[JENKINS-9216] Make OpenID work with Google Apps accounts
Type: Improvement | Priority: Major | Resolution: Fixed
There appears to be some bootstrap/discovery problem that prevents this from working.
Yes, it does work (I think Google changed something in the last 8 months). However, like Kevin Behrens said, it only works automatically if you use the generic Google account URL.
If you use the URLs for your specific domain, OpenID generally expects to be able to get the xrds file from your domain, like example.com. Google does host a version of that file for you, but the discovery mechanism is tweaked to allow for it, so you either have to host it yourself or modify the discovery to read the file from the well-known URL pattern on google.
This is mostly from memory so hopefully I got it right.
I found that this ALMOST works. According to this spec: https://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery
I can use this endpoint URL (for my domain) in the plugin to get the process started correctly:
https://www.google.com/accounts/o8/site-xrds?hd=example.com
After I validate the login with Google, according to the spec above, the user OpenID file is by default found here:
http://example.com/openid?id=108441225163454056756
But Google actually hosts that for you, with this URL template, which is defined in the site XRDS doc.
https://www.google.com/accounts/o8/user-xrds?uri=
So the plugin fails because it doesn't apply that template and instead tries to retrieve the User XRDS doc from example.com.
At least, I think that's what is happening. I am going to try doing a URL rewrite on our web server as a workaround, but hopefully the author can take a look and see if perhaps there is a straightforward fix?
Here's an Apache mod_rewrite + mod_proxy rewrite rule that works for me:
# Proxy /openid?id=... to the Google-hosted user XRDS document instead of serving it locally
RewriteRule ^/openid$ http://www.google.com/accounts/o8/user-xrds?uri=http://example.com/openid?%{QUERY_STRING} [P,L]
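The discovery rewrite described in this comment, as an added example in Python (not the plugin's code and not the fix that was committed): the endpoint URLs are the ones quoted above, the generic Google endpoint and the function names are my assumptions, and the host check is what keeps the rewrite from being applied to identifiers outside the validated domain.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Endpoints quoted in the thread (site XRDS and Google-hosted user XRDS).
SITE_XRDS = "https://www.google.com/accounts/o8/site-xrds"
USER_XRDS = "https://www.google.com/accounts/o8/user-xrds"
# Assumed: the generic (non-Google-Apps) endpoint that works without any rewrite.
GENERIC_ENDPOINT = "https://www.google.com/accounts/o8/id"


def discovery_url(domain=None):
    """Where discovery starts: the generic endpoint, or the site XRDS for a Google Apps domain."""
    if not domain:
        return GENERIC_ENDPOINT
    return f"{SITE_XRDS}?{urlencode({'hd': domain})}"


def user_xrds_url(claimed_id, domain):
    """Map a claimed identifier (http://<domain>/openid?id=...) to the Google-hosted user XRDS.

    Only identifiers under the domain that was validated via the site XRDS are rewritten;
    anything else is rejected so the rewrite cannot be steered at another host's document.
    """
    parts = urlsplit(claimed_id)
    if parts.scheme != "http" or parts.netloc.lower() != domain.lower():
        raise ValueError(f"claimed id {claimed_id!r} is not under {domain}")
    if parts.path != "/openid" or "id" not in parse_qs(parts.query):
        raise ValueError("claimed id does not follow the /openid?id=... pattern")
    # The full claimed id goes into the uri parameter, percent-encoded.
    return f"{USER_XRDS}?{urlencode({'uri': claimed_id})}"
```

The rewrite is the same transformation the Apache rule above performs, with the claimed identifier percent-encoded rather than passed through raw.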
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
src/main/java/hudson/plugins/openid/GoogleAppSsoSecurityRealm.java
http://jenkins-ci.org/commit/openid-plugin/c2f725f9dd25462edf95a5e3a59759538ab23136
Log:
[FIXED JENKINS-9216]
Reworked the change based on the comment in the ticket.
This approach does not skip any checks, so it doesn't compromise on
security.
Compare: https://github.com/jenkinsci/openid-plugin/compare/51272cc7dd48...c2f725f9dd25
Thanks, Kohsuke! This was exactly the OpenId4Java subclass I was hoping would be possible! (Shout out to @autojack for channeling me IRL yesterday on IRC.)
I got the hint for this approach from a Ruby gem published by Living Social. The minimum OpenID workaround is encapsulated here:
https://github.com/sodabrew/rails-googleapps-auth/blob/master/lib/googleapps_auth.rb#L151-168
Damn it Kohsuke,
you resolved it just before I got the chance to make an offer for this issue at FreedomSponsors.
I'm taking the liberty of reopening it ONLY to draw your attention to it, hope you don't mind.
Here's the offer --> http://www.freedomsponsors.com/core/offer/2/make-openid-work-with-google-apps-accounts
Please go there and mark it as resolved and I will gladly pay up - as soon as the fix is available in a release version of Jenkins - (or you can wait a couple of days and maybe someone else will join me as a sponsor, it's up to you, really)
Everyone else, just to explain what this is about:
I'm a big fan of Jenkins (and Kohsuke's), and I created FreedomSponsors, specifically to make him rich (and maybe other people like him who also deserve it)
And this is the very issue that I was looking at, when the whole idea hit me.
That was like, 7 weeks ago. Now it has been up and running for a couple of days.
Yes, I have every intention of creating a big positive impact on open source projects like Jenkins. So please feel free to join and spread the word about it.
Cheers
Tony Lâmpada
FreedomSponsors - http://www.freedomsponsors.com
Software engineer and CEO, I guess
Thank you! I just updated that offer and also marking this as closed.
It's actually not working for me yet.
The weirdest thing happens: it works for everyone else in the company except for me
(And I already checked with HR: I have NOT been fired... hehe)
So, when I come back from Google Apps' login page, I get stuck on a HTTP redirect infinite loop on "/jenkins/securityRealm/finishLogin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth (....)"
There seems to be something wrong with my account, specifically, that's triggering this strange behaviour.
I have jenkins running inside tomcat, on port 8181, and I'm accessing it directly (without apache).
Also, this is a brand new jenkins installation (meaning: there was no .jenkins folder before I started tomcat) with OpenId plugin 1.5 newly installed.
I'm attaching a piece of the log from catalina.out (I changed the domain name though...)
Should I open a bug for this?
Cheers
I'm with @Kasper Garnæs
My jenkins works fine with my google apps domain.
My only open question is how to configure it such that only users of my domain have access.