27

I set up a project on my main domain example.com and then moved it to a subdomain sub.example.com.

Now when I try to use the same project (default ASP.NET MVC, or on my Discourse forum) with OpenID and click on the Google button to log in with my Google account, it throws the following error:

  1. That’s an error.

    OpenID auth request contains an unregistered domain: http://sub.example.com

I have tried Googling that message but apparently I am one of the first four people to see it. Any ideas here?

PW Kad

7 Answers

29

According to this page, Google closed registration to new OpenID 2.0 clients in May 2014 and will be shutting down the OpenID 2.0 service in April 2015.

The reason why some hosts work and some don't is that although Google isn't adding new hosts, you can still use the ones that are already registered.

UPDATE: Some people have asked for a simple explanation for how to fix this, or otherwise how to proceed.

Basically, you now have 2 options.

Use OAuth 2.0 (instead of OpenID protocols and older versions of OAuth)

or

Use Google+ login (which Google tried to "push" you towards)

For more details check the migration guide:

https://developers.google.com/+/api/auth-migration#userinfo

Mithun Sreedharan
Altryne
  • 10
    Wow wtf? I just read that article but I am trying to understand why Google would do that... – PW Kad May 21 '14 at 15:49
  • 2
    They are consolidating all of the different access points to flow through Google+. Which is a huge let-down for us, as we need the ability to use multiple URLs, without registering them first with Google. – Altryne May 21 '14 at 15:57
  • If you use the javascript client, you can register origins instead of specific redirect URIs. – breno May 21 '14 at 17:05
  • So we now have to use OAuth2 (https://developers.google.com/accounts/docs/OAuth2)? Or which solution? I don't understand this table (so tired after 8h of work..) – whoah May 21 '14 at 17:28
  • @breno An explanation of this would probably make an excellent answer – PW Kad May 21 '14 at 21:16
5

I would like to add some context to this thread together with a potential solution to developers that are currently blocked.

Back in February, we announced the deprecation of OpenID 2.0 (OID2), scheduled for April 2015. We also announced that new OID2 relying party (RP) registrations will no longer be accepted after April 2014.

Given that the API will be shut down in less than a year’s time, our intention is to avoid having new RPs integrate with Google's OID2 API. Instead, we suggest using our OpenID Connect API, which we consider more secure and easier to implement.

Registrations were effectively closed on May 19th (as documented in Google’s OID2 developer documentation). All RPs already using OID2 should not be affected by this closure.

As for developers currently working on an integration with our OID2 API (presumably because they missed the announcement and warnings in our OID2 documentation), we will do our best to minimize the friction caused by the registration closure. If you are in such a situation, please let us know by posting a registration request before June 15th. The post should contain a sample OID2 request used by your application; in case you prefer not to disclose such information, please post an email address and we will reach out. We plan to look into each case and try to get you unblocked in the best possible way.

OID2 does not have a registration procedure for RPs integrating with an identity provider. RPs are associated with the realm value (e.g., www.example.com) used when contacting Google's OID2 API. Thus, an RP is considered "registered" if its realm value has been used to contact our OID2 API.

Cody Gray
Miguel Andres
  • 12
    How does this change help the Internet? It's all well and good for Google's desire to mine more and more information from the Internet, but the great thing about OpenID is that it could be used by anyone. It's a wonderful thing. – MikeyB May 22 '14 at 00:50
  • This makes a big difference because OID2 didn't need each site to be registered via the API. Oauth2 and Google+ both need the realm to be already registered before invoking a login. – mordy May 23 '14 at 18:42
  • Hi Miguel, I've attempted to get in touch with you via that Google Group but my messages haven't been approved. – Alan Gerber Jun 02 '14 at 20:21
  • Hi Miguel, I am currently blocked by this, and my message to the Google group you linked to for posting a 'registration request' hasn't been approved for a week— are you able to approve it, and be in touch? – Alan Gerber Jun 05 '14 at 16:17
  • Hi Alan, I've contacted you at the address you provided via our Google Group. – Miguel Andres Jun 06 '14 at 16:25
  • I feel this is not answering the question at all. You need to give an answer aimed at the users, not at the developers. It is the end user who decides she wants to use a particular ID provider to log in to a particular site, and it is that end user who receives the error message. The site and the ID provider may have never heard about each other before this user wants to log in. What does that user need to do in order to log in? – kasperd Jun 27 '14 at 07:04
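
The realm rule described in the answer above, as an added example (not code from the thread or from Google): it derives the realm from an OpenID 2.0 request, applies the matching rules of OpenID Authentication 2.0 sections 9.1 and 9.2, and shows why moving from example.com to sub.example.com presents a realm that has never been used. The endpoint `https://op.example/auth`, the `seenRealms` list and all function names are constructed for illustration; treating "registered" as membership in a list of previously used realms is a model of the behaviour the answer describes.

```javascript
// Added example: OpenID 2.0 realm handling (OpenID Authentication 2.0, sections 9.1-9.2).
// The endpoint https://op.example/auth and the seenRealms list are constructed for illustration.

const effectivePort = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');

// Split a realm such as "http://*.example.com/" into comparable parts.
function parseRealm(realm) {
  if (realm.includes('#')) throw new Error('realm must not contain a fragment');
  const wildcard = /^https?:\/\/\*\./i.test(realm);
  const u = new URL(wildcard ? realm.replace('://*.', '://') : realm);
  return { wildcard, scheme: u.protocol, host: u.hostname, port: effectivePort(u), path: u.pathname };
}

// Canonical string for a realm, so "http://sub.example.com" and
// "http://sub.example.com:80/" compare equal.
function realmKey(realm) {
  const r = parseRealm(realm);
  return `${r.scheme}//${r.wildcard ? '*.' : ''}${r.host}:${r.port}${r.path}`;
}

// Section 9.1: the realm defaults to return_to when openid.realm is omitted.
function realmOf(authRequestUrl) {
  const q = new URL(authRequestUrl).searchParams;
  return q.get('openid.realm') || q.get('openid.return_to');
}

// Section 9.2: return_to must share scheme and port with the realm, sit at or
// below its path, and match its host exactly or through a leading "*." wildcard.
function returnToMatchesRealm(returnTo, realm) {
  const r = parseRealm(realm);
  const u = new URL(returnTo);
  if (u.protocol !== r.scheme || effectivePort(u) !== r.port) return false;
  const hostOk = u.hostname === r.host || (r.wildcard && u.hostname.endsWith('.' + r.host));
  const base = r.path.endsWith('/') ? r.path : r.path + '/';
  return hostOk && (u.pathname === r.path || u.pathname.startsWith(base));
}

// Model of the closed registration: a request passes only if its realm was used before.
function isKnownRealm(authRequestUrl, seenRealms) {
  const known = new Set([...seenRealms].map(realmKey));
  return known.has(realmKey(realmOf(authRequestUrl)));
}

// Constructed requests: the same application before and after moving to a subdomain.
const request = (realm) => 'https://op.example/auth?openid.mode=checkid_setup' +
  `&openid.realm=${encodeURIComponent(realm)}&openid.return_to=${encodeURIComponent(realm + '/signin')}`;
const seenRealms = ['http://example.com/'];
console.log(isKnownRealm(request('http://example.com'), seenRealms));
console.log(isKnownRealm(request('http://sub.example.com'), seenRealms));
```
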
2

I had the identical problem, but when using nodejs / expressjs.

I have migrated my code using the code at the URL below, and that fixed the issue.

Passport strategies for authenticating with Google using OAuth 1.0a and OAuth 2.0: https://github.com/jaredhanson/passport-google-oauth

Soren
Dev
2

You can easily change to OAuth 2; this article shows you how to register your app with Google and add the key to MVC. Scroll down to: "Creating a Google app for OAuth 2 and connecting the app to the project."

And you may need to add the Microsoft.Owin.Security.Google package via NuGet.

Garrett Fogerlie
  • @Gerrett Any link or example code to upgrade to OAuth 2 in an asp.net mvc 4 application? Can we simply create a class similar to the asp.net mvc 5 start.auth.cs file in app_start and call it in application_start? I posted a question http://stackoverflow.com/questions/26127590/asp-net-mvc-4-use-oauth2-for-google – sanjeev Sep 30 '14 at 18:43
1

The sub-domains that fail are those that had never seen any user requests before. As per https://developers.google.com/+/api/auth-migration#timetable, Google is not allowing new domains in the OpenID2 API.

breno
0

I have this exact problem. We use Google's login to run a platform, and it's a brand new problem.

A few things I have discovered, if this helps:

  1. Full domains trying to use OpenID never fail: www.example.org and www.example2.com are not having this problem.
  2. Subdomains on the platform have this problem sometimes, but the same subdomains always fail and the others always work.

It started around Monday and is still happening now.

mordy
  • Thanks for the tips - it would be really nice to get some attention to this question to get a good answer - I can't bounty it until tomorrow – PW Kad May 21 '14 at 15:27
  • This is incorrect, it just happened that all full domains were registered and the subdomains were not, ignore this answer – mordy May 23 '14 at 18:50
0

Take a deep breath and just change, in the Startup.Auth.cs file,

    app.UseGoogleAuthentication();

to

    // Placeholder values: use the client ID and secret issued when you register the app with Google.
    app.UseGoogleAuthentication(
        clientId: "000-000.apps.googleusercontent.com",
        clientSecret: "00000000000");

Refer to the http://www.asp.net/mvc/tutorials/mvc-5/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on page.

Youngjae