1 of 16

Introduction to Google Identity Toolkit

Eric Sachs (esachs@google.com)

Youlin Li (youlin@google.com)

goo.gl/NPhFA

2 of 16

Why be a Relying Party?

As summarized at the OpenID Retail Summit:

  • Higher customer registration and login success rates
  • Login sooner in the online process to allow targeted experiences and communications
  • Increased referral traffic, search engine optimization, and brand projection by leveraging social networks
  • Collecting rich customer profile information
  • Improved mobile customer experience
  • Federated login across multiple websites

3 of 16

Hard part about being an RP

1. Use OpenID to improve the experience for EXISTING users

2. The use of OpenID should NOT increase per-user support costs

4 of 16

Google itself as an RP

  • Sept 2010: Google becomes a relying party for Yahoo! accounts for SIGNUP only (added AOL in Feb 2011)
  • Nov 2010: announcement of openidsamplestore.com -- a site that uses best industry practice to support federated login, account upgrades and other corner cases
  • March 2011: Google allows users to opt-in to federated login for Yahoo and AOL Accounts
  • April 2011: Hotmail support added
  • May 2011: Create Account Wizard launching on a subset of Google services

5 of 16

Google helping others be an RP

Visit openidsamplestore.com

Important: Read the FAQ to learn the hard parts

6 of 16

Google helping others be an RP

Today's announcement

  • The internal APIs Google uses to be an RP are being made available externally
    • Google Identity Toolkit
    • Targeted at websites who want to use OpenID but need it to work well for EXISTING users and LOWER help desk costs
  • The toolkit is a web service like Azure ACS, Janrain, Ping Connect, ...
    • Janrain has a new offering for websites with similar needs. There is a demo at login-helper.appspot.com

7 of 16

Introduction to Google Identity Toolkit

  • GIT is a set of tools that helps 3rd party sites to support federated login using industry standards (OpenID and OAuth)
    • Docs at sites.google.com/site/gitooldocs
  • The toolkit intends to minimize the work required for a site to become a relying party for major Identity Providers (IDP)
  • Major components
    • Two Google APIs that implement authUrl discovery and IDP response verification
    • A Javascript widget for 2-tab login
    • A Javascript widget for account creation
    • Client side libraries (only Java and PHP now) that help with the new login logic and handle the callback
  • Free service

8 of 16

Looking for testers

Docs at sites.google.com/site/gitooldocs or goo.gl/4CXCp

We are looking for testers before fully launching the service.  To get access to the toolkit, contact esachs@google.com

9 of 16

Google Identity Toolkit Interaction Diagram

[Diagram: RP components on one side, GIT components on the other]

RP components:
  • RP Login Page, hosting the Login Widget
  • Customshoes Backend Server, using the GIT Client Library
  • Database with the User Table

GIT components:
  • Google Identity Toolkit Service: GIT Apiary Endpoint and GIT Server
  • Google Account Service
  • DevConsole (code.google.com/apis/console): save/retrieve config

Flows shown: the backend server sends the Apiary requests createAuthUrl and VerifyIDPResponse to the GIT Apiary Endpoint; the DevConsole saves and retrieves the RP's configuration.

10 of 16

Support for basic use case -- GIT v1.0

Only supports major IDPs who own the email account, i.e. Yahoo, Hotmail, Gmail/Google App accounts, AOL

  • Signups with federated emails supported (with attribute exchange)
  • Logins with federated accounts supported
  • Upgrades to federated accounts supported
  • Also supports legacy account login with 2-tab login

11 of 16

Support for advanced use case -- GIT 1.5

V1.5 will support non-email IDPs and other more advanced features such as email changes and account linking (See openidsamplestore.com for the targeted user experience)

An Account Chooser style widget will be provided

It will also add support for data access by native/mobile apps as GIT will provide an OAuth based service provider for use by those apps

12 of 16

Demo

  • GAE app demo
  • Opencart demo

13 of 16

Summary of RP work required

  1. Register a Google account and log in to the DevConsole to activate GIT and configure the Javascript widget
  2. UI Changes
    • Modify the login page in your site to embed Javascript widget (also include a css file for the widget)
    • Modify account creation page to remove password field for federated account
  3. Add a field to account table to indicate if the account is federated
  4. Download GIT client library for supported platforms, and implement a few changes
    • Add API key to the callback servlet/page
    • Implement code to handle account creation and new login logic
    • Deploy new callback page and login page
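The new login logic, the callback handling and the federated flag from the steps above, together with the account-management rule on the Optional RP Work slide (no password changes on federated accounts), as an added example. This is hypothetical RP code written for this page, not the toolkit's client library: the createAuthUrl and verifyIDPResponse calls to GIT are not made here, and the domain-to-IdP table, the `VerifiedAssertion` field names and the in-memory user table are assumptions.

```python
# Hypothetical relying-party (RP) logic for the GIT flow on this page. Added
# example, NOT the Google Identity Toolkit client library: the createAuthUrl /
# verifyIDPResponse calls are not made here; this is what the RP decides
# before and after them.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import hashlib
import hmac
import os

# GIT v1.0 only supports IdPs that own the e-mail account (slide 10).
# This domain-to-IdP table is an assumption made for the example.
EMAIL_OWNING_IDPS = {
    "gmail.com": "google",
    "yahoo.com": "yahoo",
    "hotmail.com": "hotmail",
    "aol.com": "aol",
}

@dataclass
class User:
    email: str
    federated: bool                       # the new column from slide 13, step 3
    salt: Optional[bytes] = None          # password fields stay empty when federated
    password_hash: Optional[bytes] = None

class UserTable:
    """In-memory stand-in for the RP's user table (constructed for the example)."""
    def __init__(self) -> None:
        self.rows: Dict[str, User] = {}

    def get(self, email: str) -> Optional[User]:
        return self.rows.get(email.lower())

    def add(self, user: User) -> None:
        self.rows[user.email.lower()] = user

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_legacy_account(table: UserTable, email: str, password: str) -> User:
    """A pre-existing password account, which most of an RP's users have."""
    salt = os.urandom(16)
    user = User(email, False, salt, _hash_password(password, salt))
    table.add(user)
    return user

def idp_for_email(email: str) -> Optional[str]:
    """Which supported IdP owns this address, if any."""
    return EMAIL_OWNING_IDPS.get(email.rsplit("@", 1)[-1].lower())

def login_tab_one(email: str) -> Tuple[str, Optional[str]]:
    """2-tab login, tab 1: once the e-mail is typed, either send the user to the
    owning IdP (the RP would call createAuthUrl here) or show the password tab."""
    idp = idp_for_email(email)
    return ("redirect_to_idp", idp) if idp else ("show_password_tab", None)

def password_login(table: UserTable, email: str, password: str) -> bool:
    """Tab 2: legacy password login. Federated accounts have no password."""
    user = table.get(email)
    if user is None or user.federated or user.salt is None or user.password_hash is None:
        return False
    return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

@dataclass
class VerifiedAssertion:
    """What the RP holds after verifyIDPResponse (field names assumed here)."""
    email: str
    email_verified: bool
    idp: str

def handle_callback(table: UserTable, a: VerifiedAssertion) -> str:
    """Callback page logic, run only after GIT has verified the IdP response."""
    if not a.email_verified:
        return "rejected"
    # Trust the e-mail only if the asserting IdP is the one that owns its domain;
    # otherwise one IdP could assert another provider's address.
    if idp_for_email(a.email) != a.idp:
        return "rejected"
    user = table.get(a.email)
    if user is None:                      # signup: federated account, no password
        table.add(User(a.email, True))
        return "created"
    if user.federated:
        return "logged_in"
    # Legacy account with this verified e-mail: upgrade it to federated. Whether to
    # ask for the old password first is one of the corner cases the
    # openidsamplestore.com FAQ discusses; this example upgrades directly.
    user.federated = True
    user.salt = user.password_hash = None
    return "upgraded"

def change_password(table: UserTable, email: str, new_password: str) -> bool:
    """Account-management page: no password option for federated accounts."""
    user = table.get(email)
    if user is None or user.federated:
        return False
    user.salt = os.urandom(16)
    user.password_hash = _hash_password(new_password, user.salt)
    return True
```

The two checks in `handle_callback` are the ones that keep support costs down rather than up: an unverified or wrong-provider e-mail is never matched against the user table, so a federated login can only ever land on the account that genuinely owns that address.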

14 of 16

Optional RP Work

  1. UI changes
    • Modify account management page that allows a user to change their email address
    • Modify account management page to remove the option for a user to modify password if it is a federated account
    • Add account creation wizard which imports attributes from IDPs for federated accounts
  2. Additional IDP support
    • Hotmail support: register a client key and secret on the MSN web site and enter them into the DevConsole
    • Upload a Yadis (XRDS) file to the site root to get rid of the AOL RP discovery failure warning
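An OpenID 2.0 RP discovery document of the kind the last item refers to, added here as an example (it is not a file from the toolkit docs); the callback URI is a placeholder:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Serve at the realm (site root) with Content-Type application/xrds+xml,
     or point to it with an X-XRDS-Location header. The URI is a placeholder. -->
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://www.example.com/openid/callback</URI>
    </Service>
  </XRD>
</xrds:XRDS>
```

An IdP that performs RP discovery (the source of the AOL warning) fetches the realm and checks that the return_to in the authentication request matches one of the listed URIs, so list every callback URL the site actually uses.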

15 of 16

How easy is it?

Our recent hackathon showed that integrating with GIT (including 2-tab login) takes only a few hundred lines of code change using the client library, and a few hours of one engineer's time

Even less effort if you only want it for account creation

Feel free to join a tutorial on table 10

16 of 16

REMINDER: Looking for testers

Docs at sites.google.com/site/gitooldocs or goo.gl/4CXCp

We are looking for testers before fully launching the service.  To get access to the toolkit, contact esachs@google.com