The document discusses cross-platform authentication using Google+ Sign-In. It covers how Google+ Sign-In provides a trusted authentication solution that works across devices and platforms. It also outlines the key features of Google+ Sign-In including secure authentication, learning about users with consent, and single sign-on across devices. The document then details how Google+ Sign-In can be implemented on web, Android, and iOS platforms including setting up projects, integrating authentication libraries, and handling the sign-in process. It concludes with best practices, common pitfalls to avoid, and resources for learning more.
7. What is Authentication?
αὐθεντικός (Greek): “that comes from the author” / authentic / original / genuine
Authentication: the act of confirming the truth of an attribute of a datum or an entity.
12. On the shoulders of Giants…
https://www.flickr.com/photos/govwin/5609940697/
Use an identity provider
• Easier for you
• Easier for the user
• Established, trusted brand
• Focus on your business model
(rather than re-inventing the wheel)
http://www.nasa.gov/centers/dryden/images/content/690557main_SCA_Endeavour_over_Ventura.jpg
15. Google+ Sign-in Features
Secure Authentication
• Google: trusted brand
• 2-factor verification, using your phone
• Works alongside existing sign-in systems
Learn more about your users (with their consent)
16-23. Sign-in to web site
Google+ Sign-in Features
Cross-Device Single Sign-on and Over-the-Air Install (OTA)
• OTA consent dialog
• OTA installation
• Auto signed in on other device
28-30. Developer Console Project
Setting up
https://developers.google.com/console
APIs
Credentials
• iOS Client ID
• Android Client ID
• Web Client ID
Branding
Permissions
Management
One project, multiple clients
Authorization is granted to your application, not a specific client!
* Single user consent across devices
* Cross-Device Single Sign-on
* Available for Web & Android
31. The Auth Triangle
Client, Server (you) and Google APIs (Google) form a triangle; the connecting lines need authentication.
34. Client Authentication: Android
Overview
• Create OAuth 2.0 client ID
• Link with Google Play Services API
• Setup Sign-In
35. Client Authentication: Android
SDK Architecture
Your App → Google Play Client Library → Google Play Services APK → Google APIs
Authorize using existing accounts on Android device
37-38. Client Authentication: Android
Handle connection failure
public void onConnectionFailed(ConnectionResult result) {
    if (!mIntentInProgress && result.hasResolution()) {
        try {
            // Launch the resolution UI (account picker, consent screen, ...)
            // and wait for its result in onActivityResult with RC_SIGN_IN.
            mIntentInProgress = true;
            startIntentSenderForResult(result.getResolution().getIntentSender(),
                    RC_SIGN_IN, null, 0, 0, 0);
        } catch (SendIntentException e) {
            // The intent was canceled before it was sent. Return to the default
            // state and attempt to connect to get an updated ConnectionResult.
            mIntentInProgress = false;
            mApiClient.connect();
        }
    }
}
Java
User needs to select account, consent to permissions, ensure network connectivity, etc. to connect
39. Client Authentication: Android
Connection successful
public void onConnected(Bundle connectionHint) {
    // Retrieve some profile information to personalize our app for the user.
    Person currentUser = Plus.PeopleApi.getCurrentPerson(mApiClient);
    // Indicate that the sign in process is complete.
    mSignInProgress = STATE_DEFAULT;
}
Java
44. Client Authentication: iOS
Perform Sign-In, Option 2 (create your own button / use action sheet / …)
// trigger sign-in
[[GPPSignIn sharedInstance] authenticate];
Objective-C
Silent sign-in if user has signed in before:
// silently sign in
[[GPPSignIn sharedInstance] trySilentAuthentication];
Objective-C
46. Client Authentication: Web
Overview
• Create OAuth 2.0 client ID
• Include JavaScript client on your web page
• Add Google+ Sign-in button
• Handle callback
49. Client Authentication: Web
Handle authorization callback
function onSignInCallback(authResult) {
  if (authResult['access_token']) {
    // Successfully authorized
  } else if (authResult['error']) {
    // User is not signed in.
  }
}
JavaScript
51. One-Time-Code Flow
Participants: Client, Server, Google APIs
1: Client-side auth request (Client → Google APIs)
2: OAuth 2.0 dialog triggered
3: access_token, one-time code, id_token (Google APIs → Client)
4: one-time code (Client → Server)
5: exchange one-time code for access_token and refresh_token (Server → Google APIs)
6: access_token, refresh_token (Google APIs → Server)
7: “fully logged in” (Server → Client)
53. Server Auth: One-Time Code
Handle authorization callback
function signInCallback(authResult) {
  if (authResult['code']) {
    // Send the one-time code to the server, which exchanges it for tokens.
    $.ajax({
      type: 'POST',
      url: 'plus.php?storeToken',
      contentType: 'application/octet-stream; charset=utf-8',
      success: function(result) {
        // Handle or verify the server response if necessary.
        console.log(result);
      },
      error: function() {
        $('#results').html('Failed to make a server-side call.');
      },
      processData: false,
      data: authResult['code']
    });
  } else if (authResult['error']) {
    console.log('There was an error: ' + authResult['error']);
  }
}
JavaScript
54. Server Auth: One-Time Code
Exchange one-time code
$code = $request->getContent();

// Exchange the OAuth 2.0 authorization code for user credentials.
$client->authenticate($code);

$token = json_decode($client->getAccessToken());

// Verify the token
...

// Store the token in the session for later use.
$app['session']->set('token', $client->getAccessToken());
$response = 'Successfully connected with token: ' . print_r($token, true);
PHP
56. Best practices and Common Pitfalls
Common Pitfalls
Guidelines
Best practices
Useful resources
57. Guidelines
• Use our client libraries (they’re well debugged) instead of rolling your
own HTTP requests
• Provide a way for the user to sign out / disconnect your app
• Use “Sign in with Google” when labelling your sign in buttons. Don’t use
“Sign in with Google+”
• Equal rights to everyone: sign-in buttons should be equally sized for all
networks you support
• Ask only for permissions you really need. Also, consider using
incremental auth - this will likely increase sign-up rates.
58. Pitfalls: iOS
• Not providing a URL type for callback
• Not providing the ApplicationDelegate application:openURL:sourceApplication:annotation: callback, or failing to call GPPURLHandler handleURL:sourceApplication:annotation:
59. Best practices and Common Pitfalls
Use | Stop using (deprecated)
profile (for basic login) | https://www.googleapis.com/auth/userinfo.profile
plus.login (if you need more info about a user. Includes profile) |
email (the user’s email address) | https://www.googleapis.com/auth/userinfo.email
62. Review
Cross-Platform Auth With Google+ Sign-in
• Do not build your own authentication system
• Google+ makes authentication easy
• Authentication models depend on architecture
• Learn more: check out our Quickstarts at https://developers.google.com/+/ and https://github.com/googleplus