In order to migrate from Google OpenID 2.0 to Google OAuth2/OIDC, Google provides a mechanism for getting BOTH OpenID 2.0 identifier AND Google OIDC identifier for a user. The process is documented at https://developers.google.com/accounts/docs/OpenID#adjust-uri .
Basically, the initial authentication request URI can contain an additional parameter "openid.realm=https://...". This eventually results in a new "openid_id" field being returned that contains the Google OpenID 2.0 identifier. By matching this against the "sub" field (the OIDC identifier), sites can migrate users from old OpenID 2.0 ids to new OIDC ids.
It would be really helpful if the configuration file could support something like "OIDCOpenIDRealm=https://...", then the code could get the openid_id and put it in the HTTP session headers.
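The application-side half of the migration described above, as an added example that is not code from the issue or from mod_auth_openidc. It assumes the module sits in front of the application and populates the claim headers from the verified ID token using the default claim prefix, so the request arrives with OIDC_CLAIM_sub and, when openid.realm was sent, OIDC_CLAIM_openid_id. The user store, the User/UserStore names and all identifier values are constructed for the example.

```python
# Added example, not from mod_auth_openidc or the issue author: migrate a user
# record from a Google OpenID 2.0 identifier to the Google OIDC "sub".
#
# Assumption: mod_auth_openidc protects this application and sets the headers
# OIDC_CLAIM_sub / OIDC_CLAIM_openid_id from the verified ID token (default
# OIDCClaimPrefix "OIDC_CLAIM_"). The app must only be reachable through that
# protected vhost, otherwise a client could supply these headers itself.

from dataclasses import dataclass, field
from typing import Dict, Optional

CLAIM_PREFIX = "OIDC_CLAIM_"  # default mod_auth_openidc claim header prefix


@dataclass
class User:
    username: str
    openid2_id: Optional[str] = None  # legacy Google OpenID 2.0 claimed identifier
    oidc_sub: Optional[str] = None    # Google OIDC subject, filled in on first OIDC login


@dataclass
class UserStore:
    """Toy in-memory store standing in for the site's user database (constructed)."""
    by_openid2: Dict[str, User] = field(default_factory=dict)
    by_sub: Dict[str, User] = field(default_factory=dict)

    def add_legacy(self, user: User) -> None:
        self.by_openid2[user.openid2_id] = user


def resolve_user(headers: Dict[str, str], store: UserStore,
                 prefix: str = CLAIM_PREFIX) -> Optional[User]:
    """Return the local user for an authenticated request, migrating legacy records.

    Lookup order:
      1. by OIDC "sub"       (users already migrated),
      2. by "openid_id"      (legacy users seen via OIDC for the first time);
         on a hit the sub is recorded so step 1 works from then on,
      3. None                (unknown user; the caller decides whether to register).
    """
    sub = headers.get(prefix + "sub")
    if not sub:
        # No verified subject means nothing to match on; refuse rather than guess.
        raise ValueError("missing OIDC subject claim")

    user = store.by_sub.get(sub)
    if user is not None:
        return user

    openid_id = headers.get(prefix + "openid_id")
    if openid_id:
        user = store.by_openid2.get(openid_id)
        if user is not None:
            if user.oidc_sub is not None and user.oidc_sub != sub:
                # Legacy record already bound to a different sub: never rebind silently.
                raise ValueError("openid_id already migrated to a different sub")
            user.oidc_sub = sub
            store.by_sub[sub] = user
            return user
    return None


if __name__ == "__main__":
    # Constructed sample data, not real Google identifiers.
    store = UserStore()
    alice = User("alice", openid2_id="https://www.google.com/accounts/o8/id?id=AItOawlEXAMPLE")
    store.add_legacy(alice)

    first_login = {CLAIM_PREFIX + "sub": "110169484474386276334",
                   CLAIM_PREFIX + "openid_id": alice.openid2_id}
    print(resolve_user(first_login, store))           # alice, now with oidc_sub set
    print(resolve_user({CLAIM_PREFIX + "sub": "110169484474386276334"}, store))  # alice via sub
```

The openid.realm value sent with the authentication request has to be exactly the realm the site used for its OpenID 2.0 requests, since Google's OpenID 2.0 identifiers were issued per realm; with a different realm the returned openid_id will not match any stored record and every legacy user falls through to the "unknown user" branch.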
This can be configured with the current version already:
If you use Google as your single provider, you can add the openid.realm=<urlencoded-realm-value> parameter to the authentication requests in the OIDCAuthRequestParams primitive, and that will result in an HTTP header called OIDC_CLAIM_openid_id with the requested value.
If you're using multiple OPs one of which is Google, you can create a file called accounts.google.com.conf in the metadata directory that looks like: