I’m trying to implement Google’s hybrid OpenID+OAuth login on a Google AppEngine site. For some reason, my login link only prompts the user to give login access via their Google account (OpenID). It does not ask for access to Contacts/Docs/etc (OAuth).
The example on Google’s site uses this URL for login:
```
https://accounts.google.com/o/openid2/auth?
openid.ns=http://specs.openid.net/auth/2.0&
openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&
openid.identity=http://specs.openid.net/auth/2.0/identifier_select&
openid.return_to=http://googlecodesamples.com/hybrid/index.php&
openid.realm=http://googlecodesamples.com&
openid.mode=checkid_setup&
openid.ns.ui=http://specs.openid.net/extensions/ui/1.0&
openid.ns.ext1=http://openid.net/srv/ax/1.0&
openid.ext1.mode=fetch_request&
openid.ext1.type.email=http://axschema.org/contact/email&
openid.ext1.type.first=http://axschema.org/namePerson/first&
openid.ext1.type.last=http://axschema.org/namePerson/last&
openid.ext1.type.country=http://axschema.org/contact/country/home&
openid.ext1.type.lang=http://axschema.org/pref/language&
openid.ext1.required=email,first,last,country,lang&
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&
openid.oauth.consumer=googlecodesamples.com&
openid.oauth.scope=http://docs.google.com/feeds/+http://spreadsheets.google.com/feeds/+http://www-opensocial.googleusercontent.com/api/people/
```
If you click the link, note how it prompts for access to Email/Country/Language, in addition to Docs and Contacts.
If I replace these 3 parameters with my values:
```
openid.return_to=http://2.myapp.appspot.com&
openid.realm=http://*.myapp.appspot.com&
openid.oauth.consumer=myapp.appspot.com&
```
It still displays the login page, but only asks for Email/Country/Language…no mention of Docs/Contacts.
The app domain is registered and verified with Google – am I missing something? If I implement OAuth separately and generate an auth URL for Docs & Contacts, it works fine…but I would really like to do everything in one step with this hybrid approach, if possible.
For a hybrid request to be considered valid, the oauth2 consumer and the OpenID2 realm must ‘match’. In this case, the realm would match some value for consumer such as 2.myapp.appspot.com, but not myapp.appspot.com.
One possible solution would be to also register ‘2.myapp.appspot.com’ as your OAuth2 consumer.
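Added example (not code from the question, the answer, or Google): a small builder for the hybrid request that checks the realm/return_to/consumer relationship before redirecting the user, so a mismatch like the one above fails loudly instead of silently dropping the OAuth scopes. The rules are assumptions: `return_to` must fall inside the realm per the OpenID 2.0 realm rule, and the consumer is pinned to the exact `return_to` host (the conservative reading of the answer; Google's precise rule is not on this page).

```python
from urllib.parse import urlencode, urlsplit

# Assumed rules (not Google's documented algorithm): OpenID 2.0 realm
# matching for return_to, and oauth.consumer == host of return_to.

def realm_matches(realm, url):
    """True if url is inside realm: same scheme and port, path under the
    realm path, and host equal to (or, for a '*.' realm, a subdomain of)
    the realm host."""
    r, u = urlsplit(realm), urlsplit(url)
    if r.scheme != u.scheme or r.port != u.port:
        return False
    rpath, upath = (r.path or "/"), (u.path or "/")
    if upath != rpath and not upath.startswith(rpath.rstrip("/") + "/"):
        return False
    rhost, uhost = (r.hostname or ""), (u.hostname or "")
    if rhost.startswith("*."):
        base = rhost[2:]
        return uhost == base or uhost.endswith("." + base)
    return uhost == rhost

def consumer_matches(return_to, consumer):
    """Conservative check: the OAuth consumer is the return_to host."""
    return consumer.lower() == (urlsplit(return_to).hostname or "")

def hybrid_request_url(return_to, realm, consumer, scopes):
    """Build the Google hybrid OpenID+OAuth checkid_setup URL, raising
    on a realm/consumer mismatch instead of sending a broken request."""
    if not realm_matches(realm, return_to):
        raise ValueError("return_to %s is outside realm %s" % (return_to, realm))
    if not consumer_matches(return_to, consumer):
        raise ValueError("oauth.consumer %s != return_to host" % consumer)
    params = [
        ("openid.ns", "http://specs.openid.net/auth/2.0"),
        ("openid.claimed_id", "http://specs.openid.net/auth/2.0/identifier_select"),
        ("openid.identity", "http://specs.openid.net/auth/2.0/identifier_select"),
        ("openid.return_to", return_to),
        ("openid.realm", realm),
        ("openid.mode", "checkid_setup"),
        ("openid.ns.ext1", "http://openid.net/srv/ax/1.0"),
        ("openid.ext1.mode", "fetch_request"),
        ("openid.ext1.type.email", "http://axschema.org/contact/email"),
        ("openid.ext1.required", "email"),
        ("openid.ns.oauth", "http://specs.openid.net/extensions/oauth/1.0"),
        ("openid.oauth.consumer", consumer),
        # scopes are space separated; urlencode renders the space as '+'
        ("openid.oauth.scope", " ".join(scopes)),
    ]
    return "https://accounts.google.com/o/openid2/auth?" + urlencode(params)
```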