0
votes

I am in a critical situation as we have to integrate Google Apps support into our application, which is on the .NET 2.0 framework. So for this I am using DotNetOpenId v2.5.7. Earlier, in order to achieve this, we created a separate application on framework 4.0 using DotNetOpenAuth v3.4.6 that would do the authentication with Google Apps and redirect the data back with all the information. But that process had security loopholes. So now we are bound to use DotNetOpenId, as our application cannot be migrated to a higher framework.

The main issue is when using it with Google Apps. It works fine for Gmail accounts that have their OpenID endpoint at https://www.google.com/accounts/o8/ud. However, when the OpenID endpoint is something like https://www.google.com/a/example.com/o8/ud?be=o8 it gives me an assertion error. The application redirects the user correctly to the Google Apps login page. But when it comes back with data, the authentication status is Failed and the following is the exception in it:

Message: The OpenId Provider issued an assertion for an Identifier whose discovery information did not match.

Assertion endpoint info: 
ClaimedIdentifier: http://example.com/openid?id=11......010 
ProviderLocalIdentifier: http://example.com/openid?id=11......010 
ProviderEndpoint: https://www.google.com/a/example.com/o8/ud?be=o8 
OpenID version: 2.0 
Service Type URIs: (unavailable) 

Discovered endpoint info: 
{ClaimedIdentifier: http://specs.openid.net/auth/2.0/identifier_select 
ProviderLocalIdentifier: http://specs.openid.net/auth/2.0/identifier_select 
ProviderEndpoint: https://www.google.com/a/example.com/o8/ud?be=o8 
OpenID version: 2.0 
Service Type URIs: http://specs.openid.net/auth/2.0/server, }

I have placed an XRDS file, which is downloaded from http://example.com/openid, with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD>
        <Service priority="0">
            <Type>http://specs.openid.net/auth/2.0/server</Type>
            <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
        </Service>
        <Service priority="10">
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
            <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
        </Service>
    </XRD>
</xrds:XRDS>

But this didn’t help either.

I also placed a file at location http://example.com/.well-known/host-meta with this content:

Link: <https://www.google.com/accounts/o8/site-xrds?hd=example.com>; rel="describedby http://reltype.google.com/openid/xrd-op"; type="application/xrds+xml"

Please tell me what else I need to do. I have been browsing forums and using Google for days to resolve this issue, but with no progress.
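The exception above is the relying party refusing an assertion whose Claimed Identifier does not match what discovery produced. The following is an added, self-contained illustration of that check as OpenID 2.0 section 11.2 describes it; it is not the asker's code and not DotNetOpenId's internal logic, it is written in Python rather than .NET, and the identifier value and the XRDS text are constructed inline (modelled on the data in the question, with the numeric id replaced by a placeholder) so nothing is fetched. It shows both the comparison that fails in the question (assertion matched against the identifier_select endpoint discovered at request time) and the comparison the specification requires (re-run discovery on the asserted Claimed Identifier and match against that result).

```python
"""Worked illustration of the OpenID 2.0 "discovery must match the assertion" check
(section 11.2), using data modelled on the question above. All inputs are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XRD_NS = "{xri://$xrd*($v*2.0)}"  # Clark-notation prefix for the XRD default namespace
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
TYPE_SERVER = "http://specs.openid.net/auth/2.0/server"
TYPE_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed values modelled on the error text in the question; the id is a placeholder.
OP_ENDPOINT = "https://www.google.com/a/example.com/o8/ud?be=o8"
ASSERTED_CLAIMED_ID = "http://example.com/openid?id=PLACEHOLDER"

# Constructed XRDS with the same two services as the document posted in the question.
XRDS_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


@dataclass(frozen=True)
class Endpoint:
    claimed_id: str
    local_id: str
    op_endpoint: str


def discover(identifier: str, xrds_text: str) -> list:
    """Convert the XRDS served for `identifier` into the endpoints an RP may trust for it,
    in ascending priority order (a lower priority number is preferred)."""
    root = ET.fromstring(xrds_text)
    services = root.iter(XRD_NS + "Service")
    ordered = sorted(services, key=lambda s: int(s.get("priority", "2147483647")))
    found = []
    for svc in ordered:
        types = {t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text}
        uri = svc.find(XRD_NS + "URI")
        if uri is None or not uri.text:
            continue
        if TYPE_SERVER in types:
            # OP Identifier service: no user is named yet, so both identifiers are identifier_select.
            found.append(Endpoint(IDENTIFIER_SELECT, IDENTIFIER_SELECT, uri.text.strip()))
        elif TYPE_SIGNON in types:
            # Claimed Identifier service: LocalID, if present, names the OP-local identifier.
            local = svc.find(XRD_NS + "LocalID")
            local_id = local.text.strip() if local is not None and local.text else identifier
            found.append(Endpoint(identifier, local_id, uri.text.strip()))
    return found


def assertion_matches(asserted: Endpoint, discovered: list) -> bool:
    """RP-side check: accept only if discovery produced an endpoint with the same OP endpoint
    URL and the same OP-local identifier. This stops an OP from asserting an identifier that
    discovery does not delegate to it."""
    return any(
        d.op_endpoint == asserted.op_endpoint and d.local_id == asserted.local_id
        for d in discovered
    )


def verify_against_request_discovery(asserted: Endpoint) -> bool:
    """Reproduces the failure in the question: the assertion is compared with the endpoint
    discovered for the request (identifier_select) without re-discovering, so the identifiers
    can never be equal."""
    request_time = [Endpoint(IDENTIFIER_SELECT, IDENTIFIER_SELECT, OP_ENDPOINT)]
    return assertion_matches(asserted, request_time)


def verify_with_rediscovery(asserted: Endpoint, xrds_for_claimed_id: str) -> bool:
    """What section 11.2 requires when the request used identifier_select: run discovery on
    the asserted Claimed Identifier and match the assertion against that result."""
    return assertion_matches(asserted, discover(asserted.claimed_id, xrds_for_claimed_id))


if __name__ == "__main__":
    assertion = Endpoint(ASSERTED_CLAIMED_ID, ASSERTED_CLAIMED_ID, OP_ENDPOINT)
    print("matches request-time discovery:", verify_against_request_discovery(assertion))
    print("matches re-discovery on claimed id:", verify_with_rediscovery(assertion, XRDS_DOC))
```

Run stand-alone, the first line prints False and the second True: the same assertion is rejected when it is held against the identifier_select endpoint and accepted once discovery is repeated on the asserted Claimed Identifier and the signon service is found there. Whether a given library performs that second discovery is a property of the library, not of the XRDS file, which is why adding services to the file alone may not change the outcome.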


1 Answer

0
votes

You are correct in that DotNetOpenId v2.x targets .NET 2.0. It cannot log in users via their Google Apps OpenIDs because Google Apps does not follow the OpenID protocol, but rather Google's own variant of it.

DotNetOpenAuth v3.x is pluggable in a way that allows Google Apps to work by activating support for their variant of OpenID.

I think what will help you most is knowing that DotNetOpenAuth does not require .NET 4.0. Simply install .NET 3.5, which is a low-impact in-place update for .NET 2.0. Your web sites should continue functioning normally, but DotNetOpenAuth v3.x will work on it.