Reputation: 10425
In particular I'm interested in the verification of the claimed ID. Google's instructions talk about retrieving metadata from the domain in the claimed ID, which will contain a link to the XRDS document. For Google Apps that meta file would be found at
http://example.com/.well-known/host-meta or https://www.google.com/accounts/o8/.well-known/host-meta?hd=example.com
My question is: are both of these host-meta paths a Google augmentation to the spec, or only the latter? We're trying to update one of the standard OpenID libs to properly support this, and we want to keep the code that supports the Google augmentations appropriately separated.
I can't seem to find any reference to ".well-known/host-meta" in the OpenID spec file.
Upvotes: 2
Views: 278
Reputation: 11692
The protocol itself is mostly standard -- e.g. /.well-known/host-meta is part of the LRDD spec for discovery. The catch with Google Apps has to do with the fact that few, if any, domains host their own discovery information, so trying to discover the provider for a domain like example.com would fail. So Google has an alternate location for the host-meta file, which OpenID RPs that want to support Google Apps need to be aware of.
Additionally, if you're verifying signatures on these outsourced XRDS files, you need to permit hosted-id.google.com as a valid signer. Normally you'd check to see that the signing certificate subject is the same as the domain you're discovering for, but since Google is signing on behalf of the target domain the additional check is needed.
On a related note, Google Apps support has already been added to a bunch of different libraries, either directly or via an add-on:
PHP: php-openid + http://code.google.com/p/php-openid-apps-discovery/
Ruby: ruby-openid + http://code.google.com/p/ruby-openid-apps-discovery/
.NET: DotNetOpenAuth (built-in)
Java: OpenID4Java + http://code.google.com/p/step2
Python: https://github.com/adieu/python-openid
Upvotes: 1
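As an added illustration (not code from either poster or from any of the libraries listed), here is how an RP might keep the two discovery steps the answer describes separate: the standard host-meta location tried first with Google's outsourced location as a fallback, the Link line of a host-meta document parsed for the XRDS href, and the signer check relaxed to accept hosted-id.google.com. The sample host-meta text is constructed, and the rule that the Google signer is only accepted when discovery actually went through Google's location is an assumption chosen here as the conservative policy.

```python
import re

STANDARD_HOST_META = "http://{domain}/.well-known/host-meta"
GOOGLE_HOST_META = "https://www.google.com/accounts/o8/.well-known/host-meta?hd={domain}"
GOOGLE_SIGNER = "hosted-id.google.com"

# A host-meta "Link:" line: Link: <href>; rel="..."; type="..."
LINK_RE = re.compile(r'^Link:\s*<([^>]+)>(.*)$', re.IGNORECASE)
PARAM_RE = re.compile(r';\s*(\w+)\s*=\s*"?([^";]*)"?')


def host_meta_candidates(domain):
    """Standard location first; Google's outsourced location as the fallback.
    The second tuple element marks whether the candidate is the Google one."""
    return [
        (STANDARD_HOST_META.format(domain=domain), False),
        (GOOGLE_HOST_META.format(domain=domain), True),
    ]


def xrds_link_from_host_meta(text):
    """Return the href of the first Link line whose rel includes 'describedby',
    i.e. the pointer to the XRDS document, or None if there is no such line."""
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue
        href, rest = m.group(1), m.group(2)
        params = {k.lower(): v for k, v in PARAM_RE.findall(rest)}
        if "describedby" in params.get("rel", "").split():
            return href
    return None


def signer_is_acceptable(domain, signer_cn, outsourced):
    """Normal rule: the signing certificate subject must match the domain.
    Google Apps augmentation: hosted-id.google.com is also acceptable, but
    (assumption made here) only when host-meta came from Google's location."""
    if signer_cn.lower() == domain.lower():
        return True
    return outsourced and signer_cn.lower() == GOOGLE_SIGNER


# Constructed sample of a host-meta document served from Google's location.
SAMPLE_HOST_META = (
    'Link: <https://www.google.com/accounts/o8/site-xrds?hd=example.com>; '
    'rel="describedby http://reltype.google.com/openid/xrd-op"; '
    'type="application/xrds+xml"\n'
)
```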