Google Auth not returning a consistent ID with IdentityServer4

Question

I'm having a go at setting up IdentityServer4, using Example 8_EntityFramework as a base.

The problem - Google auth does not seem to return a consistent ID that I can link back to my app.

Looking at this StackOverflow post, one user claims from the docs that the 'sid' will do it. However, If i restart the server and clear the cache, the SID comes back different (see below), so don't think it's trustworthy.

Following another train of thought, I tried setting the UserInformationEndpoint to 'https://www.googleapis.com/oauth2/v1/userinfo' but that fails completely.

Here's my code for the auth server startup.js - It's pretty much as standard in the example.

public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();

var connectionString = @"server={myserver};database=IdentityServer4.QuickStart;trusted_connection=yes";
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;



// configure identity server with in-memory users, but EF stores for clients and scopes
services.AddIdentityServer()
    .AddSigningCredential(new X509Certificate2(@"{pathtocertificate}\{certname}.pfx", "{password}"))
    //.AddTemporarySigningCredential()
    .AddInMemoryUsers(Config.GetUsers())
    .AddConfigurationStore(builder =>
        builder.UseSqlServer(connectionString, options =>
            options.MigrationsAssembly(migrationsAssembly)))
    .AddOperationalStore(builder =>
        builder.UseSqlServer(connectionString, options =>
            options.MigrationsAssembly(migrationsAssembly)));

}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
// this will do the initial DB population
InitializeDatabase(app);

loggerFactory.AddConsole(LogLevel.Debug);
app.UseDeveloperExceptionPage();

app.UseIdentityServer();

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,

    AutomaticAuthenticate = false,
    AutomaticChallenge = false
});

app.UseGoogleAuthentication(new GoogleOptions
{
    AuthenticationScheme = "Google",
    DisplayName = "Google",
    SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,
    Scope = { "openid", "email" },



    ClientId = "434483408261-55tc8n0cs4ff1fe21ea8df2o443v2iuc.apps.googleusercontent.com",
    ClientSecret = "3gcoTrEDPPJ0ukn_aYYT6PWo"
});

app.UseStaticFiles();
app.UseMvcWithDefaultRoute();

}

Google Auth Result 1

Clear cache and restart IdentityServer4 - ALL the keys change!

Does anyone know what hook i can use to match against in my resource servers (i.e. google ID abc always = my user xyz) please?

Answer 1

Following a discussion on the Gitter IdentityServer4 forum, it seems the issue related to example 8 using an in-memory user store.

I thought because the auth was external and some info is stored in the database, that in-memory store was irrelevant, but this was not the case.

Example 6 with AspNetIdentity wires everything up correctly and returns consistent ID's.