Federated Login for Google Account UsersThird-party web sites and applications can now let visitors sign in using their Google user accounts. Federated Login, based on the OpenID standard, frees users from having to set up separate login accounts for different web sites--and frees web site developers from the task of implementing login authentication measures. OpenID achieves this goal by providing a framework in which users can establish an account with an OpenID provider, such as Google, and use that account to sign into any web site that accepts OpenIDs. This page describes how to integrate Google's Federated Login for a web site or application.
Google supports the OpenID 2.0 protocol, providing authentication support as an OpenID provider. On request from a third-party site, Google authenticates users who are signing in with an existing Google account, and returns to the third-party site an identifier that the site can use to recognize the user. This identifier is consistent, enabling the third-party site to recognize the user across multiple sessions. Google also supports the following extensions:
OpenID Attribute Exchange 1.0 allows web developers to access, with the user's approval, certain user information stored with Google, including user name and email address.
OpenID User Interface 1.0 supports alternative user experiences for the authentication process. The default experience requires the web application to redirect users away from the application site to Google's authentication pages. This extension allows web developers to open Google authentication in a popup window and includes favicon support for a smoother experience.
OpenID+OAuth Hybrid protocol lets web developers combine an OpenID request with an OAuth authentication request. This extension is useful for web developers who use both OpenID and OAuth, particularly in that it simplifies the process for users by requesting their approval once instead of twice.
PAPE (Provider Authentication Policy Extension) allows web developers to request other modifications to the flow, such as asking that Google reprompt the user for their password.
For more information on the OpenID framework, refer to the following specifications:
- OpenID attribute exchange
- OpenID user interface
- Hybrid "Step2" open-source project/Draft of OpenID OAuth extension
- PAPE specification