venkata kambhampaty (Migrated from SEC-2739) said:
It looks like Google has changed the way OpenID authentication is done. My login page with OpenID works fine on one server whose domain was registered some time ago. On another server, whose domain was registered lately, I get the following stack trace.
I am using Spring OpenID 3.2.5.RELEASE and Spring Security 3.2.3.RELEASE.
[http-bio-443-exec-5] DEBUG org.springframework.security.openid.OpenIDAuthenticationFilter - Failed to consume claimedIdentity: https://www.googleapis.com/plus/v1/people/me/openIdConnect
org.springframework.security.openid.OpenIDConsumerException: Error during discovery
    at org.springframework.security.openid.OpenID4JavaConsumer.beginConsumption(OpenID4JavaConsumer.java:105)
    at org.springframework.security.openid.OpenIDAuthenticationFilter.attemptAuthentication(OpenIDAuthenticationFilter.java:125)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at edu.ncrn.cornell.ced2ar.valves.AccessControlValve.invoke(AccessControlValve.java:29)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.openid4java.discovery.yadis.YadisException: 0x706: GET failed on https://www.googleapis.com/plus/v1/people/me/openIdConnect : 403
    at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:411)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:252)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
    at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
    at org.springframework.security.openid.OpenID4JavaConsumer.beginConsumption(OpenID4JavaConsumer.java:103)
    ... 34 more
2014-10-13 12:27:18,839 [http-bio-443-exec-5] DEBUG org.springframework.security.openid.OpenIDAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Unable to process claimed identity 'https://www.googleapis.com/plus/v1/people/me/openIdConnect'
2014-10-13 12:27:18,839 [http-bio-443-exec-5] DEBUG org.springframework.security.openid.OpenIDAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
2014-10-13 12:27:18,839 [http-bio-443-exec-5] DEBUG org.springframework.security.openid.OpenIDAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1b177df
2014-10-13 12:27:18,839 [http-bio-443-exec-5] DEBUG org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - Redirecting to /denied
Comment From: eleftherias
It looks like there is a misconfiguration of the client when setting it up in Google. This StackOverflow question may be useful. I'm going to close this issue since the permission configuration is out of the control of Spring Security.