Difference between Google "OpenID Connect" and "sign-in with Google"? - authentication

I want users of my website to use Google Accounts to authenticate / sign in to my website. The primary use case being users will edit and generate content and we want to log ownership in a secure way. We are not interested in obtaining users' Google data, we just want a means to authenticate users.
After googling, I came across some documentation, which seems to explain how to do this OpenID Connect (OAuth 2.0 for Login). But the documentation immediately says "Note: If you want to provide a “sign-in with Google” button for your website or app, we recommend using Google+ Sign-In, ...", which if you follow the link ultimately takes you to Google+ Sign-In.
What's the difference between these two pages of documentation? Why does the first tell you to go to the second while not saying the first is deprecated? Are both/either suitable for my use case? All it says is "we recommend". I want to know WHY, WHY do they recommend it?
UPDATE: I also found yet another link which seems to be documenting another approach https://developers.google.com/accounts/docs/OAuth2WebServer I think this is just for "Authorization" i.e. authorizing your app to make google api calls to get user data, so cannot be used for authenticating/sign-in.
BTW I'm building my website with a Scala Spray BE REST API & NG JS FE.

A comparison of the two is available here.
Google+ Sign-In with profile scope:
  - Has Google client libraries for authenticating with OAuth 2.0, which includes support for Google+ and other Google services (like getting social information on a user). This can also make implementing easier and requires less boilerplate code.
  - Has the Google+ Sign-In button to simplify sign-in.
  - Supports over-the-air Android installs.
  - Supports OIDC interoperability if you configure it with the openid scope and get the user profile using getOpenIdConnect.

OpenID Connect protocols (OAuth 2.0 login):
  - Primarily just for authentication at a lower level, that is by making raw HTTP requests, no API.
  - Has no pre-built widgets.
  - Supports OIDC directly. Use it for signing in users to apps that do not need social features and run on platforms not supported by Google+ Sign-In.

Related

Manually building a Google login integration flow using server-side code

I am writing a project that lets users implement login integration for multiple web services (e.g. Google, Facebook etc.) to his/her website. I see Facebook allows us to manually build a login flow. Using this I can code everything myself and also let users use the script just by configuring it a bit (like setting app_secret and app_id). I am looking for a similar thing in Google. I don't wanna use the SDK because if I do that for multiple OAuth providers, then I think I'll mess things a lot. I also want to keep the client (JavaScript) side code at a minimum. So, can I build a manual login flow for Google, as I can for Facebook?
This information is given on the following page: https://developers.google.com/identity/protocols/OAuth2UserAgent (select the OAUTH 2.0 ENDPOINTS tab)
Some excerpts:
The OAuth endpoint is https://accounts.google.com/o/oauth2/v2/auth
Token is returned like this: https://oauth2.example.com/callback#access_token=4/P7q7W91&token_type=Bearer&expires_in=3600
You can validate the token by using the tokeninfo endpoint: https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=<access_token>
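The callback handling the answer above describes, as an added example that is not part of the original answer: the access token is read from the redirect fragment, and the tokeninfo result is accepted only when its aud is your own client ID (a token minted for some other app must not log anyone into yours). The client ID and the tokeninfo JSON are constructed for the demo; the field names assume the v3 tokeninfo response shape.

```javascript
// Added example, not code from the original answer. The tokeninfo JSON below is
// constructed offline; in a real deployment it comes from an HTTPS GET to tokeninfoUrl().
const CLIENT_ID = "example-client-id.apps.googleusercontent.com"; // placeholder value

// Parse "#access_token=...&token_type=Bearer&expires_in=3600" from the redirect URL.
function parseCallbackFragment(callbackUrl) {
  const hash = new URL(callbackUrl).hash.replace(/^#/, "");
  const params = new URLSearchParams(hash);
  const token = params.get("access_token");
  if (!token || params.get("token_type") !== "Bearer") throw new Error("no bearer token in fragment");
  return { accessToken: token, expiresIn: Number(params.get("expires_in")) };
}

// Tokeninfo endpoint quoted in the answer; the token is URL-encoded since it may contain "/".
function tokeninfoUrl(accessToken) {
  return `https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=${encodeURIComponent(accessToken)}`;
}

// Accept the token only if Google says it was issued to THIS client and has not expired.
function tokeninfoIsAcceptable(info, expectedAud) {
  if (info.error) return false;                  // Google reports invalid tokens here
  if (info.aud !== expectedAud) return false;    // token was issued to a different app
  if (!(Number(info.expires_in) > 0)) return false;
  return true;
}

// Demo on the exact callback URL from the answer and two constructed tokeninfo replies.
function demo() {
  const cb = parseCallbackFragment(
    "https://oauth2.example.com/callback#access_token=4/P7q7W91&token_type=Bearer&expires_in=3600");
  const ours = { aud: CLIENT_ID, expires_in: "3599", email: "alice@example.com", email_verified: "true" };
  const theirs = { ...ours, aud: "some-other-app.apps.googleusercontent.com" };
  return {
    token: cb.accessToken,
    lookup: tokeninfoUrl(cb.accessToken),
    acceptOurs: tokeninfoIsAcceptable(ours, CLIENT_ID),
    acceptTheirs: tokeninfoIsAcceptable(theirs, CLIENT_ID),
  };
}
console.log(demo());
```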

how to get google openId using OAuth 2.0 in javascript?

I'm writing a packaged app using JavaScript for the Google Chrome Web Store and I need to identify the user's e-mail. Using Identity I've retrieved an OAuth 2.0 token (by the chrome.identity.getAuthToken() command). What next?
I've found this documentation but I'm afraid it can be used only for hosted Chrome apps.
The above documentation can be used also in cases where the application only has a client-side presence. You can extract the email_address from the id_token (https://developers.google.com/accounts/docs/OAuth2Login#obtainuserinfo); that would be most efficient. Or you can use the access_token to retrieve the same data from the user_info endpoint, which requires another AJAX request (https://developers.google.com/accounts/docs/OAuth2Login#obtaininguserprofileinformation).
If you manage to configure the G+ Sign-In widget for your extension you'll find out that it simplifies these tasks considerably. Note that G+ Sign-In has been recently updated and works for all Google account users (including Google Apps users) whether or not they have signed-up for the Google+ service. See https://developers.google.com/+/ for more information.

Oauth or OpenID to sign users into Gmail?

We currently have a corporate portal in which users authenticate and get different page views based on their access level. We have been tasked with allowing them to click a Google Mail icon to sign them into their domain Google Mail Account. To do something like this, should we be looking in to oAuth or Open ID? Presently, they're already using their email and password to sign in.
From what we understand, Open ID requires their email and password to go to us, which we have; but will Open ID do what we're looking for?
Thank you.
Since your users have a Google Apps for Business email address already, I would suggest using the Google+ Federated Login feature-set. (You can learn more here: https://developers.google.com/accounts/docs/OpenID)
A quick snippet from the aforementioned link:
If you are planning to provide a “sign-in with Google” feature, we recommend using Google+ Sign-in, which provides the OAuth 2.0 authentication mechanism along with additional access to Google desktop and mobile features...[the] OpenID+OAuth Hybrid protocol lets web developers combine an OpenID request with an OAuth authentication request. This extension is useful for web developers who use both OpenID and OAuth, particularly in that it simplifies the process for users by requesting their approval once instead of twice.
You can find more on the Google+ Federated Login toolset and explore a sample application here: https://developers.google.com/+/
Hope this helps!

Using oAuth (Twitter, LinkedIn) for login to a web app

Should I use oAuth, for example LinkedIn or Twitter, as my signin mechanism for my app? It seems that most apps just use oAuth to connect other services to it, but they make you set up your own user/password after you use oAuth (including StackOverflow), and I'm not really sure why this is. Would love some insight here. Thank you.
Why not use OpenId, to allow people to sign into your application, without having to type any specific login/password?
Quoting the corresponding Wikipedia entry:
OpenID is an open, decentralized standard for authenticating users which can be used for access control, allowing users to log on to different services with the same digital identity where these services trust the authentication body. OpenID replaces the common log on process that uses a login-name and a password, ...
BTW, that's exactly how one logs-in on stackoverflow ;-)
OAuth's purpose is not authenticating your users with your site; it is letting your users allow you (the OAuth consumer) access to their protected resources in other sites (OAuth providers) like LinkedIn, Twitter, Google APIs etc.
For authentication, you should use OpenId as others have pointed out.
Twitter provides a Sign in with Twitter flow that is OAuth but provides a faster redirect if it is an existing user of your service and they are already authenticated with Twitter.
http://apiwiki.twitter.com/Sign-in-with-Twitter
If you are building a Twitter-centric application this makes a lot of sense to use and you won't have to implement an entire alternate authentication method like OpenID.
Be careful if you let users authenticate with both Twitter and LinkedIn as users will inadvertently create two accounts and need them to be merged.
Facebook and Twitter both have the "Login with Facebook/Twitter" APIs to actually allow users to log in without having to create an account for your website. Both of them will return you a valid session that may (or may not) expire. So you actually wouldn't have to ask users to decide on a username/password, as you can fetch both from the APIs (you cannot get the user's email address when using Twitter though).
So why add those functions to your website?
Users are in general more likely to hit the "Login with ..." button than going through the whole mail address authorization process and entering their name, etc...
LinkedIn only has OAuth for use with its API. It will also depend on what type of language you are writing your webapp in; they should have premade wrapper libraries you could tap into.

How can I build this log-in system with Yahoo, Twitter, Facebook etc.?

In many sites I can see this (image: http://img718.imageshack.us/img718/4633/15494794.gif).
How can I do that? Must I tell every company, or what?
It's OpenID. You can implement it in PHP easily by looking for PHP OpenID Libraries/Classes.
See http://openid.net/add-openid/add-getting-started/ to get started on developing authentication with OpenID.
Unfortunately, Facebook and Twitter have a completely different set of authorization APIs and thus you cannot use OpenID for Twitter and Facebook. Instead you can use their API.