Adam Dawes, Product Manager, Google
Jonathan Beri, Developer Advocate, Google
There’s never been a better time to become a relying party, and Google offers two tools to help developers do just that. Google Identity Toolkit makes it easy for a site to outsource its authentication system (including password login) and become a relying party to the most popular identity providers. Google+ Sign-In can create more engaging experiences in your app and drive more usage across devices.
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identity Toolkit and Google+ Sign-In
1. Google Confidential and Proprietary
So you want to be a Relying Party: Google Identity Toolkit v3
Adam Dawes
July 9, 2013
http://goo.gl/8pA1v
2. Google Identity Toolkit
● Challenges to getting out of the password business
● GITKit v3 Overview and UX walkthrough
● GITKit v3 Deployment
● What's coming
3. Challenge #1: I don't know how to get rid of my password db
4. Challenge #2: I need a complete solution for both passwords and IDPs
5. Challenge #3: I don't know how to 'slow roll' conversion to IDP sign-in
7. GITKit v3 Key Features
● Migrate passwords to hosted authentication service
● Single integration point for multiple email IDPs and passwords
● Fine-grained controls for password to IDP conversion
● Streamlined login and new account UX without NASCAR
● Account management widgets
● Detection of security events in multi-session scenarios
8. GITKit provides a complete auth solution across passwords and multiple IDPs
[Diagram: Auth Engine with Password Store; Legacy passwords, Login and GITKit APIs feed into GITKit, which issues the GITKit ID Token]
15. Account Chooser
● Addresses the NASCAR problem by initiating login with an “account hint”
● Privacy-preserving HTML5 app with all accounts stored locally
37. GITKit Deployment - Overview
1. Register at the Google Developer Console
2. Modify your session management
3. Provide 4 endpoints: Callback, Home, Signout, and Lost-password
a. Home and Sign-out are easy.
b. Callback is just a one-line branch to GITKit handler code.
c. Lost-password is hard.
4. Customize the GITKit UI
5. Migrate your users and accounts
38. GITKit Session Management - Basic
● You have to retrieve & validate the GITKit cookie; easy with a JWT library.
● When your session is invalid, check the GITKit cookie and if it's valid, load up a new session from it.
● If you notice it's a new user, use GITKit APIs to retrieve whatever information GITKit has on that user.
39. GITKit Session Management - Advanced
You can use GITKit to check if a multiply-logged-in user has changed their password in another session.
1. Maintain a global per-user last-password-change timestamp.
2. Whenever the GITKit cookie changes, retrieve last-password-change and update the timestamp. Also, extract and remember the timestamp of the cookie itself.
3. For each transaction, check the GITKit cookie timestamp against the last-password-change timestamp. If it’s earlier, end the session, delete the GITKit cookie, and force re-authorization.
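The three steps above as an added Python example, not code from the deck or from the GITKit libraries: it verifies the cookie (assuming an HS256-signed JWT under a constructed shared secret in place of the real GITKit signature check), loads a session that remembers the cookie's issued-at timestamp, and ends the session when that timestamp predates the user's last password change. The claim names `user_id`, `iat` and `exp` and the dict standing in for the per-user store are assumptions.

```python
import base64
import hashlib
import hmac
import json
# Assumption: the cookie is an HS256 JWT under a shared secret so the example verifies
# it offline with the stdlib; real GITKit tokens are checked with the GITKit server library.
SECRET = b"constructed-demo-secret"
LAST_PASSWORD_CHANGE = {}  # step 1: global per-user timestamp (stands in for your DB)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, secret=SECRET):
    """Mint a cookie for the example; in production GITKit issues it."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_cookie(token, now, secret=SECRET):
    """Return the claims if signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None  # tampered or not signed by the expected issuer
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= now:
        return None  # expired cookie
    return claims

def load_session(token, now):
    """Step 2: build a session from a valid cookie and remember its timestamp."""
    claims = verify_cookie(token, now)
    if claims is None:
        return None
    return {"user_id": claims["user_id"], "cookie_iat": claims["iat"]}

def check_session(session):
    """Step 3: a cookie issued before the user's last password change must re-auth."""
    changed_at = LAST_PASSWORD_CHANGE.get(session["user_id"], 0)
    if session["cookie_iat"] < changed_at:
        return "reauth"  # end the session, delete the cookie, force re-authorization
    return "ok"
```

Whatever signature check you substitute, keep it before any claim is read: the timestamp comparison only protects the user if the cookie's `iat` cannot be forged.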
40. Advanced Topics - Lost Password Handling
GITKit provides a CAPTCHA-protected password-change module. But it requires significant work from you.
1. Register a “Service Account” for your app in the Developer Console.
2. When you get the lost-password notification, use the Service-Account flow to get an offline-access token for GITKit.
3. Use the token to retrieve a one-time code.
4. Email a special callback URL including the code to the user; when they click it, the flow will complete.
41. What's coming for GITKit
● Non-email IDPs starting with Google+ Sign-in
● Support for IDPs that offer additional scopes and web widgets that use them
● Native library support for Android and iOS including interoperability with libraries from other IDPs
42. Questions? Thanks!
Documentation: Google Search 'Google Identity Toolkit'
Demo: favcolor.net/gat
Trusted Tester Sign-up: goo.gl/U3w3f
This deck: goo.gl/8pA1v