June 13th, 2014

Windows Azure ACS Google Authentication Broken or “The difference between a serious cloud service and Windows Azure ACS”

As you probably know, Google is migrating to OpenID Connect under the name of Google+ Sign-In, a migration that I welcome. As part of this process, they are deprecating a couple of endpoints and authentication methods.

As any serious cloud service would, they announced this migration a long time ago, publishing a schedule that clearly specifies dates, the features that will be deprecated and the actions to take.

On May 19 they closed the registration of new OpenID 2.0 clients: existing clients will keep working until April 20, 2015, but you cannot register new clients.

That is how a serious cloud service works: when you provide a cloud service you must provide more than the service functionality; you must provide confidence and stability, keeping in mind that your customers’ systems rely on you.

Now, as you know, Windows Azure Access Control Service (now part of Windows Azure Active Directory) uses Google OpenID 2.0 as its method to federate authentication with Google, and, as you can imagine, they haven’t migrated to the new Google+ Sign-In. That means that any ACS namespace you have created after May 19 will have Google authentication completely broken.

When you attempt to sign in, you will see an error like this one:

[Screenshot: ACS Google sign-in error, captured 2014-06-13]

So, if you relied on Windows Azure ACS and your architecture requires creating ACS namespaces (a multi-tenant architecture, for example), your systems will be broken.

It is really a pity, because I think that Windows Azure is a great platform, and it really surprised me coming from a serious company like Microsoft, but I will think twice next time before trusting a Windows Azure service.

  • Alex Simons

    Leandro – this isn’t quite correct. Existing solutions using ACS will continue to work. You just won’t be able to create/register new namespaces. We are mid-way through porting ACS onto Azure AD. Once that port is complete, we will reopen it again.

    • Alex,

      Thank you for taking the time to read and comment on my article.

      I know that existing ACS namespaces will work, and I thought that it was clear in my article when I said “any ACS namespace that you have created after May 19 will have Google Authentication completely broken.”

      Of course existing ACS namespaces work, because they are already provisioned on Google as OpenID clients, but the fact is that any existing architecture that requires creating ACS namespaces on the fly, for example a multi-tenant service that uses a namespace-per-tenant model, will have its Google Auth completely broken. (I’m using this example because it is a problem that I’m having right now.)

      I’ve been working with ACS since it came out, and, with all its limitations, I like it, but I think in this case it broke the golden rule of a cloud service.

      As I said in my article, it is really a pity, because I think that Windows Azure is a great platform, but the treatment of this issue was inappropriate.

    • Tilo

      Where do we find any MS timeline for this? ACS documentation still claims Google support: http://azure.microsoft.com/en-us/documentation/articles/fundamentals-identity/

  • Dominic Tam

    Hi Leandro. I’m facing exactly the same problem. I have been looking for a way to change my code (which currently uses ACS) so that it will support the new Google OpenID Connect way. Have you found a migration path or reference?

    Alex, you wrote “We are mid-way through porting ACS onto Azure AD. Once that port is complete, we will reopen it again.” Did you imply that Azure Active Directory will support (or is currently supporting) Google OpenID Connect authentication? If this is the case, I will consider changing my code from ACS to Azure Active Directory.

    • Dominic,

      We were using ACS as a Federation Provider in our platform, but we migrated to a custom solution. There are many ways to implement Google Sign-In, depending on the platform you are using.

      As another option, you can check http://auth0.com, which will solve what ACS was solving for you!

      Good luck!