Google Apps as single authentication point for your corporate applications

This is an update to my post “Google Apps Premier federated login with PHP”. The idea is simple: users do not like passwords, and fewer passwords means less pain and more security.

Nowadays many companies have moved to the cloud, which covers most needs but leaves room for small homegrown applications, ideas, prototypes, etc. It is convenient to handle user login for these applications with the existing Google Apps login infrastructure.

This post is about using it with PHP.


Since the previous post, I’ve updated the PHP libraries used to their latest versions and tested them again. I also rewrote the bundled example to work in a more transparent way and made it clearer.

Libraries version

Online demo


All-in-one-pack includes libraries and example


Unpack, and make sure the TMP folder and its sub-folders are writable.

It requires the php_curl and php_openssl extensions; make sure you have both.

Example code


  1. This is awesome, just what I wanted.

    I didn’t want to understand the openID auth process, and I didn’t want my users registering.


  2. Hi, I tried your code but it gives me the following error. Can you please help in solving this?

    Fatal error: Error while attempting OpenID discovery: Can not verify trust chain. in /home/neolearning/www/google/Auth/OpenID/google_discovery.php on line 101

    Anantha Prasad

  3. I’ve given 777 mode to the tmp folder and subfolders. Still it gives the same error. Then I tried commenting that
    /*if (!$trusted) {
    throw new GApps_Discovery_Exception("Can not verify trust chain.");

    Then it gives the “OpenID authentication failed: Nonce already used or out of range” error.
    Can you please help?

    Anantha Prasad

  4. Great solution – thanks a lot!

    Just a little bugfix – the url of the return server is wrong when using https – brackets are missing. Here is the correct line of code:
    $config['return_server'] = ($_SERVER["HTTPS"]?'https://':'http://').$_SERVER['SERVER_NAME'].":".$_SERVER['SERVER_PORT'];

  5. Help! Any idea how this code could be updated to request the user’s profile picture as well? Having problems working this in.

  6. It doesn’t work now, I have a PHP error
    “Parse error: syntax error, unexpected $end in C:\wamp\www\ga-open-id\index.php on line 175”
    Do you know what the problem is? It looks easy.

  7. Oh, thanks Constantin! I have another error now, but I can read it clearly. Thanks for your quick answer!

  8. An error in the GoogleAppsAuthentication.php code for MediaWiki 1.17.0. On line 98 $wgOut->redirect($url."?action=purge"); //action=purge is used to purge the cache

    should read

    $wgOut->redirect($url."&action=purge"); //action=purge is used to purge the cache

    Just the & instead of the ?. Not much of a coder so not sure if this is a problem for everyone.

    Thanks a lot for this solution. It worked brilliantly. Only took me 15 minutes to completely set up. And I am no computer guru.

  9. Also a question. Our company has a number of Google Apps domains. (e.g.,, Is there any way to allow the user to login under alternate domains?


  10. Also some tips about administration.

    Once you set this extension up you can’t login as Admin (as far as I am aware) as it always wants you to login under a google apps account. This means you can’t change the permissions for the users. Then if you disable the extension to change the permissions of some of the new google apps users (e.g. you hit the problem that MediaWiki doesn’t like the @ symbol when using the Special:UserRights page. To overcome this you need to add $wgUserrightsInterwikiDelimiter = '#'; to the LocalSettings.php file to change it from using the @ to redirect to external wikis to using a # instead. Then you need to give some google apps users admin rights. Then enable the extension. Then it all works fine.

    Sorry for the poorly written comment. I am in a hurry.

  11. I have met the error below. I don’t know why. Please help me with this.

    Fatal error: Call-time pass-by-reference has been removed in C:\xampp\htdocs\test\ga-open-id\Auth\OpenID\Consumer.php on line 1184

  12. I found that the pass-by-reference feature has been removed in 5.4. But it seems to work without this.

    Just remove the “&” sign on line 1184. So it would become "$this->fetcher);" and try again!

  13. I am trying to implement this plugin on localhost.

    But I am getting this error: “Auth request object error. Try again”

    Please help me..

  14. The error in these lines:

    Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www\mediawiki-1.20.2\extensions\GoogleAppsAuthentication\Auth\OpenID\Consumer.php on line 1184

    Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www\mediawiki-1.20.2\extensions\GoogleAppsAuthentication\Auth\Yadis\Manager.php on line 416

  15. Hi,
    Thank You for your reply.

    I got no error but still it is not working.

    It is showing the “Auth request object error. Try again” error.

    Please help me with this also.

  16. Hi,
    I have a problem with the Wikimedia GoogleAppsAuthentication Extension. I use php-5.3.21 and apache 2.4.3.
    I followed your guide step by step and I have fixed all “Call-time pass-by-reference” errors, but I still have this error:
    Fatal error: Failed to initialize OpenID file store in /var/www/opuntia/extensions/GoogleAppsAuthentication/tmp in /var/www/opuntia/extensions/GoogleAppsAuthentication/Auth/OpenID/FileStore.php on line 72

    Could anyone help me please!

  17. how would I go about redirecting the user to which would bring them to their google app mail or any other service or directory once the login is successful. I noticed in the code that you’re calling up the results but what would I need to delete and input to direct to another directory instead?

  18. Thanks Constantin for your answer.
    I did chmod -R 0777 /tmp but I still have another error “Auth request object error. Try again”

    I can’t understand what the problem is.
    Note: I use the Wikimedia GoogleAppsAuthentication Extension, php-5.3.21 and apache 2.4.3.
    The test script of OpenID gives “success setup”, which means that my PHP supports the OpenID Library well.
    Could you help me?

  19. Hello, I have resolved the problem of “Auth request object error. Try again”

    It was due to missing PHP extension requirements for using the OpenID API. I had used Curl with PHP but it was not enough, and when I used the OpenSSL PHP extension the problem was resolved!
    Best regards!

  20. Hey,

    Thanks for the work! I had troubles with Auth/Yadis/Manager.php not compiling, the solution for me was to change line &$fetcher to just $fetcher around line 416 in call_user_func()

  21. Heya, I’m here for the first time. I came across this board and I find it really helpful & it helped me out much. I am hoping to offer one thing back and aid others such as you helped me.

  22. I have this error: “Fatal error: Error while attempting OpenID discovery: Can not verify trust chain.”

    I found that in row 441: $trusted = openssl_x509_checkpurpose($cert, X509_PURPOSE_ANY, $this->trust_roots, $untrusted_file);

    $this->trust_roots is array(1) { [0]=> string(73) "/Users/uuu/Sites/aaa/login/Auth/OpenID/ca-bundle.crt" }

    But there is no such file on my server!

    Can you help me?

  23. I migrated a mediawiki over to a new server. After turning on error print outs in PHP, there was a problem in line 416 of Manager.php. The fix that Will reported above worked! I have no idea why there was a & character in there but that seemed to fix it…thanks!

  24. Get used to it, Anne, it’s the way of the world now. I think it’s a good thing to know who people are on the internet. We can have lots of people commenting if they use OpenID. If they don’t want us to know who they are, then they won’t be posting. It’s a decision that may make more sense as we drift into a tremulous future.
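
The “Can not verify trust chain” error reported in several comments comes from the openssl_x509_checkpurpose() call quoted in comment 22; removing the check means an untrusted certificate is accepted during OpenID discovery instead of being rejected. The block below is an added example, not part of the post or of the bundled library: a preflight that reports why the trust roots are unusable and keeps the check failing closed. The function names and the sample path are hypothetical, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not the library's code. Function names are hypothetical.

/** Lists problems with the trust roots; an empty array means they are usable. */
function check_trust_roots(array $trustRoots): array
{
    $problems = [];
    if (!extension_loaded('openssl')) {
        $problems[] = 'openssl extension is not loaded';
    }
    if ($trustRoots === []) {
        $problems[] = 'no trust roots configured';
    }
    foreach ($trustRoots as $path) {
        if (!file_exists($path)) {
            $problems[] = "trust root not found: $path";
        } elseif (!is_readable($path)) {
            $problems[] = "trust root not readable by PHP: $path";
        } elseif (is_file($path)
            && strpos((string) file_get_contents($path), '-----BEGIN CERTIFICATE-----') === false) {
            $problems[] = "no PEM certificate in: $path";
        }
    }
    return $problems;
}

/** Verifies $certPem against the trust roots and throws on any failure. */
function verify_chain(string $certPem, array $trustRoots, ?string $untrustedFile = null): void
{
    $problems = check_trust_roots($trustRoots);
    if ($problems !== []) {
        throw new RuntimeException('Trust roots unusable: ' . implode('; ', $problems));
    }
    $result = $untrustedFile === null
        ? openssl_x509_checkpurpose($certPem, X509_PURPOSE_ANY, $trustRoots)
        : openssl_x509_checkpurpose($certPem, X509_PURPOSE_ANY, $trustRoots, $untrustedFile);
    if ($result !== true) { // false: chain not trusted; -1: OpenSSL error
        $detail = openssl_error_string() ?: 'certificate is not trusted';
        throw new RuntimeException('Can not verify trust chain: ' . $detail);
    }
}

// Constructed sample path: stands in for the bundle location configured in trust_roots.
$roots = [__DIR__ . '/Auth/OpenID/ca-bundle.crt'];
foreach (check_trust_roots($roots) as $problem) {
    echo $problem, PHP_EOL;
}
```

Run from the directory that holds the Auth folder, it prints one line per unusable trust root and prints nothing when the bundle is present and readable.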
