Google's OpenID Connect - different NameIdentifier

Question

I followed the steps to migrate my namespaces to use Google's OpenID Connect implementation in ACS.

When I receive my claims from ACS, I have the new Subject claim containing the new Google NameIdentifier as expected. However, the "old" id in the NameIdentifier claim is not the same as the NameIdentifier I was receiving with Google OpenId 2.0.

The value of  the NameIdentifier which I get from ACS depends on value "Use Google Open ID Connect" which is set in Windows Azure Management portal 

Any idea what can cause this?

Answer 1

Hi,

Thanks for posting here!

Google’s OpenID 2.0 and OpenID Connect implementations use different identifiers to uniquely identify Google users. When you migrate your ACS namespace, ACS makes two identifiers, both the current OpenID 2.0 identifier and the new OpenID Connect identifier, available to your application. You must switch your users’ identifiers in your backend system to OpenID Connect identifiers by this date, and start using only OpenID Connect identifiers going forward. This requires application code changes.

For more information see this link: https://msdn.microsoft.com/en-us/library/azure/dn927169.aspx?f=255&MSPPError=-2147217396

Hope this helps!

Best Regards,

Sadiqh

Answer 2

This is a known issue that the ACS product team is investigating. We should have more details soon on this. Apologies for the inconvenience.

Answer 3

Can you please check this now to see if the nameIdentifier issue is resolved?

Answer 4

It works now. Thank you