本文介绍了Google正在更新其OpenID Connect实施,使其完全符合规范,对我来说有什么坏处吗?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

Google更新了其OpenID Connect端点,使其完全符合 spec 的要求,作为 OpenID认证工作的一部分.我依靠OpenID Connect来用Google登录我的用户.作为依赖方,我是否需要做任何事情来避免由于这些变化而中断?

Google updated their OpenID Connect endpoints to be fully spec compliant, as part of the OpenID Certification effort. I rely on OpenID Connect to sign my users in with Google. Will I need to do anything as a relying party to avoid breaking due to these changes?

推荐答案

这取决于您如何将OpenID Connect与Google结合使用.如果您通过获取 https://accounts.google.com/.well执行动态发现-建议/已知/openid-配置,然后服务器与Google的交互方式会更改,但是只有在您的实现无法处理更新的,更符合规范的情况下,您才会受到影响回应.

It depends on how you use OpenID Connect with Google. If you are performing dynamic discovery by fetching https://accounts.google.com/.well-known/openid-configuration as recommended by the docs then the way your servers interact with Google will change, but you will only be affected if your implementation cannot handle the newer, more spec compliant responses.

另一方面,如果您直接对各个终结点(即auth和token终结点)进行了硬编码,那么您就不会受到这些更改的影响,但是您应该考虑迁移到新的终结点.

On the other hand, if you have hardcoded the various endpoints directly (i.e. the auth and token endpoints) then you are isolated from these changes, but you should consider migrating to the new endpoints.

新端点的主要变化包括:

Major changes in the new endpoints include:

  1. Id令牌发行者(iss声明)从accounts.google.com更改为https://accounts.google.com(在迁移期间,您应该接受其中一个值)
  2. 如果您的response_type包含id_token,则必须包含nonce,否则您的请求将很难出错.
  1. Id Token issuer (the iss claim) changes from accounts.google.com to https://accounts.google.com (during the migration peroid, you should accept either value)
  2. If your response_type includes id_token, you must include a nonce or your requests will hard-error.

如果您使用的是符合规范的OpenID Connect库,则理论上所有内容都应照常运行.

If you are using a spec-compliant OpenID Connect library then theoretically everything should continue to work as before.

为避免在迁移期间(或您的网站突然中断)任何可能的问题,您可以对以下URL进行硬编码以获取以前的发现文档: https://google.com/accounts/o8/well-known-openid-configuration-old.json (或使用内的值以对您的身份验证和令牌端点进行硬编码).当本文指向端点的旧版本时,您将获得旧行为.然后,您可以使用最新的端点(如当前发现文档)在您闲暇时.

To avoid any possible problems during the migration period (or if your website suddenly breaks), you can hardcode the following URL to get the previous discovery document: https://google.com/accounts/o8/well-known-openid-configuration-old.json (or use the values within to hardcode your auth and token endpoints). As this document points to old versions of the endpoints, you will get the old behavior. Then you can test your products with the latest endpoints (as found in the current discovery document) at your leisure.

比较差异,或查看完整的新&旧版本,请参见此要点.

To compare the differences, or view the complete new & old, see this gist.

这篇关于Google正在更新其OpenID Connect实施,使其完全符合规范,对我来说有什么坏处吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-06 02:25