Inconsistent usernames using Google as OpenID provider

  • Inconsistent usernames using Google as OpenID provider

    This was going to be a question until I figured out the answer for myself!

    I'm adding OpenID authentication to a small web app using Spring Security. Here's my config (minus the "beans" element):

      <intercept-url pattern="/css/**" filters="none" />
      <intercept-url pattern="/images/**" filters="none" />
      <intercept-url pattern="/index.htm" filters="none" />
      <intercept-url pattern="/login.htm" filters="none" />
      <intercept-url pattern="/welcome.htm" filters="none" />
      <intercept-url pattern="/**" access="ROLE_USER" />
      <logout logout-url="/logout.htm"/>
      <openid-login login-page="/login.htm" user-service-ref="myUserDetailsService"/>

    The UserDetailsService is implemented (naively for the moment) like this:

    public UserDetails loadUserByUsername(final String username) {
        // Allow anyone who's authenticated to log in as a "user"
        return new User(username, "ignored", true, true, true, true,
            new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
    }

    This all worked nicely using Verisign as the provider.

    When I logged in using my Google account (using the generic Google OpenID of the authentication process proceeded properly, i.e. Google prompted me to log in to Google, then my browser was correctly redirected to the secured view in my application that I originally requested. However, the username passed to the loadUserByUsername method (above) varied depending on which computer I logged in from. I was hoping this username would always be the same for a given Google user so that my UserDetailsService could use it to identify them.

    The answer was to use the same host name from all client machines; Google generates a different identifier per user per realm. Because I was using http://localhost/myapp from the server's browser and http://server_name/myapp from another machine, Google saw these as different realms and therefore returned different IDs even for the same Google user.

    Anyway, I hope this helps someone!
    Last edited by Andrew Swan; Nov 23rd, 2009, 04:41 PM. Reason: Fixed the correct answer
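
One way to keep the realm constant across client machines, as an added example that is not part of the original post: a servlet filter that redirects every request arriving under a different host name to a single configured one before the OpenID flow starts. The class name `CanonicalHostFilter` and the init-param `canonicalHost` are hypothetical, and the code assumes the `javax.servlet` API of the web app's container.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Redirects requests that arrive under a non-canonical host name (hypothetical helper). */
public class CanonicalHostFilter implements Filter {

    private String canonicalHost; // read from the hypothetical init-param "canonicalHost"

    public void init(FilterConfig config) throws ServletException {
        String value = config.getInitParameter("canonicalHost");
        if (value == null || value.trim().isEmpty()) {
            throw new ServletException("init-param 'canonicalHost' is required");
        }
        canonicalHost = value.trim();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getServerName() reflects the client-supplied Host header, so it is only
        // compared with the configured value and never copied into the redirect.
        if (canonicalHost.equalsIgnoreCase(request.getServerName())) {
            chain.doFilter(req, res);
            return;
        }
        ((HttpServletResponse) res).sendRedirect(canonicalUrl(request));
    }

    /** Rebuilds the requested URL on the configured host; scheme, port, path and query are kept. */
    String canonicalUrl(HttpServletRequest request) {
        String scheme = request.getScheme();
        int port = request.getServerPort();
        StringBuilder url = new StringBuilder(scheme).append("://").append(canonicalHost);
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        if (!defaultPort) {
            url.append(':').append(port);
        }
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    public void destroy() { }
}
```

Map the filter in `web.xml` ahead of the Spring Security filter chain so the redirect happens before the authentication request is built. With `canonicalHost` set to `server_name`, a request for `http://localhost/myapp/...` is sent to `http://server_name/myapp/...` first.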