
I have an existing asp.net mvc5 application using DotNetOpenAuth for Google OpenId authentication. I am migrating to Asp.Net Identity, and using Google+ Auth with OAuth2.0.

But I have seen that I can't map the existing OpenId account Id to the OAuth2.0 Id:
  • Old id is: https://www.google.com/accounts/o8/id?id=blablabla
  • New Id is: a long number

Since I would like to use new id, I am searching for help on migrating identities. I have not found yet a simple sample to achieve this.

I am using a new asp.net mvc5 application (freshly scaffolded), added Microsoft Identity (with custom implementation for my data), configured the GoogleOAuth2 provider.

When I try to login, surprise! :) The account id has changed...

I have read some posts that tell to add "openid.realm" to the auth request but, how can I change the authentication request url, and how do I know the value to put in it?

Thanks.

Dede

1 Answer

To change the authentication request to include the openid.realm parameter, you can use the OnApplyRedirect delegate, e.g.

using System.Collections.Generic;
using Microsoft.Owin.Infrastructure;   // WebUtilities.AddQueryString
using Microsoft.Owin.Security.Google;

// In Startup.ConfigureAuth(IAppBuilder app):
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
{
    ClientId = "",
    ClientSecret = "",
    Provider = new GoogleOAuth2AuthenticationProvider
    {
        // Runs just before the browser is sent to Google: append openid.realm
        // to the authorization URL Katana built and issue the redirect ourselves.
        OnApplyRedirect = context =>
        {
            Dictionary<string, string> dictionary = new Dictionary<string, string>()
            {
                { "openid.realm", "http://mywebsite.com/openid/realm" }
            };
            var redirectUri = WebUtilities.AddQueryString(context.RedirectUri, dictionary);
            context.Response.Redirect(redirectUri);
        },
    }
});

The value of openid.realm needs to be the realm you used for OpenID 2.0.

The Google migration doc has information on how to map from the user's old id to the new one.

brocknz
  • Adding the openid.realm works (when I put a bad value I got an error), but by reading the doc, I don't know where I can find the "openid_id" field. If I understand well, the value can be retrieved when querying the access token. But the code that does this has either no entry point or events that can be handled... – Dede Sep 01 '14 at 11:25
  • In the documentation, step 3 tells that the response of the token request contains the "openid_id" field needed for me. This is not the case. Any idea? – Dede Sep 02 '14 at 08:57
  • I think a lot of people have had problems retrieving the openid_id. It could be a bug. – brocknz Sep 10 '14 at 23:44
  • I can't retrieve it either. The data just isn't returned by Google. – spadelives Sep 15 '14 at 22:36
  • This gets partway. Inside Microsoft.Owin.Security.Google, after posting to the Google token endpoint, the openid_id field is encoded inside the id_token which sits next to the access_token. A JwtSecurityToken object can be used to decode. Unfortunately, the id_token value is dropped and does not pass through to the OnAuthenticated handler. There does not seem to be a way to get at the openid_id. Microsoft.Owin.Security.OpenIdConnect looks promising (I see a JWT lurking inside) but the Google part seems to be a work in progress. Either way it will take some work from the Katana team to resolve. – John Oct 11 '14 at 01:45
  • Finally got Google to return the token_id by doing a string replace on the context.RedirectUri to add the id_token parameter to response_type but Google returns a malformed query string in the form of https://mydomain/signin-google#state... instead of https://mydomain/signin-google?state... The id_token is there now though. – spadelives Nov 06 '14 at 17:11
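Putting the two halves of the thread together as an added example (not code from the question, the answer, Katana or Google): assuming the raw id_token string has already been obtained (the stock Microsoft.Owin.Security.Google handler discussed above does not surface it), a hypothetical GoogleOpenIdMigration helper validates the token and then attaches the new numeric id to the user who owns the old OpenID 2.0 identifier. The caller-supplied TokenValidationParameters (Google's signing keys, issuer and the app's ClientId as audience) and the convention that the old URL was stored as the ProviderKey of a "Google" login are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens;   // JwtSecurityTokenHandler (System.IdentityModel.Tokens.Jwt package)
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Hypothetical helper: migrate one Google OpenID 2.0 account to its OAuth 2.0 subject.
public static class GoogleOpenIdMigration
{
    // Returns true when the user owning the legacy identifier gained the new login.
    // 'validation' is assumed to carry Google's signing keys, the expected issuer
    // and this application's ClientId as the valid audience.
    public static async Task<bool> MigrateAsync(
        string idToken, TokenValidationParameters validation, UserManager<IdentityUser> userManager)
    {
        if (string.IsNullOrEmpty(idToken))
            return false;

        // Check signature, issuer, audience and expiry before trusting any claim.
        // new JwtSecurityToken(idToken) alone only decodes; it verifies nothing.
        var handler = new JwtSecurityTokenHandler();
        SecurityToken validated;
        ClaimsPrincipal principal;
        try
        {
            principal = handler.ValidateToken(idToken, validation, out validated);
        }
        catch (SecurityTokenException)
        {
            return false;   // forged, expired or wrong-audience token: change nothing
        }

        // openid_id = old https://www.google.com/accounts/o8/id?id=... identifier,
        // sub = the new numeric id. Missing openid_id is the case the comments describe.
        Claim oldClaim = principal.FindFirst("openid_id");
        Claim subClaim = principal.FindFirst("sub");
        if (oldClaim == null || subClaim == null)
            return false;

        // Assumption: the legacy identifier was stored as the ProviderKey of a "Google" login.
        var oldLogin = new UserLoginInfo("Google", oldClaim.Value);
        IdentityUser user = await userManager.FindAsync(oldLogin);
        if (user == null)
            return false;

        IdentityResult added = await userManager.AddLoginAsync(user.Id, new UserLoginInfo("Google", subClaim.Value));
        // Keep the old login until every user has migrated; drop it later with
        // userManager.RemoveLoginAsync(user.Id, oldLogin).
        return added.Succeeded;
    }
}
```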