Hello world,

I'm developing a django app that integrates with google apps. I'd like to let the users log in with their google apps accounts (accounts in google hosted domains, not google accounts) so they can access their docs, calendar, and whatnot.

In order to do it, I downloaded and started using django_openid_auth (and thus, python-openid).

First, to test it, I used this url in my settings:

OPENID_SSO_SERVER_URL = 'https://www.google.com/accounts/o8/id'

And with that I managed to redirect the user to the google accounts page to login and then to return to my own domain, with the authentication cycle described by the google folks successfully completed. However, logging in to google accounts is of little use for me, as I'd like the users who have a google apps account in their hosted domain -but not a google account- to log in with it. In order to do that, I read the google article on discovery, "Discovering OpenID Endpoints for Hosted Domains", and changed the aforementioned setting to:

OPENID_SSO_SERVER_URL = 'https://www.google.com/accounts/o8/site-xrds?hd=<my-domain>.com'

(where, obviously, <my-domain> is my actual domain ;)

But the backend responded with the following message:

OpenID authentication failed: HTTP Response status from identity URL host is not 200. Got status 404

Debugging a little, I managed to find out that the code in python-openid (version 2.2.4) is the one that is misinterpreting the response from google, but I'm quite at loss here.

I have seen the authentication in my own domain work in socialwok.com and puffypoodles.com. So I'm quite certain that the auth cycle for my google apps domain works, but somehow python-openid can't seem to complete it (though, and I reiterate, it works just fine with plain old google accounts).

Should I try to fix python-openid, or is there another way to fix this? Has anyone successfully managed to log in with google apps in a pure django app (not in google app engine)?

+3  A: 

According to http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains, Google changed the way of IdP Discovery and the user XRDS check a little bit to give Google Apps users an openid in the http://example.com/openid?id=108441225163454056756 kind of format without asking the users to build their own openid servers. For small companies, people can get their openid under their domain with as little as just a domain name if they use Google Apps.

This might be a good approach because people could use their Google Apps Account for the authentication, and they can still give out openids under their own domain, for which they could change the authentication backend in the future. It is simple and extendable, but sadly it hasn't become the standard yet. So, if you use a standard library like python-openid, you will encounter some problems.

To solve those problems, you have to patch python-openid yourself to follow Google's approach.

I ran into the same problem before and I have a patched version of python-openid v2.1.1 which works for me.

If you need, I could post my code after some cleanup. It was a quick patch, so don't expect too much :)

adieu
I would be grateful if you could post your code, no matter how messy it is if it works. Thanks!
Mihai A
I posted my patch at http://gist.github.com/357768
adieu
I uploaded my patched version of python-openid-2.2.4 at http://github.com/adieu/python-openid/
adieu
You also might want to try http://github.com/hudora/django-googleappsauth - it is specifically constructed for the googleapps use case
mdorseif
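As an added example (not code from the question, the answer, python-openid or django_openid_auth), here is the discovery step those libraries have to perform on a hosted-domain XRDS document, both for the site XRDS (an OP Identifier, so the OP picks the user's identity) and for a user XRDS carrying a claimed identifier of the http://example.com/openid?id=... form the answer describes, plus the cross-check an RP must make on the positive assertion that comes back so that a response from a different OP endpoint is rejected. The XRDS documents, the endpoint URL under www.google.com/a/example.com and the assertion parameters are constructed for this example; the real documents Google served are not on this page.

```python
"""OpenID 2.0 XRDS discovery for a Google Apps hosted domain (added example)."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"   # directed identity
CLAIMED_ID_TYPE = "http://specs.openid.net/auth/2.0/signon"      # user's own identifier
OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed sample of a hosted-domain site XRDS (what .../o8/site-xrds?hd=example.com
# is meant to return). The endpoint URL is an assumption for the example.
SITE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed sample of a user XRDS for a claimed id of the http://example.com/openid?id=...
# form. The priority-0 service is not an OpenID 2.0 service and must be skipped; the
# signon service carries a LocalID that has to be sent as openid.identity.
USER_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="5">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
      <LocalID>http://example.com/openid?id=108441225163454056756</LocalID>
    </Service>
    <Service priority="0">
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed positive assertion: the openid.* parameters the OP redirects back with.
ASSERTION = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://www.google.com/a/example.com/o8/ud?be=o8",
    "openid.claimed_id": "http://example.com/openid?id=108441225163454056756",
    "openid.identity": "http://example.com/openid?id=108441225163454056756",
}


def _q(tag):
    return "{%s}%s" % (XRD_NS, tag)


def _priority(service):
    # A missing priority attribute means "lowest priority" in XRD.
    value = service.get("priority")
    return int(value) if value is not None and value.isdigit() else float("inf")


def parse_xrds(xrds_xml):
    """Return the Service entries of the last XRD, highest priority (lowest number) first."""
    root = ET.fromstring(xrds_xml)
    xrds = root.findall(_q("XRD"))
    if not xrds:
        raise ValueError("no XRD element in XRDS document")
    services = []
    for svc in sorted(xrds[-1].findall(_q("Service")), key=_priority):
        services.append({
            "types": {t.text.strip() for t in svc.findall(_q("Type")) if t.text},
            "uris": [u.text.strip() for u in svc.findall(_q("URI")) if u.text],
            "local_id": (svc.findtext(_q("LocalID")) or "").strip() or None,
        })
    return services


def discover(xrds_xml):
    """Pick the first OpenID 2.0 service: op_endpoint, local_id and whether identity is directed."""
    for svc in parse_xrds(xrds_xml):
        if not svc["uris"]:
            continue
        if OP_IDENTIFIER_TYPE in svc["types"]:
            return {"op_endpoint": svc["uris"][0], "local_id": None, "directed": True}
        if CLAIMED_ID_TYPE in svc["types"]:
            return {"op_endpoint": svc["uris"][0], "local_id": svc["local_id"], "directed": False}
    raise ValueError("no OpenID 2.0 service in XRDS")


def assertion_consistent(discovered, assertion, claimed_id=None, claimed_id_xrds=None):
    """Cross-check a positive assertion against discovery (OpenID 2.0 spec, section 11.2).

    An assertion whose openid.op_endpoint differs from the endpoint discovered for the
    domain must be rejected even if its signature verifies; otherwise any OP could vouch
    for identities in a domain it does not serve.
    """
    if assertion.get("openid.ns") != OPENID2_NS:
        return False
    if assertion.get("openid.op_endpoint") != discovered["op_endpoint"]:
        return False
    if discovered["directed"]:
        # Directed identity: the OP chose openid.claimed_id, so the RP must run discovery
        # on that identifier too (the caller fetches its XRDS and passes it in) and check
        # it points back at the same OP endpoint.
        if claimed_id_xrds is None:
            return False
        claimed_id = assertion.get("openid.claimed_id")
        discovered = discover(claimed_id_xrds)
        if discovered["directed"] or discovered["op_endpoint"] != assertion["openid.op_endpoint"]:
            return False
    expected_identity = discovered["local_id"] or claimed_id
    return (claimed_id is not None
            and assertion.get("openid.claimed_id") == claimed_id
            and assertion.get("openid.identity") == expected_identity)


if __name__ == "__main__":
    site = discover(SITE_XRDS)
    print("site XRDS ->", site)
    print("user XRDS ->", discover(USER_XRDS))
    print("assertion accepted:", assertion_consistent(site, ASSERTION, claimed_id_xrds=USER_XRDS))
    forged = dict(ASSERTION, **{"openid.op_endpoint": "https://op.example.net/ud"})
    print("forged endpoint accepted:", assertion_consistent(site, forged, claimed_id_xrds=USER_XRDS))
```

The point of the second function is the one a patched discovery routine is most likely to get wrong: once the site XRDS is used as an OP Identifier, the claimed_id in the assertion is whatever the OP says it is, so the RP has to discover that identifier and confirm it resolves to the same endpoint before trusting it.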