
Microsoft.AspNet.Identity and Google SSO in OWIN

Dec 9, 2013 at 10:44 PM
I'm trying to use the Google SSO provided in OWIN with VS2013's SPA template; however, it is giving me a null pointer exception in RegisterExternalLogin.aspx.cs on the following line, no matter which Gmail account I try to sign in with.
            var loginInfo = Context.GetOwinContext().Authentication.GetExternalLoginInfo();
I debugged and checked the source code of GoogleAuthenticationHandler and noticed that the claims are correctly received (though I'm not sure if all the required claims to be used by GetExternalLoginInfo are there).

I've also noticed that the code is requesting some attributes that don't seem to exist in Google's document?
                    "&openid.ax.type.name=" + Uri.EscapeDataString("http://axschema.org/namePerson") +
                    "&openid.ax.type.first=" + Uri.EscapeDataString("http://axschema.org/namePerson/first") +
                    "&openid.ax.type.last=" + Uri.EscapeDataString("http://axschema.org/namePerson/last") +

https://developers.google.com/accounts/docs/OpenID?csw=1#Parameters
openid.ax.type.country (optional) Requests the user's home country. This value must be set to "http://axschema.org/contact/country/home".
openid.ax.type.email (optional) Requests the user's gmail address. This value must be set to either "http://axschema.org/contact/email" or "http://schema.openid.net/contact/email".
openid.ax.type.firstname (optional) Requests the user's first name. This value must be set to "http://axschema.org/namePerson/first".
openid.ax.type.language (optional) Requests the user's preferred language. This value must be set to "http://axschema.org/pref/language".
openid.ax.type.lastname (optional) Requests the user's last name. This value must be set to "http://axschema.org/namePerson/last".
Dec 12, 2013 at 4:12 PM
Thoughts, anyone? Not sure I'm doing anything different; I simply uncommented the app.UseGoogleAuthentication() line.
Coordinator
Dec 12, 2013 at 6:38 PM
Dec 16, 2013 at 5:45 PM
Hi Tractcher,

I see that it is indeed the case; however, the related issue https://katanaproject.codeplex.com/workitem/166 was closed as fixed. Should I open a new one for Google? This seems like a general implementation requirement for all OWIN middleware, to ensure that the returned Identity has ClaimsIdentity.Name filled with a non-null string?
Coordinator
Dec 16, 2013 at 6:44 PM
Facebook got fixed because we had a repro.

Sure, open a new bug for Google. Do you know which key is missing and which one should be the fallback? Any hints on how the Google account was configured would also help us repro this.
Dec 16, 2013 at 8:40 PM
Is there any reason why the default name cannot always fall back to email, then ClaimTypes.NameIdentifier? Those values seem to be more consistently available than first/last name?


Also, there are two reasons why first/last name are not available:
  1. When building authorizationEndpoint, the code requests name, first, last:
                    "&openid.ax.type.name=" + Uri.EscapeDataString("http://axschema.org/namePerson") +
                    "&openid.ax.type.first=" + Uri.EscapeDataString("http://axschema.org/namePerson/first") +
                    "&openid.ax.type.last=" + Uri.EscapeDataString("http://axschema.org/namePerson/last") +
                    "&openid.ax.required=" + Uri.EscapeDataString("email,name,first,last");
    
However, according to https://developers.google.com/accounts/docs/OpenID?csw=1#Parameters
there's no openid.ax.type.name, and openid.ax.type.first, openid.ax.type.last should be
openid.ax.type.firstname, openid.ax.type.lastname.

The required string should be email,firstname,lastname instead.
  2. I noticed that the Google account I had a problem logging in with OWIN is showing
Your profile was suspended because it violates our names policy

in its Google+; perhaps that is the reason why Google returns no first/last name for the account? However, it has never stopped me from using the account to sign into any other services. I don't think it is a big deal that a user doesn't have a first/last name as long as they have a proper NameIdentifier?
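
An added example, not part of the thread or of the Katana source: one way to apply the fallback order proposed in the post above (full name, then first and last name, then email, then ClaimTypes.NameIdentifier) so that ClaimsIdentity.Name is never null. The class and method names are hypothetical, and the sample identity is constructed.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
public static class ExternalNameFallback
{
    // Hypothetical helper: returns the first non-empty candidate in the order
    // full name, first + last, email, NameIdentifier; null if none is present.
    public static string ResolveDisplayName(ClaimsIdentity identity)
    {
        string first = Value(identity, ClaimTypes.GivenName);
        string last = Value(identity, ClaimTypes.Surname);
        string[] candidates =
        {
            Value(identity, identity.NameClaimType),
            string.Join(" ", new[] { first, last }.Where(s => s != null)),
            Value(identity, ClaimTypes.Email),
            Value(identity, ClaimTypes.NameIdentifier)
        };
        return candidates.FirstOrDefault(c => !string.IsNullOrWhiteSpace(c));
    }

    // Adds a name claim only when the provider supplied none, so that
    // identity.Name is non-null for code that reads it later.
    public static void EnsureName(ClaimsIdentity identity)
    {
        if (!string.IsNullOrWhiteSpace(identity.Name)) return;
        string name = ResolveDisplayName(identity);
        if (name == null)
            throw new InvalidOperationException("External identity has no usable claim.");
        identity.AddClaim(new Claim(identity.NameClaimType, name));
    }

    // Returns the trimmed value of the first claim of this type, or null if absent or blank.
    private static string Value(ClaimsIdentity identity, string type)
    {
        Claim claim = identity.FindFirst(type);
        return claim == null || string.IsNullOrWhiteSpace(claim.Value) ? null : claim.Value.Trim();
    }
    public static void Main()
    {
        // Constructed sample: a provider response carrying only email and identifier.
        var id = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "https://idp.example/id?id=constructed"),
            new Claim(ClaimTypes.Email, "user@example.com")
        }, "Google");
        EnsureName(id);
        Console.WriteLine(id.Name);
    }
}
```

The resolved value is a display name only; account linking should key on the issuer plus ClaimTypes.NameIdentifier, since names and email addresses can be absent or change.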