Google allows users to log in to websites using their Google account as an OpenID. When a user enters their Google account URL, it triggers an "id_select" login process where Google issues the user a specific OpenID. Websites can discover a user's OpenID information by accessing an XRDS file hosted on Google's servers. Google has also proposed hosting OpenID discovery files within a website's own domain to simplify the single sign-on process, but this has not been widely adopted. The user interface for OpenID logins can be improved to avoid confusion, such as prompting for an email address instead of an OpenID URL.

1. Google Apps Account as OpenID
Timothy Chien
http://blog.timc.idv.tw/
timdream@gmail.com
2010-10-31

2. Google Account as OpenID
 It’s a feature introduced long time ago
 Everyone can paste
https://www.google.com/accounts/o8/id
and login as your OpenID
– It will be discovered by RP as an server endpoint,
trigger an id_select login process
– You will be issued an OpenID as
https://www.google.com/accounts/o8/id?
id=AItOwk...nqJOSI

3. Google Account as OpenID
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
<Type>http://specs.openid.net/extensions/pape/1.0</Type>
<URI>https://www.google.com/accounts/o8/ud</URI>
</Service>
</XRD>
</xrds:XRDS>

4. “id_select” process?
 New* in OpenID 2.0
– Which is introduced back in 2007
 Indicate that user wishes to use a specific OpenID
IdP, however he didn’t know/say his own OpenID
 Therefore the “id_select” login process asks the
OpenID IdP to select an ID for the user.
 The other login process being “signon” process

5. OpenID Discovery for Apps
 Use this URL
https://www.google.com/accounts/o8/site-xrds?hd=
for server endpoint discovery
– You will be issued an OpenID as
http://example.com/openid?id=1234567890
– Discovery info is hosted on given URL in order for
RP to verify that Google is not lying

6. User Discovery Information
 Described extensively in docs from Google
– http://sites.google.com/site/oauthgoog/fedloginint
erp/openiddiscovery
– It even asked XRDS to be signed!
 I made a PHP script for that
– http://github.com/timdream/google-apps-openid
– Works, but XRDS generated is not signed
– Hosting your own XRDS defeat the purpose of
Google Apps

7. User Discovery Information
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<CanonicalID>http://example.com/openid?id=1234567890</CanonicalID>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
<Type>http://specs.openid.net/extensions/pape/1.0</Type>
<URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
</Service>
</XRD>
</xrds:XRDS>

8. Google’s Discovery Proposal for
Hosted Domains
 Something involved a special file located at “/.well-
known/host-meta”
 Won’t work on current OpenID ecosystems, unless
you patch your RP library with Google-supplied
extension.
– http://code.google.com/googleapps/marketplace/sso.html#g
s
 Not sure how it solves “Google might be lying”

9. On User Interface
 Trigger “id_select” process whenever
possible
– URL means little to average users
– Enter Username/Password in different steps
seems strange
 Possible UI
– “Enter your E-mail to continue”
– Buttons
 Be ware of NASCAR effect

11. example.com/jsmith
jsmith@example.com
example.com
jsmith.example.com

12. Q&A