Google OpenID Connect does not work #644

Closed
dmiyakawa opened this issue Jun 13, 2015 · 9 comments
Comments

@dmiyakawa

I saw #477 and #520, but I was not able to use the Google OpenID Connect support. Is anyone able to at this moment?

When I tried yesterday, there seemed to be several weird problems that are hard for me to fix or work around.

1: nonce is being rejected by the server

As @eshellman says at #477, AuthCanceled will be thrown, probably because Google's server sends HTTP 400. I inserted some debug statements and found this JSON message from Google:

{
  "error" : "invalid_request",
  "error_description" : "Parameter not allowed for this message type: nonce"
}

The OpenIdConnectAuth class inserts the "nonce" parameter every time (in auth_complete_params()), though I'm not sure whether that is legitimate per the spec.

Maybe GoogleOpenIdConnect needs to revert this behavior. Or possibly I'm just wrong about how to use python-social-auth.

    def auth_complete_params(self, state=None):
        params = super(OpenIdConnectAuth, self).auth_complete_params(state)
        # Add a nonce to the request so that to help counter CSRF
        params['nonce'] = self.get_and_store_nonce(
            self.ACCESS_TOKEN_URL, state
        )
        return params

2: RS256 is required while open_id.py is assuming HS256

open_id.py is assuming RS256 while the server is forcing HS256? It looks like even after the nonce is deleted (for debugging), jwt_decode() now fails by itself.

This topic will be related to this issue too: #641

3: Lack of documentation.

Right now the only (possibly) useful information is #520.
There seems to be no documentation at http://django-social-auth.readthedocs.org/en/latest/backends/google.html (at least right now); it does not mention "OpenID Connect" at all.

It would be very helpful if there were some explanation of how to get it to work.

Thanks!


vvakame commented Jun 19, 2015

👍

@Shurahbeel

i need the python script and password list


@dmiyakawa (Author)

FWIW, I implemented a simple django project with Python Social Auth that demonstrates this behavior.

https://github.com/dmiyakawa/psa_exp

Maybe I'm not using the library correctly, so pointing that out would also be helpful.


mhidaka commented Jun 22, 2015

👍


sidazad commented Jun 25, 2015

Any updates on this? Seems like OpenID has been phased out in favor of OpenID Connect. Hence support for OpenID Connect is imperative.


hjwp commented Apr 18, 2016

+1


vil-s commented Aug 10, 2016

My progress with this issue thus far:

  • I did the nonce fix
    • also got the RS256 algorithm error
  • Added ID_TOKEN_JWT_DECODE_KWARGS = {'algorithms': ['RS256']} to settings to fix that
    • Got a different algorithm error
  • Installed cryptography (pip install cryptography) which fixed that
    • Got this error TypeError: Expecting a PEM-formatted key

I have no idea where to even start fixing that.


gabejackson commented Nov 22, 2016

@unklphil I just implemented OpenIdConnect authorization for a proprietary platform today, which also only used RS256 for signing JWTs. I had to do something like this in validate_and_return_id_token to get it working:

from cryptography.hazmat.backends import default_backend
from cryptography.x509 import load_pem_x509_certificate

# The setting must hold the provider's PEM-encoded X.509 certificate as bytes;
# the ID token is then verified with the public key extracted from it.
key = load_pem_x509_certificate(self.setting('ID_TOKEN_DECRYPTION_KEY'), default_backend())
public_key = key.public_key()
decode_kwargs = {
    'algorithms': ['RS256'],        # pin the algorithm; do not let the token header choose it
    'audience': client_id,          # must match our client id (the token's "aud")
    'issuer': self.ID_TOKEN_ISSUER, # must match the token's "iss"
    'key': public_key,
    'options': {
        'verify_signature': True,
        'verify_exp': True,
        'verify_iat': True,
        'verify_aud': True,
        'verify_iss': True,
        'require_exp': True,
        'require_iat': True,
    },
}

your_social_ID_TOKEN_DECRYPTION_KEY should contain the certificate. I used something like this to load it:

# Read the certificate as bytes, which is what load_pem_x509_certificate expects.
with open("public-key-for-jwt-signing.pem", "rb") as in_file:
    your_social_ID_TOKEN_DECRYPTION_KEY = in_file.read()

I hope that helps.

One more note that got me at first, because I wasn't too familiar with JWTs: the RS256 signing method uses asymmetric signing, which means the Producer (Server) uses a private key to sign the request and you (Consumer) have to use the public key to verify the signature (with jwt_decode). Google's Open ID Connect gives you a kid back, which can be retrieved from the discovery document at https://accounts.google.com/.well-known/openid-configuration
The param "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs" contains the certs with the appropriate kid values. Ticket #747 has done great work in implementing all this automatically, but it hasn't been merged yet. Check out the source there.
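The kid-based RS256 verification described in the comment above, together with the nonce point from the opening issue (under OpenID Connect Core the nonce is an authorization-request parameter that comes back inside the signed ID token, which is why a token-endpoint request carrying it is rejected), as an added example: this is neither python-social-auth code nor any commenter's. Assumptions: the key pair, the kid, the issuer and client-id strings and every claim are constructed inline; RSA key generation and PKCS#1 v1.5 are written with plain Python ints so the file runs offline with no third-party packages, and that key generator only stands in for the provider's real signing key (it is not for production use). In real code the JWKS is fetched from the jwks_uri in the discovery document and cached, and refetched when a token names an unknown kid; PyJWT on top of cryptography performs the same checks once handed the key selected by kid.

```python
import base64, hashlib, json, random, secrets, time


def b64url_encode(data: bytes) -> str:   # base64url without padding (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_probable_prime(n: int, rounds: int = 16) -> bool:   # Miller-Rabin, n odd and > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_key(bits: int = 1024) -> dict:
    """Constructed stand-in for the provider's signing key; demo only, not for production."""
    def prime(b):
        while True:
            cand = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(cand):
                return cand
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


# RSASSA-PKCS1-v1_5 with SHA-256, i.e. JWS "RS256" (RFC 7518 section 3.3).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(message: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(message: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(message, k))


def jwks_from_key(key: dict, kid: str) -> dict:   # public half, shaped like a jwks_uri document
    enc = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}


def mint_id_token(claims: dict, key: dict, kid: str) -> str:   # provider side
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in ({"alg": "RS256", "kid": kid}, claims))
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), key))


def verify_id_token(token, jwks, issuer, audience, expected_nonce, now=None):
    """Client side: returns the verified claims or raises ValueError."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":            # pin the algorithm; never let the header choose it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None or jwk.get("kty") != "RSA":  # select the public key by kid from the JWKS
        raise ValueError("no RSA key with kid %r" % header.get("kid"))
    dec = lambda s: int.from_bytes(b64url_decode(s), "big")
    if not rs256_verify((h64 + "." + p64).encode(), b64url_decode(s64), dec(jwk["n"]), dec(jwk["e"])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if "exp" not in claims or (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    # The nonce went out in the authorization request and returns only inside the signed
    # ID token, so it is checked here rather than sent to the token endpoint.
    if not secrets.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    key, nonce = generate_rsa_key(), secrets.token_urlsafe(16)   # constructed key; per-login nonce
    claims = {"iss": "https://accounts.google.com", "aud": "my-client-id", "sub": "1234",
              "exp": int(time.time()) + 300, "nonce": nonce}
    token = mint_id_token(claims, key, "kid-1")
    print(verify_id_token(token, jwks_from_key(key, "kid-1"), claims["iss"], claims["aud"], nonce)["sub"])
```

Because the key is rebuilt from the JWK's n and e, there is no PEM certificate to load at all, which sidesteps the "Expecting a PEM-formatted key" step from the earlier comment; the algorithm is fixed to RS256 before the key is even looked up, so a token whose header claims HS256 or none is refused without touching key material.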

omab (Owner) commented Dec 27, 2016

The related PRs were merged or ported to the new lib social-core.

omab closed this as completed Dec 27, 2016