将 DotNetOpenId 与 Google Apps 结合使用时出现问题
我的处境很危急,因为我们必须将 Google Apps 支持集成到我们的应用程序中,该应用程序位于 .Net 2.0 框架中。因此,我使用 DotNetOpenId v2.5.7。为了实现这一目标,我们之前使用 DotNetOpenAuth v3.4.6 在框架 4.0 中创建了一个单独的应用程序,该应用程序将使用 Google Apps 进行身份验证,并将数据与所有信息一起重定向回来。但该过程存在安全漏洞。所以现在我们必须使用DotNetOpenId,因为我们的应用程序无法迁移到更高的框架。
主要问题是与 Google Apps 一起使用时的问题。它适用于其 OpenId 端点为 https://www.google.com/accounts/o8/ud 的 Gmail 帐户。但是,当 OpenId Endpoint 类似于 https://www.google.com/a/example.com/o8/ud?be=o8 时,它会给我一个断言错误。该应用程序将用户正确重定向到 Google Apps 登录页面。但是,当它返回数据时,身份验证状态为失败,并且以下是其中的异常:
Message: The OpenId Provider issued an assertion for an Identifier whose discovery information did not match.
Assertion endpoint info:
ClaimedIdentifier: http://example.com/openid?id=11......010
ProviderLocalIdentifier: http://example.com/openid?id=11......010
ProviderEndpoint: https://www.google.com/a/example.com/o8/ud?be=o8
OpenID version: 2.0
Service Type URIs: (unavailable)
Discovered endpoint info:
{ClaimedIdentifier: http://specs.openid.net/auth/2.0/identifier_select
ProviderLocalIdentifier: http://specs.openid.net/auth/2.0/identifier_select
ProviderEndpoint: https://www.google.com/a/example.com/o8/ud?be=o8
OpenID version: 2.0
Service Type URIs: http://specs.openid.net/auth/2.0/server, }
我已放置一个 XRDS 文件,该文件可在此位置下载 http://example.com/openid ,其中包含数据如下
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
</Service>
<Service priority="10">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
</Service>
</XRD>
</xrds:XRDS>
但这也没有帮助。
我还在 http://example.com/.well-known/host-meta 位置放置了一个包含以下内容的文件:
Link: <https://www.google.com/accounts/o8/site-xrds?hd=example.com>; rel="describedby http://reltype.google.com/openid/xrd-op"; type="application/xrds+xml"
请告诉我还需要做什么。我几天来一直在浏览论坛并使用谷歌来解决这个问题,但没有任何进展。
I am in a critical situation as we have to integrate Google Apps support to our application, which is in .Net 2.0 framework. So for this I am using DotNetOpenId v2.5.7. Earlier in order to achieve this we created a separate application in framework 4.0 using DotNetOpenAuth v3.4.6 that would do the authentication with Google Apps and redirect the data back with all information. But that process had security loop holes. So now we are bound to use DotNetOpenId as our application cannot be migrated to higher framework.
The main issue is when using it with Google Apps. It works fine for Gmail accounts that has its OpenId Endpoint as https://www.google.com/accounts/o8/ud. However when OpenId Endpoint is something like this https://www.google.com/a/example.com/o8/ud?be=o8 it gives me an assertion error. The application redirects the user correctly to the Google Apps login page. But when it comes back with data the Authentication Status is Failed and following is the exception in it:
Message: The OpenId Provider issued an assertion for an Identifier whose discovery information did not match.
Assertion endpoint info:
ClaimedIdentifier: http://example.com/openid?id=11......010
ProviderLocalIdentifier: http://example.com/openid?id=11......010
ProviderEndpoint: https://www.google.com/a/example.com/o8/ud?be=o8
OpenID version: 2.0
Service Type URIs: (unavailable)
Discovered endpoint info:
{ClaimedIdentifier: http://specs.openid.net/auth/2.0/identifier_select
ProviderLocalIdentifier: http://specs.openid.net/auth/2.0/identifier_select
ProviderEndpoint: https://www.google.com/a/example.com/o8/ud?be=o8
OpenID version: 2.0
Service Type URIs: http://specs.openid.net/auth/2.0/server, }
I have placed an XRDS file which gets download at this location http://example.com/openid which has data as follows
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
</Service>
<Service priority="10">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
</Service>
</XRD>
</xrds:XRDS>
But this didn’t help either.
I also placed a file at location http://example.com/.well-known/host-meta with this content:
Link: <https://www.google.com/accounts/o8/site-xrds?hd=example.com>; rel="describedby http://reltype.google.com/openid/xrd-op"; type="application/xrds+xml"
Please tell me what else I need to do. I have been browsing forums and using Google since days to resolve this issue but no progress.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您是正确的,DotNetOpenId v2.x 的目标是 .NET 2.0。它无法通过 Google Apps OpenID 登录用户,因为 Google Apps 不遵循 OpenID 协议,而是遵循 Google 自己的变体。
DotNetOpenAuth v3.x 是可插入的,允许 Google Apps 通过激活对其 OpenID 变体的支持来工作。
我认为对您最有帮助的是了解 DotNetOpenAuth 不需要 .NET 4.0。只需安装 .NET 3.5,它是 .NET 2.0 的低影响就地更新。您的网站应该继续正常运行,但 DotNetOpenAuth v3.x 可以正常运行。
You are correct in that DotNetOpenId v2.x targets .NET 2.0. It cannot login users via their Google Apps OpenIDs because Google Apps do not follow the OpenID protocol, but rather Google's own variant of it.
DotNetOpenAuth v3.x is pluggable in a way that allows Google Apps to work by activating support for their variant of OpenID.
I think what will help you most is knowing that DotNetOpenAuth does not require .NET 4.0. Simply install .NET 3.5, which is a low-impact in-place update for .NET 2.0. Your web sites should continue functioning normally, but DotNetOpenAuth v3.x will work on it.