Google Developers Blog: openid

Saying goodbye to OAuth 1.0 (2LO)

Friday, April 22, 2016

Originally posted on Google Apps Developers Blog

Posted by Vartika Agarwal, Technical Program Manager, Identity & Authentication, and Wesley Chun, Developer Advocate, Google

As we indicated several years ago, we are moving away from the OAuth 1.0 protocol in order to focus our support on the current OAuth standard, OAuth 2.0, which increases security and reduces complexity for developers. OAuth 1.0 (3LO)¹ was shut down on April 20, 2015. During this final phase, we will be shutting down OAuth 1.0 (2LO) on October 20, 2016. The easiest way to migrate to the new standard is to use OAuth 2.0 service accounts with domain-wide delegation.If the migration for applications using these deprecated protocols is not completed before the deadline, those applications will experience an outage in their ability to connect with Google, possibly including the ability to sign-in, until the migration to a supported protocol occurs. To avoid any interruptions in service for your end-users, it is critical that you work to migrate your application(s) prior to the shutdown date.With this step, we continue to move away from legacy authentication/authorization protocols, focusing our support on modern open standards that enhance the security of Google accounts and that are generally easier for developers to integrate with. If you have any technical questions about migrating your application, please post them to Stack Overflow under the tag google-oauth.¹ 3LO stands for 3-legged OAuth: there's an end-user that provides consent. In contrast, 2-legged (2LO) doesn’t involve an end-user and corresponds to enterprise authorization scenarios such as enforcing organization-wide policy control access.

A final farewell to ClientLogin, OAuth 1.0 (3LO), AuthSub, and OpenID 2.0

Tuesday, April 21, 2015

Posted by William Denniss, Product Manager, Identity and AuthenticationSupport for ClientLogin, OAuth 1.0 (3LO¹), AuthSub, and OpenID 2.0 has ended, and the shutdown process has begun. Clients attempting to use these services will begin to fail and must be migrated to OAuth 2.0 or OpenID Connect immediately.To migrate a sign-in system, the easiest path is to use the Google Sign-in SDKs (see the migration documentation). Google Sign-in is built on top of our standards-based OAuth 2.0 and OpenID Connect infrastructure and provides a single interface for authentication and authorization flows on Web, Android and iOS. To migrate server API use, we recommend using one of our OAuth 2.0 client libraries.We are moving away from legacy authentication protocols, focusing our support on OpenID Connect and OAuth 2.0. These modern open standards enhance the security of Google accounts, and are generally easier for developers to integrate with.¹3LO stands for 3-legged OAuth where there's an end-user that provides consent. In contrast, 2-legged (2LO) correspond to Enterprise authorization scenarios such as organizational-wide policies control access. Both OAuth1 3LO and 2LO flows are deprecated, but this announcement is specific to OAuth1 3LO.

Reminder to migrate to OAuth 2.0 or OpenID Connect

Friday, March 20, 2015

Posted by William Denniss, Product Manager, Identity and AuthenticationClientLoginOAuth 1.0 (3LO)1AuthSubOpenID 2.0OAuth 2.0OpenID ConnectThe easiest way to migrate to these new standards is to use the Google Sign-in SDKs (see the migration documentation). Google Sign-in is built on top of our OAuth 2.0 and OpenID Connect infrastructure and provides a single interface for authentication and authorization flows on Web, Android and iOS.If the migration for applications using these deprecated protocols is not completed before the deadline, the application will experience an outage in its ability to connect with Google (possibly including the ability to sign in) until the migration to a supported protocol occurs. To avoid any interruptions in service, it is critical that you work to migrate prior to the shutdown date.If you need to migrate your integration with Google:

Migrate from OpenID 2.0 to Google Sign-in

Migrate from OAuth 1.0 to OAuth 2.0

For AuthSub and ClientLogin, there is no migration support. You’ll need to start fresh with OAuth 2.0 and users need to re-consent

If you have any technical questions about migrating your application, please post questions to Stack Overflow under the tag google-oauth or google-openid. ¹ 3LO stands for 3-legged OAuth: There's an end-user that provides consent. In contrast, 2-legged (2LO) correspond to Enterprise authorization scenarios: organizational-wide policies control access. Both OAuth1 3LO and 2LO flows are deprecated.

Welcome OpenID Connect

Wednesday, February 26, 2014

By Adam Dawes, Product Manager, Google Accounts TeamOpenID FoundationannouncedOpenID Connect

OpenID 2.0early version of OAuth 2.0 for Loginscopesendpointmigration timetableGoogle+ Sign-Inover-the-air installscross-device sign-onmigration guideAdam Dawes is a Product Manager on the Google Accounts Team where he is working to make it easy for users to share their data while maintaining full control over it. Outside the Googleplex, Adam enjoys exploring the outdoors with his family.Posted by Scott Knaster, Editor

Google+ Sign-In improvements

Wednesday, December 11, 2013

By Yaniv Yaakubovich, Product Manager, Google+Cross-posted from the Google+ Developers BlogGoogle+ Sign-In1. Support for all Google account types 2. Easy migration from other auth methods over-the-air installsinteractive postscross-device sign-insign-in migration guide3. Incremental authIncremental auth

If your app allows users to save music playlists to Google Drive, you can ask for basic profile info at startup, and only ask for Google Drive permissions when they’re ready to save their first mix.

Likewise: you can ask for Google Calendar permissions only when users RSVP to an event, and so on.

8Tracks only asks for the necessary permissions to get users started in their app.

Once in the app, 8Tracks prompts users to connect their YouTube account to get mix recommendations.

When users click ‘Connect Your YouTube account’, 8Tracks asks users for the additional YouTube permission.

Developing with Google+Stack Overflow+Yaniv Yaakubovich is a Product Manager on the Google+ Platform team, working on Google+ Sign-in. When he is not working he enjoys reading and exploring California with his wife and son.Posted by +Scott Knaster, Editor

Join us in London for an OpenID Workshop

Wednesday, March 7, 2012

By Eric Sachs, Senior Product Manager, Google Identity TeamUPDATEvisit the event siteUPDATE:OAuthOpenIDAccount Chooservisit the event sitesimilar event the previous day on identity security best practicesEric Sachs has been a product manager at Google since 2003. He is now involved with industry efforts to increase adoption of Internet Identity standards including OAuth and OpenID.Posted by Scott Knaster, Editor

Google’s sample OpenID relying party site

Monday, November 29, 2010

More and more websites are enhancing their login systems to include buttons for identity providers such as Google, Yahoo, Facebook, Twitter, Microsoft, etc. Users generally prefer this approach because it makes it easier for them to sign up for a new site that they visit. However if a user already has an account at a website, and they are used to logging in with their email and password, then it is hard to get them to switch to using an identity provider.Google has recently released a sample site that shows how a website can migrate users away from password based logins, and instead have them leverage an identity provider. This sample site incorporates many of the ideas of the Internet Identity community, as well as feedback from numerous websites who have been on the cutting edge of applying these techniques. The following video provides highlights of some elements of the user experience.

The sample site is at openidsamplestore.com, but we suggest first reading this FAQ which describes the site and has links to additional videos of some of the features. We hope website developers will use these techniques to reduce the need for passwords on their site.By Eric Sachs, Internet Identity Team

Simpler Access to Flickr for Google Users with OpenID

Thursday, October 28, 2010

OpenIDannouncedsimpler registrationannouncedInternet Identity WorkshopBy Eric Sachs, Internet Identity Team

Sign up with Google using OpenID

Tuesday, September 7, 2010

Some websites use the OpenID standard so that users don’t even need to type a password to sign in. While Google does not yet support the usage of OpenID for replacing passwords on its own sites, we are involved in the OpenID community’s efforts to research how to best implement that type of support.As a next step in those community efforts, we announced today the use of OpenID for the Google signup process.Currently, Google only offers this feature for Yahoo! users. However, as it is based on an Internet standard, we plan to use it in the future with other email providers that add support for this usage of OpenID and related standards like OAuth, such as in the Microsoft Live identity APIs.Other websites that need to verify a user’s email address can also implement this technique using Yahoo!’s OpenID API. In addition, it can be used to verify the addresses of Gmail and Google Apps users because those email systems expose the necessary APIs for OpenID. For example, Plaxo is one of the many websites that takes advantage of this feature of Gmail and Yahoo! Mail.By Tzvika Barenholz, Internet Identity Team

Hybrid Onboarding

Tuesday, November 3, 2009

main blogOpenIDOAuthPortable Contacts

OpenID User Interface Extension 1.0 (including the ability to display the favicon of the website)

x-has-session, which is an enhacement to checkid_immediate requests via the UI extension. If the request includes "openid.ui.x-has-session," it will be echoed in the response only if Google detects an authenticated session

Support for the US Government's GSA profile for OpenID

PAPE (Provider Authentication Policy Extension) to support forced password reprompts

Support for not only Google Accounts, but also our Google Apps customers, as discussed on the Enterprise blog

OpenIDHybrid Onboarding Guide

The technique is primarily for websites with an existing login system based on email addresses.

It also assumes the website will send email to users who are not yet registered, whether it is through traditional email marketing or social network invitations.

The website owner then needs to choose a small set of email providers such as Yahoo and Google that support these standards.

Whenever the website sends email to a user at one of those providers, any hyperlinks that promote registration at the website should be modified to communicate the email address (or at least domain) of the user back to the website's registration page.

If the registration page detects a user from one of these domains, it should NOT start the traditional process of asking the user to enter a password, password confirmation, and email. Instead, it should prominently show a single button that says "Sign up with your Google Account" — where Google is replaced with the name of the email provider.

If the user clicks that button, the website should use the OpenID protocol to ask the email provider to authenticate the user, provide their email address, and optionally ask for access to their address book using the hybrid OpenID/OAuth protocol and the Portable Contacts API. More details about this flow are available on the OpenID blog.

Once the user returns to the website, it can create an account entry for the user. The website can also mark the email address as verified without having to send a traditional "email verification" link to the user. If the website received the user's permission to access their address book, it can now download it and look for information about the user's friends.

In the unusual case where an account already exists for that email address, the website can simply log the user into that pre-existing account.

For any newly registered user, the website should then display a page that confirms the user is registered and that indicates how they should sign in in the future.

To make the login process simple, the website should modify their login box to include a logo for each of the trusted email providers it supports, or use one of the other user experiences for Federated Login.

If a user clicks the email provider button, they can again be sent to that provider's site using the OpenID protocol. When the user comes back, the website can either detect that they previously registered, or if it is a new user, the website can create an account for them on the fly.

In some cases the account may already exist for that email address, but it was not initially registered using OpenID. In that case, the website can simply log the user in to that pre-existing account.

By Eric Sachs, Product Manager, Google Security

Google Apps + OpenID = identity hub for SaaS

Tuesday, July 28, 2009

We're happy to announce that the Google OpenID Federated Login API has been extended to Google Apps accounts used by businesses, schools, and other organizations. Individuals in these organizations can now sign in to third party websites using their Google Apps account, without sharing their credentials with third parties.

In addition, Google Apps can now become an identity hub for multiple SaaS providers, simplifying identity management for organizations. For example, when integrated with partner solutions such as PingConnect from Ping Identity, the Google Open ID Federated Login API enables a single Google Apps login to help provide secure access to services like Salesforce.com, SuccessFactors, and WebEX — as well as B2B partners, internal applications, and of course consumer web sites. See Ping Identity's post to learn more about their implementation and view the demo.

Another early adopter is Manymoon.com, a SaaS project management vendor that implemented the Google Open ID Federated Login API directly to make it easier for any organization using Google Apps to sign up for and deploy Manymoon to their users:

In the Manymoon Login page, the user chooses to log in using a Google Apps account

The user types in his Google Apps email address. The user never gives away his Google Apps Account password to Manymoon.

The user is redirected to the Google Apps domain to approve sharing information with Manymoon.

Once approved, the user is redirected to Manymoon and is signed in and ready to work with selected accounts.

If you prefer an out-of-the-box solution, we have been working with JanRain, a provider of OpenID solutions that already supports the new API as part of their RPX product.

Supporting the API for Google Apps accounts is exciting news for the OpenID community, as it adds numerous new Identity Provider (IDP) domains and increases the OpenID end user base by millions. In order to allow websites to easily become Relying Parties for these many new IDPs and users, we defined a new discovery protocol. The protocol is designed to allow Relying Parties to identify that a given domain is hosted on Google Apps and to help provide secure access its OpenID Provider End Point. The current proposal is an interim solution, and we are participating in several standardization organizations, such as OASIS and the OpenID Foundation, to generate a next-generation standard. Since the current protocol proposal is not supported by the standard OpenID libraries, we provided an implementation of the Relying Party pieces at the Open Source project, step2.googlecode.com. Google is also offering a set of resources addressing the issues of designing a scalable Federated Login User Interface. You are welcome to visit the User Experience summary for Federated Login Google Sites page, where you can find links to demos, mocks, and usability research data.

You can find more details in our API and Discovery documentation, or join the discussions in the Google Federated Login API Group, where you can ask any question and get answers from other Identity Providers, Relying Parties and Google engineers.

The OpenID Federated Login Service is available for all Google Apps editions. However, it is disabled by default for the Premier and Education editions, and it requires the domain administrator to manually enable it from the Control Panel. We've enabled the service for our employees here at Google, and domain administrators — you can also enable it for your domain.
By Yariv Adan, Google Security Team

MySpace Open Platform: Connect MySpace users to your site and to your apps

Wednesday, May 20, 2009

This post is part of the Who's @ Google I/O, a series of blog posts that give a closer look at developers who'll be speaking or demoing at Google I/O. Today's post is a guest post written by Scott Seely, Architect for the MySpace Open Platform.Google I/OMySpaceIDMySpace Apps

SDKs for MySpaceIDMySpace AppsOpenSocialMySpaceID SDKMySpace AppsMySpaceID

“Building a Business with Social Apps” – Gerard Capiel, VP of Product for the MySpace Open Platform, will share his experiences on monetization of apps.

Developer Sandbox – Come by and see actual apps in action, try building an app on the spot, and talk to our developers.

Fireside Chat - Ask those hard questions, discuss approaches to problems, and think about the future with MySpace developers and the OpenSocial engineering team

Guest Post by Scott Seely, Architect for the MySpace Open Platform

Google OpenID API - taking the next steps

Thursday, May 14, 2009

announcedannounced in January 2009Google Data APIsPlaxopublished a presentation amazing 92% success rate OpenID User Interface Extension SpecificationJanRainRPX productUserVoiceJanRain's RPX

Open Source project

Google API DocumentationGoogle Data APIOpenIDOAuthBy Yariv Adan, Google Security Team

User Experience in the Identity Community

Tuesday, December 2, 2008

By Eric Sachs and Ben Laurie, Google Security TeamInternet Identity WorkshopsummaryupdatedarticlevideosGoogle Online Security Blog

Moving another step closer to single-sign on

Thursday, October 30, 2008

By Eric Sachs, Google Security Teamannouncedtoday's episode of thesocialweb.tvdirected identityDesigning a Login User Interfaceenterprise E-mail outsourcingresearch on combining rich-client apps with federated loginUX summitin a blog post hereOAuthOpenIDOAuthdescribedposted

Google moves towards single sign-on with OpenID

Wednesday, October 29, 2008

By Eric Sachs, Google Security Teamresearchuser researchwww.zoho.com

Open IDdiscussion grouponline registration formGoogle Data APIsPortable ContactsOpenSocial REST APIs

Usability Research on Federated Login

Friday, September 19, 2008

By Eric Sachs, Product Manager, Google SecurityOpenID Foundation

summaryget involved

Blog