
Google Federated Login (OpenID+Oauth) for Hosted Apps - changing end points?


I'm trying to integrate the Google Federated Login with a premier apps account, but I'm having some problems.

When I send the request to: https://www.google.com/accounts/o8/ud with all the parameters (see below), I get back both a request_token and list of attributes asked for by Attribute Exchange. This is perfect, as we need the email via attribute exchange (AX) to store the user in our application database, and we need the request token for future API requests to scopes (i.e. calendar, contacts, etc).

However, using that URL (herein referred to as the endpoint) doesn't keep the user signed in to their hosted apps (gmail, calendar, et al), which is a problem.

Changing the endpoint to https://www.google.com/a/thedomain.com/o8/ud?be=o8 changes everything. I am automagically signed in to other google apps (gmail etc). However, using that endpoint, I only get the request token or the attributes via AX. Obviously that's not particularly Hybrid. It's very much one or the other.

Example request to the endpoint https://www.google.com/accounts/o8/ud

import urllib  # Python 2: urllib.urlencode
from django.http import HttpResponseRedirect

end_point = 'https://www.google.com/accounts/o8/ud'

def begin_hybrid_login(request, assoc_handle):
    parameters = {
        # OpenID 2.0 checkid_setup with identifier_select (Google picks the account)
        'openid.ns': 'http://specs.openid.net/auth/2.0',
        'openid.claimed_id': 'http://specs.openid.net/auth/2.0/identifier_select',
        'openid.identity': 'http://specs.openid.net/auth/2.0/identifier_select',
        'openid.return_to': 'http://our.domain.com/accounts/callback/',
        'openid.realm': 'http://our.domain.com/',
        'openid.assoc_handle': assoc_handle,
        'openid.mode': 'checkid_setup',

        # OAuth hybrid extension (ext2): ask for a request token for the given scope
        'openid.ns.ext2': 'http://specs.openid.net/extensions/oauth/1.0',
        'openid.ext2.consumer': 'our.domain.com',
        'openid.ext2.scope': 'https://mail.google.com/mail/feed/atom',

        # Attribute Exchange (AX): fetch first name, last name and email
        'openid.ns.ax': 'http://openid.net/srv/ax/1.0',
        'openid.ax.mode': 'fetch_request',
        'openid.ax.required': 'firstname,lastname,email',
        'openid.ax.type.firstname': 'http://axschema.org/namePerson/first',
        'openid.ax.type.lastname': 'http://axschema.org/namePerson/last',
        'openid.ax.type.email': 'http://axschema.org/contact/email',
    }
    return HttpResponseRedirect(end_point + '?' + urllib.urlencode(parameters))

(assoc_handle is previously set successfully by the openid initial request)

I've been struggling for days trying to get this Hybrid approach working, fighting the most opaque error messages (This page is invalid ... thanks Google) and lack of consistent documentation. I've trawled every code sample I can to get to this point. Any help would be appreciated ...


Solution

  • For the record, posterity, and anyone else who might come asunder of this, I'll document the (ridiculous) answer.

    Ultimately, the problem was calling:

    return HttpResponseRedirect(
        'https://www.google.com/a/thedomain.com/o8/ud?be=o8'
        + '?'
        + urllib.urlencode(parameters)
    )

    Can you spot it? Yeah, it was the explicit inclusion of the question mark that caused the problem. Two query strings never exist at once.
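A URL builder that cannot produce the double question mark, as an added example (not code from the question or the answer): it merges the hybrid OpenID+OAuth parameters into an endpoint that already carries a query string such as `?be=o8`, and refuses to redirect unless `openid.return_to` sits under `openid.realm`, which OpenID 2.0 requires. The domain names are the question's placeholders; the function names are assumptions, and wildcard realms (`http://*.example.com/`) are not handled.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hosted-apps endpoint from the question; note it already has a query string.
HOSTED_ENDPOINT = "https://www.google.com/a/thedomain.com/o8/ud?be=o8"


def hybrid_auth_params(assoc_handle, return_to, realm, consumer, scope):
    """Parameters for an OpenID 2.0 checkid_setup request carrying the
    OAuth hybrid extension (ext2) and an AX fetch for name and email."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.claimed_id": "http://specs.openid.net/auth/2.0/identifier_select",
        "openid.identity": "http://specs.openid.net/auth/2.0/identifier_select",
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
        "openid.mode": "checkid_setup",
        "openid.ns.ext2": "http://specs.openid.net/extensions/oauth/1.0",
        "openid.ext2.consumer": consumer,
        "openid.ext2.scope": scope,
        "openid.ns.ax": "http://openid.net/srv/ax/1.0",
        "openid.ax.mode": "fetch_request",
        "openid.ax.required": "firstname,lastname,email",
        "openid.ax.type.firstname": "http://axschema.org/namePerson/first",
        "openid.ax.type.lastname": "http://axschema.org/namePerson/last",
        "openid.ax.type.email": "http://axschema.org/contact/email",
    }


def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 requires return_to to lie under the realm: same scheme,
    same host, realm path a prefix of the return_to path (no wildcard support)."""
    r, m = urlsplit(return_to), urlsplit(realm)
    return (r.scheme == m.scheme and r.netloc == m.netloc
            and r.path.startswith(m.path or "/"))


def build_redirect_url(endpoint, params):
    """Append params to endpoint with exactly one '?', keeping any query the
    endpoint already had (be=o8) instead of emitting '...?be=o8?openid.ns=...'."""
    if not return_to_matches_realm(params["openid.return_to"], params["openid.realm"]):
        raise ValueError("openid.return_to must be under openid.realm")
    parts = urlsplit(endpoint)
    # Existing query pairs first, then the OpenID parameters in a stable order.
    query = parse_qsl(parts.query, keep_blank_values=True) + sorted(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))
```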