Google allows users to log in to websites using their Google account as an OpenID. When a user enters their Google account URL, it triggers an "id_select" login process where Google issues the user a specific OpenID. Websites can discover a user's OpenID information by accessing an XRDS file hosted on Google's servers. Google has also proposed hosting OpenID discovery files within a website's own domain to simplify the single sign-on process, but this has not been widely adopted. The user interface for OpenID logins can be improved to avoid confusion, such as prompting for an email address instead of an OpenID URL.
1. Google Apps Account as OpenID
Timothy Chien
http://blog.timc.idv.tw/
timdream@gmail.com
2010-10-31
2. Google Account as OpenID
It’s a feature introduced a long time ago
Everyone can paste
https://www.google.com/accounts/o8/id
and log in with it as their OpenID
– It will be discovered by the RP as a server endpoint,
triggering an id_select login process
– You will be issued an OpenID such as
https://www.google.com/accounts/o8/id?id=AItOwk...nqJOSI
4. “id_select” process?
New* in OpenID 2.0
– Which was introduced back in 2007
Indicates that the user wishes to use a specific OpenID
IdP, but does not know or state his own OpenID
Therefore the “id_select” login process asks the
OpenID IdP to select an ID for the user.
The other login process is the “signon” process
5. OpenID Discovery for Apps
Use this URL
https://www.google.com/accounts/o8/site-xrds?hd=
for server endpoint discovery
– You will be issued an OpenID such as
http://example.com/openid?id=1234567890
– Discovery info is hosted at the given URL so that the
RP can verify that Google is not lying
6. User Discovery Information
Described extensively in docs from Google
– http://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery
– It even asks for the XRDS to be signed!
I made a PHP script for that
– http://github.com/timdream/google-apps-openid
– Works, but the XRDS generated is not signed
– Hosting your own XRDS defeats the purpose of
Google Apps
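Added example (not from the slides and not the author’s PHP script): an RP-side discovery routine in Python showing what a relying party does with the two kinds of XRDS described on slides 2, 4 and 5 (a server endpoint, which triggers id_select, versus a user’s signon endpoint), and how it performs the “Google is not lying” check from slide 5 by re-discovering the asserted identifier and comparing OP endpoints. The two XRDS documents, the op.example.net endpoint, the rp.example.org return URL and the assertion dicts are constructed stand-ins; only the Type URIs and the identifier_select value come from the OpenID 2.0 specification.

```python
import xml.etree.ElementTree as ET

# Type URIs and identifiers from the OpenID Authentication 2.0 specification.
XRD_NS = "xri://$xrd*($v*2.0)"
OP_SERVER = "http://specs.openid.net/auth/2.0/server"    # OP Identifier -> id_select
OP_SIGNON = "http://specs.openid.net/auth/2.0/signon"    # claimed identifier -> signon
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed sample documents; op.example.net stands in for the real IdP.
# What an OP Identifier (like Google's o8/id URL) resolves to: a server endpoint.
SERVER_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.net/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# What a user's issued OpenID resolves to: a signon endpoint delegating to the same OP.
USER_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/openid/endpoint</URI>
      <LocalID>http://example.com/openid?id=1234567890</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed stand-in for HTTP discovery fetches so the example runs offline.
SAMPLE_DOCS = {
    "https://op.example.net/": SERVER_XRDS,
    "http://example.com/openid?id=1234567890": USER_XRDS,
}

# Constructed positive assertions as the RP would receive them after signature checks.
GOOD_ASSERTION = {
    "openid.ns": OPENID_NS,
    "openid.mode": "id_res",
    "openid.claimed_id": "http://example.com/openid?id=1234567890",
    "openid.identity": "http://example.com/openid?id=1234567890",
    "openid.op_endpoint": "https://op.example.net/openid/endpoint",
}
# Same claim, but signed by an OP the identifier never delegated to.
BAD_ASSERTION = {**GOOD_ASSERTION, "openid.op_endpoint": "https://rogue-op.example/endpoint"}


def parse_xrds(xml_text):
    """Return the <Service> entries of an XRDS document as plain dicts."""
    root = ET.fromstring(xml_text)
    services = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        prio = svc.get("priority")
        # XRDS: a lower priority value is preferred; a missing priority sorts last.
        entry = {"types": [], "uri": None, "local_id": None,
                 "priority": int(prio) if prio is not None else 10**9}
        for child in svc:
            text = (child.text or "").strip()
            if child.tag == f"{{{XRD_NS}}}Type":
                entry["types"].append(text)
            elif child.tag == f"{{{XRD_NS}}}URI" and entry["uri"] is None:
                entry["uri"] = text
            elif child.tag == f"{{{XRD_NS}}}LocalID":
                entry["local_id"] = text
        services.append(entry)
    return services


def select_endpoint(services):
    """Pick the OP endpoint and login mode: a server endpoint (id_select) is
    preferred over a signon endpoint, each taken in priority order."""
    ranked = sorted(services, key=lambda s: s["priority"])
    for wanted, mode in ((OP_SERVER, "id_select"), (OP_SIGNON, "signon")):
        for s in ranked:
            if wanted in s["types"] and s["uri"]:
                return {"mode": mode, "op_endpoint": s["uri"], "local_id": s["local_id"]}
    return None


def build_checkid_request(claimed_id, endpoint, return_to):
    """Parameters for the checkid_setup redirect sent to the OP."""
    params = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
              "openid.return_to": return_to}
    if endpoint["mode"] == "id_select":
        # The user named only the IdP, so the OP is asked to choose the identifier.
        params["openid.claimed_id"] = IDENTIFIER_SELECT
        params["openid.identity"] = IDENTIFIER_SELECT
    else:
        params["openid.claimed_id"] = claimed_id
        params["openid.identity"] = endpoint["local_id"] or claimed_id
    return params


def verify_assertion(assertion, fetch=SAMPLE_DOCS.get):
    """The 'verifying discovered information' step: re-discover the asserted
    claimed_id and require that the OP which answered is the OP that identifier
    actually delegates to. Signature verification is a separate, earlier step."""
    xrds = fetch(assertion.get("openid.claimed_id", ""))
    if xrds is None:
        return False
    endpoint = select_endpoint(parse_xrds(xrds))
    if endpoint is None or endpoint["op_endpoint"] != assertion.get("openid.op_endpoint"):
        return False
    if (endpoint["mode"] == "signon" and endpoint["local_id"]
            and endpoint["local_id"] != assertion.get("openid.identity")):
        return False
    return True


if __name__ == "__main__":
    ep = select_endpoint(parse_xrds(SERVER_XRDS))
    print(ep["mode"], build_checkid_request("https://op.example.net/", ep,
                                            "https://rp.example.org/return"))
    print("good assertion accepted:", verify_assertion(GOOD_ASSERTION))
    print("rogue assertion accepted:", verify_assertion(BAD_ASSERTION))
```

The last function is the point of slide 5: an assertion is only as good as the discovery the RP performs itself. If the RP skipped re-discovery, any OP could assert any claimed_id, which is why the discovery document must be hosted where the claimed identifier points rather than only at the IdP.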
8. Google’s Discovery Proposal for
Hosted Domains
Something involving a special file located at “/.well-known/host-meta”
Won’t work on current OpenID ecosystems, unless
you patch your RP library with the Google-supplied
extension.
– http://code.google.com/googleapps/marketplace/sso.html#gs
Not sure how it solves “Google might be lying”
9. On User Interface
Trigger the “id_select” process whenever possible
– URLs mean little to average users
– Entering username/password in different steps
seems strange
Possible UI
– “Enter your E-mail to continue”
– Buttons
Beware of the NASCAR effect