the openid-connect-core spec), which serves to replace the OpenID pape extension parameter: max_auth_age.
Supplying the max_age parameter doesn't break the authentication request right away, but only after the user successfully re-authenticates himself with Google; after which Google returns a 500 error:
- That’s an error.
There was an error. Please try again later. That’s all we know.
Discarding the parameter averts the 500 error, but does not fix the problem, seeing as we require re-authentication before entry to certain areas of our sites.
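The Authentication request URL appears to be properly constructed and valid. Again, it works fine without the max_age parameter. Example request with max_age=0: https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&response_type=code&client_id=407408718192.apps.googleusercontent.com&scope=profile&approval_prompt=force&access_type=offline&max_age=0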
Solution
As of this week, Google accepts the max_age parameter, and will return an auth_time claim in the ID Token when max_age is passed.
However, regardless of the value of max_time parameter, users won't be prompted to reauthenticate based on their session time, as that is not a pattern Google supports. Rather, users are asked to reauthenticate only when it is deemed necessary (e.g. the user is accessing their account from a new location).
If you need to reauthenticate users on your own site, you are encouraged to do so via another means.
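Since the answer says auth_time is returned but users are not re-prompted based on max_age, a relying party can enforce the limit itself by comparing auth_time with its own clock before opening a sensitive area. The following is an added example, not part of the original question or answer; the function name, the leeway default and the sample payloads are assumptions, and the claims are assumed to come from an ID Token whose signature, iss, aud and exp were already validated.

```python
import time


class StaleAuthentication(Exception):
    """The ID Token does not prove a recent enough end-user login."""


def require_fresh_auth(claims, max_age, now=None, leeway=30):
    """Return the login age in seconds, or raise StaleAuthentication.

    claims  -- payload of an ID Token whose signature, iss, aud and exp
               were already validated (assumption of this example)
    max_age -- the same value that was sent as max_age in the auth request
    leeway  -- tolerated clock skew in seconds (hypothetical default)
    """
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    # A missing claim must fail closed: without it freshness is unknown.
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        raise StaleAuthentication("auth_time missing or not an integer")
    if auth_time > now + leeway:
        raise StaleAuthentication("auth_time lies in the future")
    age = max(0, now - auth_time)
    if age > max_age + leeway:
        raise StaleAuthentication(
            f"last login was {age}s ago, limit is {max_age}s")
    return age


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed timestamp for the demo
    samples = {  # constructed ID Token payloads, not real tokens
        "just logged in": {"sub": "user-1", "auth_time": NOW - 12},
        "old session": {"sub": "user-1", "auth_time": NOW - 86_400},
        "claim absent": {"sub": "user-1"},
    }
    for label, claims in samples.items():
        try:
            age = require_fresh_auth(claims, max_age=300, now=NOW)
            print(f"{label}: ok, authenticated {age}s ago")
        except StaleAuthentication as exc:
            print(f"{label}: deny sensitive area ({exc})")
```

When the check fails, the site has to fall back on its own step-up mechanism, because sending the user back to Google with max_age will not force a new login.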