OpenID with Spring Security 3 and Google OpenID

So much information on Spring OpenID becomes outdated so quickly… Lots of articles and blog entries describe solutions for Spring Security 2.x, which is slightly different from 3.x.

I recommend sticking with the sample application at http://repo1.maven.org/maven2/org/springframework/security/spring-security-samples-openid/<your_version>/spring-security-samples-openid-<your_version>.war as a reference. Also, I found http://www.packtpub.com/article/opening-up-to-openid-with-spring-security quite helpful.

One caveat, though, is worth mentioning here: the Spring sample application does not work with Google and Yahoo OpenID (and probably many more). The reason is explained in the above article; just scroll down to “The OpenID user registration problem”.

For my sample application I didn’t implement registration just yet. So, when I used Google’s generic OpenID URL https://www.google.com/accounts/o8/id for the input field in openidlogin.jsp, I was able to authenticate against my Google account, but Spring complained as none of the user names listed in applicationContext-security.xml matched what Google returned. Quick fix: check your application’s log file for “Verification succeeded for: https://www.google.com/acc”…. That URL is the effective user name you should paste into applicationContext-security.xml.
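
The quick fix above, scripted as an added example (not part of the original post or of the Spring sample application): it pulls every verified identifier out of a log file and prints a matching `<user>` element, XML-escaped, to paste into the user service in applicationContext-security.xml. The sample log lines, the `openid.example` identifiers and the `ROLE_USER` authority are constructed assumptions.

```shell
#!/bin/sh
# Added example: turn "Verification succeeded for: <url>" log lines into
# <user> entries for the user service in applicationContext-security.xml.

# Print each distinct verified identifier found in log file $1.
verified_ids() {
    sed -n 's/.*Verification succeeded for: \([^[:space:]][^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Escape characters that are special inside an XML attribute value.
# Identifier URLs can carry query strings, so "&" must become "&amp;".
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Emit one <user> element per identifier. ROLE_USER is an assumed authority.
# No password attribute is emitted: OpenID login looks the user up by
# identifier only. If your schema version requires a password, use a long
# random value so the entry cannot double as a form-login account.
user_entries() {
    verified_ids "$1" | while IFS= read -r id; do
        printf '<user name="%s" authorities="ROLE_USER" />\n' "$(xml_escape "$id")"
    done
}

# Constructed sample log (identifiers and layout are made up for the demo).
sample_log() {
    cat <<'EOF'
10:00:01 INFO  Verification succeeded for: https://openid.example/id?id=CONSTRUCTED-2
10:00:02 DEBUG Some unrelated line
10:05:40 INFO  Verification succeeded for: https://openid.example/id?id=CONSTRUCTED-1&v=2
10:09:13 INFO  Verification succeeded for: https://openid.example/id?id=CONSTRUCTED-2
EOF
}

# Usage: ./openid_users.sh /path/to/application.log
if [ "$#" -gt 0 ]; then
    user_entries "$1"
fi
```

Review the printed identifiers before pasting them: every entry added to the user service is an account that can log in with the listed authorities.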
