formapro / FpOpenIdBundle

Symfony2 OpenID security extension


Authentication via Google Apps account

fernandogessler opened this issue · comments

I'm trying to implement log in via Google's OpenID service. I've followed the instructions on the documentation and it worked well.

My problem comes trying to customize the flow using my own templates and, more important, not leaving the choice to the user to select the XRDS (I want them to login only with our domain's account). I'll also check the domain on the user info later, but haven't got there yet.

Right now I've replicated the form you serve on /login_openid in my own route: /login. I've turned the field openid_identifier into an input type=hidden so the user doesn't need to specify the URL to the XRDS. In this way I bypass your form, but the field openid_identifier is easily tampered with.

To overcome that problem, I've tried to internally forward the call to the checker, specifying openid_identifier:

public function loginAction()
{
    if (!is_null($this->getRequest()->query->get('login'))) {
        return $this->forward('FpOpenIdBundle:Security:check', array(
            'openid_identifier' => 'http://mydomain.com/openid'
        ));
    }

    ...

}

but then I get the exception in SecurityController->checkAction(). I understand that you hook in the functionality using SF2 security engine, but I haven't been able to understand the flow of the call.

Maybe I just have to forget about that issue and just check the domain on the user info, but I still don't know how to get it. I've tried

    $this->get('security.context')->getToken()->getAttributes()

but only got an empty array. I do get "http://mydomain.com/openid?id=1137 ... 5120" when I do getUser() though.

If you can help me here I will greatly appreciate it.

Cheers!

@fernandogessler, as I understand it, you want to hard-code one OpenID provider. In other words, prevent the user from using another one.

If so:

I would suggest:

But please pay attention that there is a known issue with overwriting relying_parties, #38. It does not affect you until you use the so-called interactive user creation.

Or you can extend the support method of https://github.com/formapro/FpOpenIdBundle/blob/master/Bridge/RelyingParty/LightOpenIdRelyingParty.php with an additional check of openid_identifier.
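The second option above, worked through as an added example (this is not FpOpenIdBundle code and not from the issue's participants): a relying party that only lets a request start the OpenID flow when its openid_identifier is on an allow-list, which removes the tampering concern with the hidden field. It assumes, as the thread describes, that the relying party exposes supports(Request $request) and that the provider is named by the openid_identifier request parameter; the class name, namespace, setter and service id are hypothetical.

```php
<?php
// Added example, not FpOpenIdBundle code: pin the relying party to one trusted provider
// by refusing any other openid_identifier before the OpenID flow starts.
// Assumptions: supports(Request) exists on the parent and the identifier comes from the
// "openid_identifier" request parameter (both as described in this thread); the class
// name, namespace and setter are hypothetical.

namespace Acme\UserBundle\Security;

use Fp\OpenIdBundle\Bridge\RelyingParty\LightOpenIdRelyingParty;
use Symfony\Component\HttpFoundation\Request;

class SingleProviderRelyingParty extends LightOpenIdRelyingParty
{
    /** @var string[] normalized identifiers that are allowed to start a login */
    private $allowedIdentifiers = array();

    // A setter rather than a constructor, so the parent's constructor signature is untouched.
    public function setAllowedIdentifiers(array $identifiers)
    {
        $this->allowedIdentifiers = array_map(array($this, 'normalize'), $identifiers);
    }

    /**
     * Gate the request that names a provider. The provider's callback (openid.mode=id_res)
     * carries no openid_identifier, so it is left to the parent; the account's e-mail domain
     * should still be checked from the token attributes once authentication completes.
     */
    public function supports(Request $request)
    {
        $identifier = $request->get('openid_identifier');
        if (null === $identifier || '' === $identifier) {
            return parent::supports($request);
        }
        if (!$this->isAllowed($identifier)) {
            return false; // unknown provider: the firewall listener will not handle this request
        }
        return parent::supports($request);
    }

    public function isAllowed($identifier)
    {
        return in_array($this->normalize($identifier), $this->allowedIdentifiers, true);
    }

    /**
     * Canonical form for comparison: trimmed, lower-cased scheme and host, no trailing slash.
     * The path keeps its case because OpenID identifiers may be case-sensitive there.
     */
    public function normalize($identifier)
    {
        $identifier = rtrim(trim((string) $identifier), '/');
        $parts = parse_url($identifier);
        if (false === $parts || empty($parts['host'])) {
            return $identifier; // not a URL (for example an XRI): compare verbatim
        }
        $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : 'http';
        $hostPos = strpos($identifier, $parts['host']);
        $rest = substr($identifier, $hostPos + strlen($parts['host']));
        return $scheme . '://' . strtolower($parts['host']) . $rest;
    }
}

// Service wiring (YAML, hypothetical service id). Inherit the constructor arguments from the
// bundle's own relying-party service definition, then point the bundle's relying-party option
// (the one issue #38 is about) at this service:
//   acme.openid.relying_party:
//       class: Acme\UserBundle\Security\SingleProviderRelyingParty
//       calls:
//           - [ setAllowedIdentifiers, [ [ 'https://mydomain.com/openid' ] ] ]
```

Because the gate sits in supports(), a request with a foreign identifier is simply not handled by the firewall listener, which is the same path the bundle takes for a request it does not recognise; nothing about the user's own form or template needs to change.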

@fernandogessler, is it? Can I close?

Hi makasim! thanks for the info.

Yes, it looks like it, but I was not able to try yesterday, sorry. I'm on it now. I'll get back to you shortly.

Ok!

I've tried to create my RelyingParty by extending LightOpenIdRelyingParty, but had no luck. If I'm not mistaken, AbstractRelyingParty has the only reference to the request parameter openid_identifier, so I've overridden it:

use Symfony\Component\HttpFoundation\Request;
use Fp\OpenIdBundle\Bridge\RelyingParty\LightOpenIdRelyingParty;

class SPOpenIdRelyingParty extends LightOpenIdRelyingParty
{
    // Always return the fixed provider instead of reading openid_identifier from the request
    protected function guessIdentifier(Request $request)
    {
        return 'https://mydomain.com/openid';
    }
}

but after the login call (to fp_openid_security_check), if the POST parameter openid_identifier is not set (that's exactly what I'm trying to achieve) I get the exception in SecurityController.checkAction():

You must configure the check path to be handled by the firewall using fp_openid in your security firewall configuration.

I'm sure the service is being accessed.

Do you spot the problem?

Hey!

Ok, I've been doing a bit of reading and I think I was getting it all wrong :p If I'm not mistaken, the whole point of OpenID is to let the user select their identity provider, so there's no point in hiding the URL to the XRDS.

What I need to do is to check the user identity to see if he comes from the provider I trust, right? In order to do that I tried:

$this->get('security.context')->getToken()->getAttributes()

but only got an empty array. I do get "http://mydomain.com/openid?id=1137...5120" when I do getUser() though.

Do you know why this is happening? Am I on the right path? I just want to authenticate users from my Google Apps domain.

Thanks in advance!

See the documentation of this bundle here. You need to configure the attributes that you want in your firewall settings, e.g. like this:

required_attributes:          [ contact/email, namePerson/first, namePerson/last, namePerson ]

Keep in mind that different providers will respond differently: Yahoo, for example, will ignore namePerson/first and namePerson/last but will give you namePerson, and it's the other way round with Google, which will ignore namePerson but give you namePerson/first and namePerson/last.
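What the domain check on those attributes can look like, as an added example (not bundle code and not from the issue's participants): it assumes the firewall lists contact/email under required_attributes as in the config line above, and that the token's getAttributes() array is keyed by the attribute name; the class and namespace are hypothetical, and the attribute arrays at the bottom are constructed.

```php
<?php
// Added example, not FpOpenIdBundle code: accept only accounts whose e-mail belongs to the
// Google Apps domain we trust. Assumes required_attributes contains contact/email and that
// getAttributes() is keyed by that name; class and namespace are hypothetical.

namespace Acme\UserBundle\Security;

class TrustedDomainChecker
{
    /** @var string the only e-mail domain that may log in, lower-cased */
    private $trustedDomain;

    public function __construct($trustedDomain)
    {
        $this->trustedDomain = strtolower(trim($trustedDomain));
    }

    /**
     * True only when the attributes carry one syntactically valid e-mail whose domain is
     * exactly the trusted domain. An absent attribute (a provider that ignored the request,
     * see the Yahoo/Google note above) counts as untrusted, never as "skip the check".
     */
    public function isTrusted(array $attributes)
    {
        if (empty($attributes['contact/email']) || !is_string($attributes['contact/email'])) {
            return false;
        }
        $email = trim($attributes['contact/email']);
        if (false === filter_var($email, FILTER_VALIDATE_EMAIL)) {
            return false;
        }
        // Exact comparison on the part after the last "@": rejects sub-domains
        // (x@evil.mydomain.com) and look-alike suffixes (x@mydomain.com.evil.org).
        $domain = strtolower(substr(strrchr($email, '@'), 1));
        return $domain === $this->trustedDomain;
    }

    public function getTrustedDomain()
    {
        return $this->trustedDomain;
    }
}

// Use after the firewall has authenticated the user, for example in a controller:
//   $attributes = $this->get('security.context')->getToken()->getAttributes();
//   if (!$checker->isTrusted($attributes)) {
//       throw new AccessDeniedException('This account is not from the trusted domain.');
//   }

// Constructed attribute arrays in the shape the thread describes; runs stand-alone with php.
$checker = new TrustedDomainChecker('mydomain.com');
$samples = array(
    'ok'        => array('contact/email' => 'alice@MyDomain.com', 'namePerson/first' => 'Alice'),
    'subdomain' => array('contact/email' => 'bob@evil.mydomain.com'),
    'lookalike' => array('contact/email' => 'carol@mydomain.com.evil.org'),
    'missing'   => array('namePerson' => 'Dave'),
);
foreach ($samples as $label => $attributes) {
    printf("%-10s %s\n", $label, $checker->isTrusted($attributes) ? 'trusted' : 'rejected');
}
```

The check deliberately compares the whole domain rather than using a substring or suffix match, since the attribute value comes from the provider and a looser match would let an account from another domain through.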

Great! That's it. Sorry I missed that in the docs.

Thanks to both of you!