Fulup

Reputation: 545

Google OpenIdConnect People

I implemented the client side of OpenIDConnect authentication/provisioning/federation for a few OAuth2-OpenIdConnect providers. But I fail to get Google OpenID People https://developers.google.com/+/api/openidconnect/getOpenIdConnect working.

I have no problem with the 1st part of OpenID Authentication/Authorization and get the Identity token from JSONWEBtoken without trouble. Nevertheless, I fail to access the $identityApiUrl. The odd thing is that Google's old userinfo API works!!! Only the new one fails with an authorization error.

For the People API I used a Bearer token, reusing the access_token I got with my authorization request, exactly like I do with the old API.

Hereafter is a short extract from my code with the URL and scopes I used, as well as the error I get when manually replaying the request with curl.

Questions:

Extract from code with API's URL

    // main IDP configuration URLs
    protected $openidconnect = true;  // Google supports OpenID-Connect
    protected $authTokenUrl  = 'https://accounts.google.com/o/oauth2/auth';
    protected $accessTokenUrl= 'https://www.googleapis.com/oauth2/v3/token';
    // I fail to get Google People OpenIdConnect API to work :(
    //protected $identityApiUrl= 'https://www.googleapis.com/plus/v1/people/me/OpenIdConnect';
    protected $identityApiUrl= 'https://www.googleapis.com/oauth2/v1/userinfo';

    // OAuth2 action-1:  getAuthUrl($state) build authorization token url
    protected $scopes = ['openid','email','profile'];  // request authentication & email

The error code, when replaying the request with curl

    [apache@vz-bzh GeoToBe]$ curl -X GET -H "Authorization: Bearer ya29.5ABSl_75eP_zYFho_E-wVjPlZJc1XfY398HZqJjMxvRxBEWteLKZwNeh2v0BPwWuoH1iLpESeBQvFw" https://www.googleapis.com/plus/v1/people/me/openIdConnect
    {
     "error": {
      "errors": [
       {
        "domain": "usageLimits",
        "reason": "accessNotConfigured",
        "message": "Access Not Configured. The API is not enabled for your project, or there is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your configuration.",
        "extendedHelp": "https://console.developers.google.com"
       }
      ],
      "code": 403,
      "message": "Access Not Configured. The API is not enabled for your project, or there is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your configuration."
     }
    }

Upvotes: 2

Views: 656

Answers (1)

Hans Z.

Reputation: 54088

You need to enable the "Google+ API" under APIs & auth in the Google API console.

Upvotes: 4
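
A way for an OpenID Connect client to tell this 403 apart from a token failure, as an added example that is not part of the question or the answer: it reads the `reason` field of the error body shown in the question. The function name and the returned labels are hypothetical.

```php
<?php
// Added example; the function name and the 'cause' labels are hypothetical.

/** Classify a failed identity-endpoint response by its actual cause. */
function classifyIdentityApiError(int $httpStatus, string $body): array
{
    $doc     = json_decode($body, true);
    $errors  = is_array($doc) ? ($doc['error']['errors'] ?? []) : [];
    $reasons = [];
    foreach (is_array($errors) ? $errors : [] as $e) {
        if (is_array($e) && is_string($e['reason'] ?? null)) {
            $reasons[] = $e['reason'];
        }
    }

    if (in_array('accessNotConfigured', $reasons, true)) {
        // The token was accepted; the project has not enabled this API.
        // A new login cannot fix this, so do not send the user back to the IdP.
        return ['cause' => 'project_config', 'reauthenticate' => false, 'reasons' => $reasons];
    }
    if ($httpStatus === 401) {
        // Missing, expired or revoked access token: restart the authorization flow.
        return ['cause' => 'token', 'reauthenticate' => true, 'reasons' => $reasons];
    }
    // Anything else: fail closed and log the reasons, never the Authorization header.
    return ['cause' => 'other', 'reauthenticate' => false, 'reasons' => $reasons];
}

// Constructed sample: the 403 body from the question, trimmed to the fields used here.
$sample = '{"error":{"errors":[{"domain":"usageLimits","reason":"accessNotConfigured"}],"code":403}}';

print_r(classifyIdentityApiError(403, $sample));
print_r(classifyIdentityApiError(401, ''));
print_r(classifyIdentityApiError(500, '<html>oops'));
```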
