Question
Google updated their OpenID Connect endpoints to be fully spec compliant, as part of the OpenID Certification effort. I rely on OpenID Connect to sign my users in with Google. Will I need to do anything as a relying party to avoid breaking due to these changes?
Answer 1:
It depends on how you use OpenID Connect with Google. If you are performing dynamic discovery by fetching https://accounts.google.com/.well-known/openid-configuration as recommended by the docs then the way your servers interact with Google will change, but you will only be affected if your implementation cannot handle the newer, more spec compliant responses.
On the other hand, if you have hardcoded the various endpoints directly (i.e. the auth and token endpoints) then you are isolated from these changes, but you should consider migrating to the new endpoints.
Major changes in the new endpoints include:
- ID token issuer (the iss claim) changes from accounts.google.com to https://accounts.google.com (during the migration period, you should accept either value).
- If your response_type includes id_token, you must include a nonce or your requests will hard-error.
If you are using a spec-compliant OpenID Connect library then theoretically everything should continue to work as before.
To avoid any possible problems during the migration period (or if your website suddenly breaks), you can hardcode the following URL to get the previous discovery document: https://google.com/accounts/o8/well-known-openid-configuration-old.json (or use the values within to hardcode your auth and token endpoints). As this document points to old versions of the endpoints, you will get the old behavior. Then you can test your products with the latest endpoints (as found in the current discovery document) at your leisure.
To compare the differences, or view the complete new & old, see this gist.
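The two migration points the answer lists, as an added example that is not part of the original answer or of Google's code: a relying-party helper that accepts either issuer spelling when checking an ID token, and a request builder that mints a nonce whenever response_type includes id_token. The client ID, redirect URI, authorization endpoint and the sample claim sets are constructed for the demonstration; signature verification of the token is assumed to have happened already, for example against the JWKS referenced by the discovery document.

```python
"""Relying-party helpers for Google's move to a spec-compliant OpenID Connect issuer.

Added example (not from the original answer or from Google). All identifiers
below are constructed; the id_token payload is assumed to be signature-verified
before these claim checks run.
"""
import secrets
import time
from urllib.parse import urlencode

# Both spellings are valid during the migration period: the legacy issuer and
# the spec-compliant one with the https scheme.
ACCEPTED_ISSUERS = frozenset({"accounts.google.com", "https://accounts.google.com"})


def build_authorization_request(authorization_endpoint, client_id, redirect_uri,
                                response_type, scope="openid email",
                                state=None, nonce=None):
    """Return (url, state, nonce) for the front-channel request.

    A nonce is generated automatically when the flow returns an id_token, because
    the spec-compliant endpoints reject such requests without one. The caller must
    store state and nonce in the session for the checks on the way back.
    """
    wants_id_token = "id_token" in response_type.split()
    if wants_id_token and nonce is None:
        nonce = secrets.token_urlsafe(32)
    if state is None:
        state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": scope,
        "state": state,
    }
    if nonce is not None:
        params["nonce"] = nonce
    return f"{authorization_endpoint}?{urlencode(params)}", state, nonce


class IdTokenError(ValueError):
    """Raised when a (signature-verified) id_token payload fails a claim check."""


def validate_id_token_claims(claims, client_id, expected_nonce, now=None):
    """Check iss, aud/azp, exp and nonce of an id_token payload; return its sub.

    Accepts either issuer form so the relying party keeps working before, during
    and after Google's migration.
    """
    now = time.time() if now is None else now
    iss = claims.get("iss")
    if iss not in ACCEPTED_ISSUERS:
        raise IdTokenError(f"unexpected issuer {iss!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise IdTokenError("id_token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences but azp does not name this client")
    if claims.get("exp", 0) <= now:
        raise IdTokenError("id_token has expired")
    if expected_nonce is not None:
        presented = str(claims.get("nonce", ""))
        if not secrets.compare_digest(presented, expected_nonce):
            raise IdTokenError("nonce mismatch (possible replay)")
    sub = claims.get("sub")
    if not sub:
        raise IdTokenError("missing sub claim")
    return sub


# Constructed sample payloads (not real tokens) showing both issuer spellings.
CLIENT_ID = "example-client-id"
SESSION_NONCE = "n-0S6_WzA2Mj"
LEGACY_CLAIMS = {"iss": "accounts.google.com", "aud": CLIENT_ID,
                 "sub": "1234567890", "exp": 4102444800, "nonce": SESSION_NONCE}
NEW_CLAIMS = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
              "sub": "1234567890", "exp": 4102444800, "nonce": SESSION_NONCE}

if __name__ == "__main__":
    url, state, nonce = build_authorization_request(
        "https://idp.example/auth", CLIENT_ID, "https://rp.example/cb", "code id_token")
    print("request:", url)
    for label, claims in (("legacy", LEGACY_CLAIMS), ("new", NEW_CLAIMS)):
        print(label, "issuer accepted, sub =",
              validate_id_token_claims(claims, CLIENT_ID, SESSION_NONCE, now=1_700_000_000))
```

Once the migration window has closed, shrink ACCEPTED_ISSUERS to the single https value; keeping the legacy spelling indefinitely is harmless for Google but is a habit worth avoiding with issuers you control less.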
Source: https://stackoverflow.com/questions/29830503/google-is-updating-their-openid-connect-implementation-to-be-fully-spec-complian