OAuth Support in Google's Federated Login API
See the Google OpenID documentation for updated information on using OAuth with OpenID.
Sample Application and Code
Implementation Notes
- Like other OAuth consumers, web sites that wish to use the OAuth OpenID extension with Google's Federated Login API need to register with Google first, and obtain an OAuth consumer key and secret.
- In order to protect the user from rogue OAuth consumers, Google verifies that the consumer parameter in the OAuth extension equals the realm parameter in the OpenID request. If your web site has been using OAuth and OpenID with Google in the past, and has used a different consumer key (domain name) for OAuth requests than the realm parameter in the OpenID request, you'll either need to register for a new consumer key that equals your realm, or change your realm so that it equals your consumer key. See the Sample OpenID Request above for a request example that sets the realm to http://www.example.com and the consumer key to www.example.com. The only exception is a realm of the form http://*.somedomain.com (or https://*.example.com), which will match the consumer key www.somedomain.com.
Notes for Existing OAuth Consumers
If you are an existing OAuth consumer, you will already possess a consumer key (your DNS domain name) and consumer secret with Google. The OAuth OpenID extension allows you to sign up new users without the need to create a username and password on your site, and without the need for additional approval round-trips (in addition to the OAuth approval round-trip that you're already using).
The easiest way to get started with the OAuth OpenID extension is to download a good OpenID library, and set up an OpenID Relying Party. Use your existing consumer key (your DNS domain name) as your realm, and choose an appropriate return_to URL within the realm. Note that user identities are tied to the realm you choose, so choose carefully. If your consumer key is not an appropriate realm value, you need to register for another consumer key that matches your realm.
You will typically add a "log in with Google" button to your login page (there are other options). When the user clicks that button, you should ask your OpenID library to start discovery on the URL https://www.google.com/accounts/o8/id. Your OpenID library will let you add extensions to the OpenID request before you redirect the user to the endpoint discovered from that URL.
Add the OAuth OpenID extension to your request as outlined above. When receiving your response from Google, extract the request token from the response, set the request token secret to the empty string, and proceed with your existing OAuth library at the Access Token Request step.
Notes for Existing OpenID Relying Parties
If you are an existing OpenID Relying Party, you can now also access your users' Google data through OAuth, without the need for an additional approval round-trip. You will first have to register your current realm as your consumer key. You will also have to download a good OAuth library, and set up an OAuth consumer.
You send the OpenID request to Google as before, except you add an additional extension to it (the OAuth OpenID extension), as described above. The response will contain a request token.
Your OAuth library will have an API call that allows you to exchange the request token for an access token (the "Access Token Request" step). That call will typically require (in some form or another) the consumer key and secret, request token and secret, and the access token request endpoint. The consumer key and secret are the values you obtained from the registration. The request token is the value obtained from the OpenID response, and the request token secret is the empty string. The access token endpoint is https://www.google.com/accounts/OAuthGetAccessToken.
Notes for Web Sites that are Both OpenID Relying Parties and OAuth Consumers
If you already use the Google Federated Login API, and are an OAuth Consumer to Google, you probably have all the software and keys you need to get started. You just need to make sure that your OAuth consumer key (your DNS domain name) matches your OpenID realm.
You send the OpenID request to Google as before, except you add an additional extension to it (the OAuth OpenID extension), as described above. When receiving your response from Google, extract the request token from the response, set the request token secret to the empty string, and proceed with your existing OAuth library at the Access Token Request step.
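As an added example (not Google's code or part of this page), the three pieces of the flow described in the notes above in Python: the realm-to-consumer-key check Google performs (including the wildcard exception), extracting the request token from the OpenID response, and signing the Access Token Request with an empty request token secret. The extension namespace and the `request_token` field name are taken from the OpenID OAuth Extension draft, not from this page; the consumer key, secret, token, nonce and timestamp values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

ACCESS_TOKEN_URL = "https://www.google.com/accounts/OAuthGetAccessToken"
OAUTH_EXT_NS = "http://specs.openid.net/extensions/oauth/1.0"  # from the extension draft, not this page


def realm_matches_consumer(realm, consumer_key):
    """Re-implements the check described above: the consumer key (a DNS name)
    must equal the host of the OpenID realm. The one exception is a wildcard
    realm such as http://*.example.com, which matches www.example.com."""
    host = urlsplit(realm).hostname
    if not host:
        return False
    if host.startswith("*."):
        return consumer_key.lower() == "www." + host[2:]
    return consumer_key.lower() == host


def request_token_from_response(openid_response):
    """Pull the request token out of the OpenID response by locating the alias
    bound to the OAuth extension namespace (the alias itself is not fixed)."""
    for key, value in openid_response.items():
        if key.startswith("openid.ns.") and value == OAUTH_EXT_NS:
            alias = key[len("openid.ns."):]
            return openid_response.get(f"openid.{alias}.request_token")
    return None


def sign_access_token_request(consumer_key, consumer_secret, request_token, nonce, timestamp):
    """Build the HMAC-SHA1-signed Access Token Request (OAuth 1.0). The request
    token came from the OpenID response, so its secret is the empty string: the
    signing key is "<consumer_secret>&" with nothing after the ampersand."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": request_token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    normalized = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    base_string = "&".join(quote(part, safe="") for part in ("GET", ACCESS_TOKEN_URL, normalized))
    key = quote(consumer_secret, safe="") + "&"  # empty token secret follows the '&'
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    params["oauth_signature"] = base64.b64encode(digest).decode()
    return params
```

The returned parameters are sent to the access token endpoint by your OAuth library; the same base-string construction with a non-empty token secret would produce a different signature, which is why the empty secret must be set explicitly.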