does openid4j work for google openid? - java

Has anyone tried this: creating an openid4j servlet and trying to authenticate with Google OpenID? I tried it and failed, and so I want to get confirmation from you all. I am able to authenticate with yahoo_email and myopenid.com.

I don't have personal knowledge of openid4j, but I can't imagine they wouldn't support Google's OpenID. Google OpenID is just standard OpenID 2.0, although they have a few notable differences in normal behavior that you should be aware of:
- You should kick off authentication by supplying the URL https://www.google.com/accounts/o8/id instead of just gmail.com or google.com, since Google hasn't made those simple domain names OP Identifiers yet.
- They don't support delegation, and you cannot start an authentication using a user's claimed_id. Only OP Identifiers work.
- If the user clicks "Always remember me" for the site during login, Google won't supply any AX attribute values to the RP on subsequent logins (the RP must store the initially received values).
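
The three points above, worked through with the openid4java ConsumerManager API as an added example (not code from the original post or from the openid4java project). It assumes openid4java is on the classpath, a placeholder return-to URL, and that the DiscoveryInformation from step 1 is kept in the HTTP session until step 2 (here it is passed in explicitly). Google retired this OpenID 2.0 endpoint in 2015, so the flow is shown as the answer describes it.

```java
import java.util.List;
import java.util.Map;
import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.AuthSuccess;
import org.openid4java.message.ParameterList;
import org.openid4java.message.ax.AxMessage;
import org.openid4java.message.ax.FetchRequest;
import org.openid4java.message.ax.FetchResponse;

public class GoogleOpenIdRp {
    // Google's OP Identifier: discovery starts here, never at a user-typed claimed_id
    // (Google does not support delegation, so a claimed_id would fail discovery).
    static final String GOOGLE_OP = "https://www.google.com/accounts/o8/id";

    /** Step 1: discover + associate, then build the URL to redirect the browser to.
     *  sessionSlot stands in for HttpSession.setAttribute(): 'discovered' is needed again in step 2. */
    static String startLogin(ConsumerManager manager, DiscoveryInformation[] sessionSlot,
                             String returnToUrl) throws OpenIDException {
        List discoveries = manager.discover(GOOGLE_OP);                  // XRDS discovery on the OP
        DiscoveryInformation discovered = manager.associate(discoveries);  // shared-secret association
        sessionSlot[0] = discovered;
        AuthRequest req = manager.authenticate(discovered, returnToUrl);
        FetchRequest ax = FetchRequest.createFetchRequest();               // AX values: only on first login
        ax.addAttribute("email", "http://axschema.org/contact/email", true);
        ax.addAttribute("firstname", "http://axschema.org/namePerson/first", false);
        req.addExtension(ax);
        return req.getDestinationUrl(true);                                // HTTP GET redirect form
    }

    /** Step 2: verify the OP's assertion (signature, nonce, return_to and that it came from the
     *  endpoint discovered in step 1), then persist any AX attributes the first time they arrive. */
    static Identifier finishLogin(ConsumerManager manager, DiscoveryInformation discovered,
                                  String receivingUrl, Map<String, String[]> params,
                                  Map<String, String> emailByClaimedId) throws OpenIDException {
        ParameterList response = new ParameterList(params);
        VerificationResult result = manager.verify(receivingUrl, response, discovered);
        Identifier verified = result.getVerifiedId();                     // null: assertion rejected
        if (verified == null) return null;
        AuthSuccess success = (AuthSuccess) result.getAuthResponse();
        if (success.hasExtension(AxMessage.OPENID_NS_AX)) {
            FetchResponse ax = (FetchResponse) success.getExtension(AxMessage.OPENID_NS_AX);
            String email = ax.getAttributeValue("email");
            if (email != null) emailByClaimedId.put(verified.getIdentifier(), email);
        }
        return verified;  // key the local account on the claimed_id, not on the (possibly absent) email
    }
}
```

Passing the same DiscoveryInformation object into verify() is what lets openid4java reject an assertion signed by a different endpoint than the one discovered, so it must come from the server-side session, never from a request parameter.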

Well, right now I'm logged in as a Google openid account. The trouble is that they have supported a strange blend of OAuth and OpenID, so I don't know how one would implement it on one's own servers. At least for Stack Overflow, my OpenID URL is www.google.com/accounts/o8/id, without the comma, obviously.

Related

How to post with Google Plus API - Java

I'm trying to create a web service to use the Google Plus API. I'm writing it in Java; however, I can't figure out what files I need and how I would go about posting to Google Plus groups using Java.
If you have any insight, please could you post relevant links and helpful tips to help me out.
EDIT 1:
I have been playing around with the Google Plus API provided by Google and have written a project based on the sample code given on this page: https://developers.google.com/+/domains/posts/creating
The code runs fine until it gets to the GoogleTokenResponse tokenResponse = flow.newTokenRequest(code).setRedirectUri(REDIRECT_URI).execute(); line, where it returns a null error. I am copying the link provided in the console and pasting it in the code; however, every time it just returns a null error. Is there a specific part of the returned code that causes an issue?
Posting to Google+ is only supported for accounts in a Google Apps Domain (and even then, with restrictions).
If you are logging in using a GMail account, you don't have an Apps Domain account. If you're logging in using some other email address (i.e. you have an email address, but you can't use Google account features such as GMail or Google Drive with it), then you don't have an Apps Domain account. If you are using a Domain account, your Domain admin may need to enable Google+ for your Domain before this works.
See https://developers.google.com/+/domains/getting-started for the differences between what you can do with the Domains API and the regular Plus API.
Note that neither API lets you post to a Google+ Community or post publicly. The Domains API does let you post to a user's circle, as long as the members of that circle are also part of the Domain. The Domain API also lets you post to everyone in the Domain. The normal Plus API does not allow posting at all.
There is a third API, known as the Pages API, which allows Pages to publicly post on their stream. This API, however, is available to a limited number of partners such as Hootsuite. You can read more at https://developers.google.com/+/api/pages-signup, but there isn't much more available publicly.
Your web service should first authenticate against Google. This authentication can either use a service account (if you want to post only through one account) or the user's account (if you want to post via the user's account) using the OAuth mechanism.
For more details about how to authenticate, refer to How to authenticate our users in our website with Google Account
Have a look at https://developers.google.com/+/api/ for detailed information about how Google Plus APIs can be used.

Google App for business + OpenId + GoogleAPIs in Java GAE

I'm finding a lot of problems trying to develop a Google app to place in the market, with OpenID and accessing some Google APIs like G+ from the back-end server on GAE.
I have applications running using Google APIs to access G+ data with 3-legged OAuth (code flow) without problems, and I understand the "magic" behind the scenes, but I'm getting lost with OpenID and the Google market. Do I need to do the 3-legged OAuth after the user passes the OpenID Google filter, and send the user to accept the G+ API permission to use that token to access Google APIs? If this is the case, what happens if the user accesses the application from his company Gmail account, and when prompted to accept the G+ access, he changes accounts? Is there any good reading that makes things easier with Google Apps, OpenID and accessing Google APIs from GAE?
Why can't I specify the scope of G+ when sending my application to the market, in the app conf files?
In this scenario, what is the best way of getting the user's G+ profile (picture, full name, nickname)? What am I missing? Google documentation is really good, when you find the correct one, but a lot of links are dead and millions of examples with deprecated GData APIs are flooding the net...
OK, after further reading and testing I came up with these points:
Google Marketplace just allows you to access these APIs without extra "OAuth dances".
If you want to access more APIs than the ones listed above, you need the OAuth exchange to get specific token/s for the APIs you want to access.
In my case, I want to access the G+ API before the OpenID from the market, so after logging in the user with OpenID, I need to redirect him to the Google API OAuth accept screen (just for the first time).
More things about the market that took me a long time to catch:
- The Billing API and License API are deprecated; this means you are responsible for billing your users and keeping them tracked to know if a given user has paid for the application or when the license has expired.
- You need to map /_ah/login_required because your application should be set (when you create it) to only accept federated logins, which will lead to a redirection to /_ah/login_required, from where you need to do the OpenID stuff.
A lot of links in the documentation are broken and the examples are too old :(
It's actually a little simpler now with the new Google Apps Marketplace experience. If you follow the steps in the docs and make sure you ask for the same scopes in your App Engine code, the user should never be prompted.

gerrit and OpenID_SSO

I set up a gerrit server.
For authentication gerrit allows among others OpenId and OpenId_SSO.
The first one works fine, but requires me to enter the whole long OpenId.
As I only want to allow a single provider the second option sounds perfect.
To use this, I have to supply the parameter auth.openIdSsoUrl which is "The SSO entry point URL".
How can I find out the correct URL to enter?
I already tried to use wireshark to monitor the http conversation during the normal OpenId login. But the URL involved there seems not to be the right one.
What exactly is an "entry point" in that context?
BTW: I currently use my own Atlassian Crowd as an OpenId server.
Edit: The java code involved can be found here.
The "entry point" is an OpenID endpoint URL. Using it to authenticate allows the OpenID server to say which user is authenticated, rather than requiring users to supply their own identifier. It's not used in the OpenID process unless you provide it, so it won't show in Wireshark logs.
From Crowd 2.6 there is an endpoint URL, which will end in openidserver/op.

OpenId authentication in struts 2 web application

This is related to OpenId authentication.
I have implemented the Google and Yahoo OpenId auth with Java in Struts2,
but it is achieved through page redirection to the OpenId provider auth page and then back to my own success web page.
But what I wanted was the same as Facebook auth, wherein a JSON object is passed from FB and FB authentication is done in a pop-up, so that redirection can be avoided.
Please help me out.
I have somewhat implemented what is mentioned in this post (part 1 to part 4): http://javadeveloperjournal.blogspot.in/2011/08/integrating-openid-into-my-struts-2-app.html
First, I would not suggest using OpenID for Facebook, and Facebook does not provide its own implementation for OpenID but relies on certain third-party implementations.
The best way is to go with OAuth, which is quite similar to what OpenID is, with the only differences being in the level of security and authentication.
While constructing a URL to the OAuth Dialog, you can specify a parameter, namely display, indicating whether you want a page redirect or a pop-up; by default the value of this parameter is set to page.
Please go through Facebook documentation for implementing OAuth
oauth using Facebook
That redirection is a mandatory part of the OpenID specification. Anyhow, to authenticate users in that manner, whoever the OpenID Provider is should support it. But Facebook doesn't, as far as I know. Use OAuth; Facebook supports it and it is an open standard, so it is always better to go with open standards.
Well, as the other answers have indicated, passing you to the OpenID provider to log in is part of the specification. Also, in agreement with Umesh above, Facebook provides Facebook Connect, which isn't OpenId, but allows you to authenticate users using this method.
See: Is Facebook an OpenID provider?
What I do want to add, however, is the clarification that you don't just run off and create an OAuth-based authentication system because OpenID isn't what you want to use. OAuth provides you with more than just login authentication; there's more power in there, which strangely users are unaware of. OpenId passes along your credentials and OAuth passes along access to your data. So with OpenId the website can authenticate me; with OAuth the website can authenticate me and possibly have access to all my email or my documents in Google Drive. The good thing is that you, the user, have to explicitly allow this access.
But erring on the side of privacy, you'd want to build a compelling case for an application that needs the power of OAuth. Like the picture in the article below, one is the difference between asking for a notarized letter to prove your identity, and asking for a valet key to prove your identity.
A valet is OAuth: I need them to take my car and park it in the parking lot, so I give them a valet key. It can't open the glove compartment or the trunk, but they can open the driver's side door and start the ignition, which is all I need them to do, and no more. However, I don't give the cashier at the grocery my valet key when I'm paying with a personal check; she just needs to see a photo ID, and any gov't issued ID will work. Technically my valet key, which will allow her to open my car and read my VIN and possibly authenticate it against a DMV database, should also work, but that's probably overkill.
There are good uses for OpenId, OAuth and Federated logins, but as developers we need to understand when and where we should use each of them.
http://en.wikipedia.org/wiki/OAuth#OpenID_vs._pseudo-authentication_using_OAuth

NTLoginModule: Where does it retrieve user information?

I want the user to be able to Single-Sign-On, i.e. once logged on as Windows User, all services offered by my application should be accessible without further authentication.
In order to authenticate the user I'm using JAAS (Java Authentication and Authorization Services), which is integrated in Java.
The Java API also ships with several JAAS LoginModules. One of them is called NTLoginModule, which retrieves user information about the currently logged on Windows User.
- Where does NTLoginModule retrieve its information from?
- Can I use the information returned by NTLoginModule in order to authenticate the current user in a safe manner?
- Are there any security issues I have to know about?
Thank you in advance!
I cannot help with JAAS; the last time I did SSO with NTLM, it was based on jCIFS.
However, I'm replying to your third point: there are security issues with NTLM.
- NTLM is quite weak (even v2), and you should lock accounts after a given number of login failures (to avoid brute force attacks).
- NTLM cannot work over a firewall.
- An NTLM token cannot be trusted by a third party, leading to the double-hop problem. Your application cannot take the identity of the logged in user to call another NTLM-protected server (like a web service, an RSS feed, or any web resource).
- NTLM is not supported by all browsers. Internet Explorer and Chrome work natively; Firefox needs a configuration edit for each targeted site; Opera and Konqueror don't support NTLM at all.
As I said in the comment to rds' answer: "I learned that NTLoginModule is quite insecure. I was able to fake the returned username by replacing the NTUserPrincipal.class file in the rt.jar package and so I was able to return a bogus user name. So it's not suitable for any kind of authentication."
Additionally, by doing some research I found out that NTLoginModule retrieves its information from nt.dll, which is part of the Java native libraries for Windows. nt.dll uses advapi32.dll in order to retrieve the current user's information.
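
To make concrete what NTLoginModule actually reports, here is an added example (not code from the question or from the JDK's own samples) that configures the module programmatically and enumerates the principals it produces. It assumes a Windows JVM (the module is Windows-only) and the entry name NTLogin chosen here; the identity it returns is that of the account the JVM process runs under, which is why, inside a servlet container, it names the service account rather than the remote browser user.

```java
import java.security.Principal;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.NTDomainPrincipal;
import com.sun.security.auth.NTSidGroupPrincipal;
import com.sun.security.auth.NTUserPrincipal;

public class NtLoginProbe {
    static final String ENTRY = "NTLogin";   // entry name chosen for this example

    /** Programmatic equivalent of a jaas.conf entry listing NTLoginModule as the only module. */
    static void installConfig() {
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!ENTRY.equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.NTLoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.singletonMap("debug", "false")) };
            }
        });
    }

    /** Returns DOMAIN\user of the account that owns this JVM process. */
    static String processOwner() throws LoginException {
        LoginContext lc = new LoginContext(ENTRY);  // no CallbackHandler: nobody is asked for a password
        lc.login();                                 // nt.dll reads the process access token via advapi32
        Subject subject = lc.getSubject();
        String domain = null, user = null;
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof NTDomainPrincipal) domain = p.getName();
            if (p instanceof NTUserPrincipal) user = p.getName();
        }
        int groups = subject.getPrincipals(NTSidGroupPrincipal.class).size();
        System.out.println("JVM runs as " + domain + "\\" + user + " with " + groups + " group SIDs");
        return domain + "\\" + user;
    }

    public static void main(String[] args) throws LoginException {
        installConfig();
        // The module never sees a remote caller's credentials, so it cannot vouch for one;
        // an HTTP user must be authenticated by a server-side mechanism such as SPNEGO/Kerberos.
        processOwner();
    }
}
```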
