Cross-Platform SSO technology
By Tim Bray, Google Identity Team
During the Android portion of the Google I/O keynote, we showed Cross-Platform Single Sign-On;
the effect was that for Wallet and Google+ users, signing in to a Web browser resulted in
automatic download of, and sign-in to, an Android app.
To support this, we have introduced general-purpose API tools which allow developers to
achieve cross-client authentication and authorization, in particular between Android and Web
apps.
Not having to sign in repeatedly feels so natural for users that they don’t even notice it.
But as more and more apps deploy this sort of magic, you don’t want to be the hold-out that’s
pestering users for passwords on Web sites or, worse, on tiny mobile-device keyboards.
On the Android side, client libraries like PlusClient, GamesClient, and WalletClient have “connect” methods that take care of this as automatically
as possible; they check whether any of the accounts on the phone have already been authorized
for access to the service in question, conduct sign-in if necessary but avoid it if possible,
and when they return to your code, everything’s all set up.
If you’re writing server-side code and using libraries like Google+ Sign-In, once again, all
the right things happen automatically; when you start accessing the service, the software
imposes the minimum necessary pain on the user, ideally zero, and lets you get to work.
Of course, some people want less automation, and finer control over how things work. If you
want to access our services at the HTTP level rather than via a library, or to deal with
multiple accounts on an Android device in a customized way, you can do these things and in
most cases still deliver the no-sign-in magic.
Naturally, this involves working with HTTP message flows, validating tokens, and securing
shared secrets. This may sound intimidating but will be straightforward for anyone well-versed in
HTTP-level Web programming. If you’re one of those, check out the low-level protocols and APIs
that support this, in “Cross-Client Identity”.
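The token-validation step mentioned above is where a cross-client setup is most often gotten wrong: the web backend receives an ID token that was obtained by the companion Android app, and it must confirm that the token was signed by the identity provider, has not expired, was issued for this backend’s own client ID (`aud`), and was requested by one of the project’s known clients (`azp`). The following is an added example, not code from this post or from Google’s libraries. It uses the standard OpenID Connect claim names, but the client IDs, the subject, and the signing key are constructed here; real Google ID tokens are RS256-signed and must be checked against Google’s published public keys, so the HMAC signature below is only an offline stand-in for that step.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values: the web backend's own OAuth client ID and the companion
# Android app's client ID, both belonging to the same project (assumptions).
WEB_CLIENT_ID = "web-client.example"
ANDROID_CLIENT_ID = "android-client.example"
KNOWN_CLIENTS = {WEB_CLIENT_ID, ANDROID_CLIENT_ID}
TRUSTED_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Constructed stand-in key so the example runs offline. Production ID tokens are
# RS256-signed; verify them against the provider's published keys instead.
SHARED_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Build a compact JWT. Stands in for the provider; a backend never mints these."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"


def validate_token(token: str, now: Optional[float] = None,
                   key: bytes = SHARED_SECRET) -> dict:
    """Return the claims if the token is acceptable for this backend, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts

    # Pin the algorithm; never let the token choose how it is verified.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Check the signature before trusting anything in the body.
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    # aud must be this backend; a token minted for someone else's site is not ours to accept.
    if claims.get("aud") != WEB_CLIENT_ID:
        raise ValueError("token not meant for this backend")
    # azp is the client that requested the token; it must be one of our own apps.
    if claims.get("azp") not in KNOWN_CLIENTS:
        raise ValueError("authorized party is not one of our clients")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def rejection_reason(token: str, now: Optional[float] = None,
                     key: bytes = SHARED_SECRET) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_token(token, now, key)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    fixed_now = 1_700_000_000
    good = mint_token({"iss": "accounts.google.com", "aud": WEB_CLIENT_ID,
                       "azp": ANDROID_CLIENT_ID, "sub": "constructed-user",
                       "exp": fixed_now + 3600})
    print("accepted subject:", validate_token(good, now=fixed_now)["sub"])
    wrong_site = mint_token({"iss": "accounts.google.com", "aud": "other-site.example",
                             "azp": ANDROID_CLIENT_ID, "sub": "constructed-user",
                             "exp": fixed_now + 3600})
    print("rejected because:", rejection_reason(wrong_site, now=fixed_now))
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is pinned rather than taken from the token, and `aud` is compared against the backend’s own client ID rather than merely checked for presence. Accepting any token from a trusted issuer without the `aud` and `azp` checks would let a token obtained by an unrelated application sign a user in to your site.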
The time is now to start moving your apps towards a sign-in-free future.
Tim says: By day, I help in the struggle against passwords on the Internet.
The rest of my life is fully documented on my blog.
Posted by Scott Knaster, Editor