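I am trying to get Google OpenID to return openid.pape.preferred_auth_policies
as specified in the following link:
https://developers.google.com/accounts/docs/OpenID#gsa
Specifically, I would like the http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf
policy to be returned, but no matter what I specify in the request, Google does not seem to return it (and I am on a host with a valid SSL certificate). I am using simpleSAMLphp and specify the policy to be returned as follows (and I have also tried at least 4-5 other ways):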
    'http://specs.openid.net/extensions/pape/1.0' => array(
        'max_auth_age' => 60,
        'preferred_auth_policies' => 'http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf',
    ),
The request to Google looks like this:
openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.ext0=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.ax.mode=fetch_request&openid.ax.type.ext0=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ax.type.ext1=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ax.type.ext2=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.type.ext3=http%3A%2F%2Faxschema.org%2FnamePerson&openid.ax.type.ext4=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffriendly&openid.ax.required=ext0%2Cext1%2Cext2%2Cext3%2Cext4&openid.ext0.max_auth_age=60&openid.ext0.preferred_auth_policies=http%3A%2F%2Fwww.idmanagement.gov%2Fschema%2F2009%2F05%2Ficam%2Fopenid-trust-level1.pdf&openid.realm=https%3A%2F%2Ftw.socialidp.com&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Ftw.socialidp.com%2Fidp%2Fmodule.php%2Fopenid%2Flinkback.php%3FAuthState%<removed>https%253A%252F%252Ftw.socialidp.com%252Fidp%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dgoogleoid2%2526ReturnTo%253Dhttps%25253A%25252F%25252Ftw.socialidp.com%25252Fidp%25252Fmodule.php%25252Fcore%25252Fauthenticate.php%25253Fas%25253Dgoogleoid2%26janrain_nonce%3D2013-02-18T20%253A10%253A30Z3jP9G3&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=<removed>
The relevant part is:
&openid.ext0.preferred_auth_policies=http%3A%2F%2Fwww.idmanagement.gov%2Fschema%2F2009%2F05%2Ficam%2Fopenid-trust-level1.pdf
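Can someone verify whether this is correct?
Also, at the bottom of the section referenced above on the Google OpenID page, Google states:
Including http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf requests that Google assert that the authentication conforms to the security requirements of the GSA profile for OpenID. By default, all Google authentication flows provide these security features, whether or not this particular policy URL is included.
From reading this, it seems that one can blindly assume that every AuthN attempt using OpenID is at LOA1, and that there is actually no need to get this assertion from Google. Is this a correct assumption?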
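
An added example, not part of the original post and not simpleSAMLphp code: a relying-party-side check that resolves the PAPE namespace alias (ext0 in the request above) and accepts a policy only when the response lists it in a signed auth_policies field, which is the response-side parameter name in PAPE 1.0. The function names are hypothetical and the two sample responses are constructed, not captured from Google.

```python
from urllib.parse import parse_qsl, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
ICAM_LOA1 = "http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf"

def pape_fields(query):
    """Return (alias, {field: value}) for the PAPE extension, whatever alias is used."""
    msg = dict(parse_qsl(query, keep_blank_values=True))
    # openid.ns.<alias>=<namespace URI> is what binds an alias to an extension.
    alias = next((k[len("openid.ns."):] for k, v in msg.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return None, {}
    prefix = "openid." + alias + "."
    return alias, {k[len(prefix):]: v for k, v in msg.items() if k.startswith(prefix)}

def response_asserts_policy(query, policy=ICAM_LOA1):
    """True only if auth_policies lists `policy` and the PAPE fields are signed."""
    alias, fields = pape_fields(query)
    if alias is None:
        return False
    msg = dict(parse_qsl(query, keep_blank_values=True))
    # openid.signed names the covered keys without the "openid." prefix.
    signed = msg.get("openid.signed", "").split(",")
    if not {"ns." + alias, alias + ".auth_policies"} <= set(signed):
        return False
    # auth_policies is a space-separated list of policy URIs.
    return policy in fields.get("auth_policies", "").split(" ")

# PAPE part of the request shown in the question (other parameters omitted).
SAMPLE_REQUEST = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.ns.ext0=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0"
    "&openid.ext0.max_auth_age=60"
    "&openid.ext0.preferred_auth_policies=http%3A%2F%2Fwww.idmanagement.gov"
    "%2Fschema%2F2009%2F05%2Ficam%2Fopenid-trust-level1.pdf")

# Constructed responses (not captured from Google): one signed, one not.
_base = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.ns.pape": PAPE_NS, "openid.pape.auth_policies": ICAM_LOA1}
SIGNED_RESPONSE = urlencode(dict(_base, **{"openid.signed": "mode,ns.pape,pape.auth_policies"}))
UNSIGNED_RESPONSE = urlencode(dict(_base, **{"openid.signed": "mode"}))

if __name__ == "__main__":
    print(pape_fields(SAMPLE_REQUEST))
    print(response_asserts_policy(SIGNED_RESPONSE), response_asserts_policy(UNSIGNED_RESPONSE))
```

This only checks that the PAPE fields are covered by openid.signed; verifying the signature itself remains the job of the OpenID library.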