This was going to be a question until I figured out the answer for myself!
I'm adding OpenID authentication to a small web app using Spring Security. Here's my config (minus the "beans" element):
Code:
<http>
    <intercept-url pattern="/css/**" filters="none" />
    <intercept-url pattern="/images/**" filters="none" />
    <intercept-url pattern="/index.htm" filters="none" />
    <intercept-url pattern="/login.htm" filters="none" />
    <intercept-url pattern="/welcome.htm" filters="none" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <logout logout-url="/logout.htm"/>
    <openid-login login-page="/login.htm" user-service-ref="myUserDetailsService"/>
</http>
The UserDetailsService is implemented (naively for the moment) like this:
Code:
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;

// Spring Security 2.x API (GrantedAuthority[] rather than a Collection)
public UserDetails loadUserByUsername(final String username) {
    // Allow anyone who's authenticated to log in as a "user"
    return new User(username, "ignored", true, true, true, true,
            new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
}
This all worked nicely using Verisign as the provider.
When I logged in using my Google account (using the generic Google OpenID of www.google.com/accounts/o8/id) the authentication process proceeded properly, i.e. Google prompted me to log in to Google, then my browser was correctly redirected to the secured view in my application that I originally requested. However, the username passed to the loadUserByUsername method (above) varied depending on which computer I logged in from. I was hoping this username would always be the same for a given Google user so that my UserDetailsService could use it to identify them.
The answer was to use the same host name from all client machines; Google generates a different identifier per user per realm. Because I was using http://localhost/myapp from the server's browser and http://server_name/myapp from another machine, Google saw these as different realms and therefore returned different IDs even for the same Google user.
Anyway, I hope this helps someone!
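To make the realm point concrete, here is an added example written for this page; it is not code from the original post or from Spring Security. It implements the return_to/realm matching rule from OpenID Authentication 2.0 (section 9.2) and a small helper that derives a realm from a return_to URL, so you can see why a relying party reached as http://localhost/myapp and as http://server_name/myapp looks like two different relying parties to Google. The realm derivation in default_realm() (scheme, host and port with a root path), the host name server.example.com standing in for server_name, and the /j_spring_openid_security_check return_to path are assumptions made for illustration.

```python
"""OpenID 2.0 realm matching, shown against the two URLs from the post.

Added example for this page; it is not code from the original post or from
Spring Security. Google's directed-identity endpoint returns a claimed
identifier scoped to the relying party's realm, so a relying party reached as
http://localhost/myapp and as http://server.example.com/myapp presents two
realms and receives two identifiers for one Google account. The matching
rule below follows OpenID Authentication 2.0, section 9.2. The realm
derivation in default_realm() (scheme://host[:port]/) is an assumption made
here for illustration, not a statement about what Spring Security computes.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    """Port explicitly given in the URL, else the scheme's default port."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def default_realm(return_to: str) -> str:
    """Derive a realm from a return_to URL: scheme, host and port only.

    Assumption for illustration: the realm is the origin of the return_to URL
    with a root path, so two host names always yield two realms.
    """
    p = urlsplit(return_to)
    host = (p.hostname or "").lower()
    origin = f"{p.scheme}://{host}"
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme):
        origin += f":{p.port}"
    return origin + "/"


def realm_matches(realm: str, return_to: str) -> bool:
    """Return True if return_to lies within realm (OpenID 2.0, section 9.2).

    Scheme and port must be identical; the return_to path must equal the realm
    path or be a sub-directory of it; the host must be identical, or the realm
    host may start with the "*." wildcard and match that domain or any
    subdomain of it. A realm must not carry a fragment.
    """
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme != u.scheme:
        return False
    if _effective_port(r) != _effective_port(u):
        return False

    r_host = (r.hostname or "").lower()
    u_host = (u.hostname or "").lower()
    if r_host.startswith("*."):
        suffix = r_host[2:]
        if not (u_host == suffix or u_host.endswith("." + suffix)):
            return False
    elif r_host != u_host:
        return False

    # Compare paths on directory boundaries: "/myapp" must match "/myapp" and
    # "/myapp/anything" but must not match "/myapplication".
    r_path = r.path.rstrip("/")
    u_path = u.path or "/"
    return u_path == r_path or u_path.startswith(r_path + "/")


def same_realm(return_to_a: str, return_to_b: str) -> bool:
    """Would an OpenID provider see these two return_to URLs as one relying party?"""
    return default_realm(return_to_a) == default_realm(return_to_b)


if __name__ == "__main__":
    # Constructed URLs standing in for the post's localhost and server_name
    # cases; the Spring Security return_to path is assumed.
    local = "http://localhost/myapp/j_spring_openid_security_check"
    remote = "http://server.example.com/myapp/j_spring_openid_security_check"
    print(default_realm(local), default_realm(remote), same_realm(local, remote))
```

The practical consequence is the one the post reaches: the identifier Google hands back is only stable while every login passes through the same scheme, host and port, so the check worth running when identifiers appear to drift is to compare the realms of the return_to URLs your users actually hit, not the user records.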