0

I'm trying to use the oic library to authenticate with Google OpenID Connect, and get an error 

oic.exception.IssuerMismatch: 'https://accounts.google.com' != 'accounts.google.com'

when running

from oic.oic.consumer import Consumer
db={}
config={}
c=Consumer(db, config)
print c.provider_config('https://accounts.google.com')

It tries accessing https://accounts.google.com/.well-known/openid-configuration, which says

"issuer": "accounts.google.com",

Now, the specification seems to suggest that this is incorrect:

issuer: REQUIRED. URL using the https scheme with no query or fragment component

Am I correctly interpreting the situation that this is an error in Google's OpenID connect configuration? Where should I report this error to?

(Note: I'm not looking for a work-around, which would be easy enough: I can just skip provider config discovery and hard-code the discovered information. But I want to support arbitrary OpenID Connect providers, not just Google)

Martin v. Löwis
  • 124,830
  • 17
  • 198
  • 235
  • I wouldn't necessarily call it an *error* so much as a process that doesn't 100% conform to spec, while `oic` is confirming more exactly with regard to that field. Google's documentation explicitly states that HTTPS requests must be used, and that HTTP connections are blocked, which *could* be why they're okay with not adding that portion of the URI to `issuer`. – admdrew Dec 10 '14 at 21:22
  • The problem is that oic refuses to proceed. It tries to verify that the service it is contacting is actually the one the application tried to connect, and finds that they are different services (on a string-comparison level). From a security perspective, this sounds sensible, since you don't want to send the user to the wrong service. Either a relying party is supposed to make this verification (in which case it is Google's error for failing it), or applications should ignore the actual value of the issuer field (in which case it would be oic's error for being overly strict). – Martin v. Löwis Dec 10 '14 at 21:40
  • Agreed, I was being pedantic with regard to "error" versus "out of spec". I did also notice that every other example `.well-known/openid-configuration` I could find (eBay, Heroku, and others) *do* include `https://` in the `issuer`. No idea how you'd report this to Google, though. – admdrew Dec 10 '14 at 21:43

1 Answers1

1

Google's OpenID Connect implementation does indeed not conform to that part of the spec. Google has implemented the OpenID Connect (-like) protocol before the spec was finished and in the mean time some of their RPs have become dependent on that identifier. Modifying it would be a breaking change for those RPs and Google has chosen not to to that, at least for now.

Some OpenID Connect implementations indeed make an exception for Google, others try to generalize this behavior by adding a "https://" prefix to any OP issuer identifier that does not start with it, some don't even check it because they don't implement Discovery related features. Pick whatever you like best.

Hans Z.
  • 50,496
  • 12
  • 102
  • 115
  • Any way to report this to Google, in case they don't know? Or to ask them to document this in case they do know? Or a reference where they have already documented it? – Martin v. Löwis Dec 10 '14 at 23:27
  • they know, but you can probably bump it here: https://groups.google.com/forum/#!forum/openid-connect-interop – Hans Z. Dec 11 '14 at 00:08