Google OpenID Authentication is broken

Google recently changed its openid system, and now logins to kunagi via google openid are failing.

Below are two relevant links:

Statement from Kunagi Team

Error was client-related. See comments for details.


Issue is closed.


Tue, Apr 30, 2013, 08:22 by Witek (SM,T)

It works for me on all our servers. Perhaps Google changed it back to support the common OpenID standard? Can someone confirm this?

Tue, Apr 30, 2013, 23:07 by David

It's not working on my server.

Kunagi version 0.24.4

No recent changes since the time openid login last worked.

Upon attempting authentication, the following screen is presented:

This has been the case for several days now.

Wed, May 1, 2013, 12:55 by Witek (SM,T)

Can not reproduce the problem. Can you please try your authentication on our demo server? -> Does it work for you?

Please compare the URLs of our demo server and yours. Any differences?

Wed, May 1, 2013, 16:12 by David

Yes, the demo server does work, and the openid urls are different between the demo site and mine, how odd! I *am* using the same google account as always.

Wed, May 1, 2013, 22:20 by David

I tried swapping out the openid urls, but the one used on the demo site does not enable authentication on my server, which makes sense, since the openid protocol manages authentication on a per-client basis.

If the demo still works, that indicates that perhaps the google change has not broken kunagi.

My install still does not authenticate though. Is there something simple that I can do to turn on logging or some kind of verbosity for the authentication process?


Fri, May 3, 2013, 19:19 by David

I have verified that my problem was *not* kunagi related.

The tomcat server logs contained the following three messages toward the end of the failed authentication:

> Verifying nonce
> Nonce is too old
> Nonce verification failed.

And, thus, the reason authentication failed was mis-aligned system clocks between google and my server.

I made sure that NTP was updating my server time correctly, and voila! Openid authentication works again!

Thanks guys!

Sun, May 5, 2013, 00:42 by artjom (PO,T)

Thank you your feedback. I've marked the Issue as solved.

Post a comment