  • Inconsistent usernames using Google as OpenID provider

    This was going to be a question until I figured out the answer for myself!

    I'm adding OpenID authentication to a small web app using Spring Security. Here's my config (minus the "beans" element):

    Code:
    <http>
      <intercept-url pattern="/css/**" filters="none" />
      <intercept-url pattern="/images/**" filters="none" />
      <intercept-url pattern="/index.htm" filters="none" />
      <intercept-url pattern="/login.htm" filters="none" />
      <intercept-url pattern="/welcome.htm" filters="none" />
      <intercept-url pattern="/**" access="ROLE_USER" />
      <logout logout-url="/logout.htm"/>
      <openid-login login-page="/login.htm" user-service-ref="myUserDetailsService"/>
    </http>

    The UserDetailsService is implemented (naively for the moment) like this:

    Code:
    // With openid-login, "username" is the identifier returned by the OpenID provider
    public UserDetails loadUserByUsername(final String username) {
        // Allow anyone who's authenticated to log in as a "user"
        return new User(username, "ignored", true, true, true, true,
            new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
    }

    This all worked nicely using Verisign as the provider.

    When I logged in using my Google account (using the generic Google OpenID of www.google.com/accounts/o8/id) the authentication process proceeded properly, i.e. Google prompted me to log in to Google, then my browser was correctly redirected to the secured view in my application that I originally requested. However, the username passed to the loadUserByUsername method (above) varied depending on which computer I logged in from. I was hoping this username would always be the same for a given Google user so that my UserDetailsService could use it to identify them.

    The answer was to use the same host name from all client machines; Google generates a different identifier per user per realm. Because I was using http://localhost/myapp from the server's browser and http://server_name/myapp from another machine, Google saw these as different realms and therefore returned different IDs even for the same Google user.

    Anyway, I hope this helps someone!
    Last edited by Andrew Swan; Nov 23rd, 2009, 04:41 PM. Reason: Fixed the correct answer
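
The fix described in the post, enforced before login starts so that the provider always sees one realm, as an added example that is not part of the original post or of Spring Security. Assumptions: the class and method names are hypothetical, the realm is taken to be scheme://host[:port]/ of the URL the browser used, and appserver.example is a constructed host standing in for the post's server_name.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Optional;

// Added example: hypothetical helper, not Spring Security code.
public class CanonicalRealm {

    // Assumption: with no realm configured, the relying party presents
    // scheme://host[:port]/ of the request URL to the OpenID provider.
    static String realmOf(URI url) {
        String scheme = url.getScheme().toLowerCase(Locale.ROOT);
        String host = url.getHost().toLowerCase(Locale.ROOT);
        int port = url.getPort();
        boolean defaultPort = port == -1
                || ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        return scheme + "://" + host + (defaultPort ? "" : ":" + port) + "/";
    }

    // Returns the URL to redirect to before starting OpenID login, or empty
    // when the request already arrived on the canonical origin. Path and
    // query are preserved so the user lands on the page they asked for.
    static Optional<URI> redirectIfNonCanonical(URI request, URI canonical) {
        String canonicalRealm = realmOf(canonical);
        if (realmOf(request).equals(canonicalRealm)) {
            return Optional.empty();
        }
        String path = request.getRawPath().isEmpty() ? "/" : request.getRawPath();
        String query = request.getRawQuery() == null ? "" : "?" + request.getRawQuery();
        String origin = canonicalRealm.substring(0, canonicalRealm.length() - 1);
        return Optional.of(URI.create(origin + path + query));
    }

    public static void main(String[] args) {
        URI canonical = URI.create("http://appserver.example/"); // constructed
        String[] requests = {                                    // constructed sample URLs
            "http://localhost/myapp/login.htm",
            "http://appserver.example/myapp/login.htm",
            "http://appserver.example:8080/myapp/login.htm?next=%2Fhome",
        };
        for (String r : requests) {
            URI u = URI.create(r);
            System.out.println(r + " -> realm " + realmOf(u) + ", redirect "
                    + redirectIfNonCanonical(u, canonical).map(URI::toString).orElse("none"));
        }
    }
}
```

Only the second sample URL yields "none"; the other two would present a different realm and so are redirected to the canonical origin first.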