Request: Google OpenID 2.0->OIDC migration config option #29

Closed
terrencegf opened this issue Aug 27, 2014 · 2 comments
Comments

@terrencegf

In order to migrate from Google OpenID 2.0 to Google OAuth2/OIDC, Google provides a mechanism for getting BOTH the OpenID 2.0 identifier AND the Google OIDC identifier for a user. The process is documented at https://developers.google.com/accounts/docs/OpenID#adjust-uri .

Basically, the initial authentication request URI can contain an additional parameter "openid.realm=https://..." This results in eventually returning a new "openid_id" field that contains the Google OpenID 2.0 identifier. By matching this against the "sub" field (the OIDC identifier), sites can migrate users from old OpenID 2.0 ids to new OIDC ids.

It would be really helpful if the configuration file could support something like "OIDCOpenIDRealm=https://...", then the code could get the openid_id and put it in the HTTP session headers.

@zandbelt
Member

This can be configured with the current version already:

If you use Google as your single provider, you can add the openid.realm=<urlencoded-realm-value> parameter to the authentication requests in the OIDCAuthRequestParams primitive, and that will result in an HTTP header called OIDC_CLAIM_openid_id with the requested value.

If you're using multiple OPs one of which is Google, you can create a file called accounts.google.com.conf in the metadata directory that looks like:

{
  "auth_request_params" : "openid.realm=<urlencoded-realm-value>"
}

Let me know if that works for you (a quick test did it for me).
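Putting the two halves of this thread together, as an added example that is not part of the thread and not mod_auth_openidc's own code: the Python below builds the URL-encoded openid.realm value for OIDCAuthRequestParams (or the accounts.google.com.conf metadata file from the reply above) and then shows the application-side matching the opener describes, binding a user record's Google OpenID 2.0 identifier to the OIDC sub on that user's first OIDC login. Assumptions: the claim header prefix is the module default OIDC_CLAIM_ (so sub arrives as OIDC_CLAIM_sub next to OIDC_CLAIM_openid_id), the user store and identifiers are constructed stand-ins, and the headers are read only on requests that actually passed through the module, since anything able to reach the backend directly could set them itself. Two caveats worth keeping in mind: Google only returns openid_id when the realm matches the one the site used for its OpenID 2.0 requests, and a legacy identifier must be bound to exactly one sub, so a different sub presenting an already-migrated openid_id is rejected rather than rebound (Google retired OpenID 2.0 sign-in in 2015, so this applies to migrations already under way).

```python
import json
from urllib.parse import quote

# mod_auth_openidc's default claim header prefix; assumption: OIDCClaimPrefix was not changed.
CLAIM_PREFIX = "OIDC_CLAIM_"


def auth_request_params(realm: str) -> str:
    """Value for OIDCAuthRequestParams: the realm must be URL-encoded inside the query string."""
    return "openid.realm=" + quote(realm, safe="")


def provider_conf(realm: str) -> str:
    """Contents of accounts.google.com.conf in the metadata directory for a multi-OP setup."""
    return json.dumps({"auth_request_params": auth_request_params(realm)}, indent=2)


class UserStore:
    """Constructed in-memory stand-in for the site's user database."""

    def __init__(self):
        self.by_openid2 = {}  # legacy Google OpenID 2.0 identifier -> user record
        self.by_sub = {}      # Google OIDC 'sub' -> user record

    def add_legacy(self, openid2_id: str, username: str) -> dict:
        rec = {"username": username, "openid2": openid2_id, "sub": None}
        self.by_openid2[openid2_id] = rec
        return rec


def resolve_user(store: UserStore, headers: dict):
    """Map an authenticated request to a user, migrating the legacy identifier on first OIDC login.

    `headers` are the request headers as set by mod_auth_openidc in front of the application.
    Returns (user_record_or_None, "oidc" | "migrated" | "unknown").
    """
    sub = headers.get(CLAIM_PREFIX + "sub")
    if not sub:
        # No subject means the request did not come through the module; never fall back to openid_id alone.
        raise PermissionError("missing OIDC subject; request did not pass through mod_auth_openidc")

    user = store.by_sub.get(sub)
    if user is not None:
        return user, "oidc"  # already migrated (or created natively as OIDC)

    openid_id = headers.get(CLAIM_PREFIX + "openid_id")
    if openid_id:
        user = store.by_openid2.get(openid_id)
        # Bind only if this legacy identifier has never been claimed by a sub before.
        if user is not None and user["sub"] is None:
            user["sub"] = sub
            store.by_sub[sub] = user
            return user, "migrated"
    return None, "unknown"


def demo():
    """Walk through config generation and one migration using constructed values."""
    realm = "https://example.com/"  # constructed realm; must equal the site's old OpenID 2.0 realm
    print(provider_conf(realm))

    store = UserStore()
    legacy_id = "https://www.google.com/accounts/o8/id?id=AItOawlCONSTRUCTED"  # constructed
    store.add_legacy(legacy_id, "alice")

    # Constructed headers as the module would set them after a login with openid.realm present.
    first_login = {CLAIM_PREFIX + "sub": "100000000000000000001", CLAIM_PREFIX + "openid_id": legacy_id}
    print(resolve_user(store, first_login))
    # Later logins carry only the sub (openid_id is no longer needed).
    print(resolve_user(store, {CLAIM_PREFIX + "sub": "100000000000000000001"}))


if __name__ == "__main__":
    demo()
```

The store keeps both indexes so the migration is a one-time write: once a record has a sub, later logins match on sub alone and the openid_id header is ignored, which also means a second sub carrying a stolen or stale openid_id cannot take over the account.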

@terrencegf
Author

That works perfectly! Thanks very much for the quick reply. I'll close the issue.
