Google moves towards single sign-on with OpenID
By Eric Sachs, Google Security Team

Currently users are required to create individual passwords for many websites they visit, but users would prefer to avoid this step so they could visit websites more easily. Similarly, many websites on the Internet have asked for a way to enable users to log into their sites without forcing them to create another password. If users could log into sites without needing another password, it would allow websites to provide a more personalized experience to their users.

In September we announced some research that we shared as part of an effort by the OpenID community to evaluate the user experience of federated login. Other companies like Yahoo have also published their user research. Starting today, we are providing limited access to an API for an OpenID identity provider that is based on the user experience research of the OpenID community. Websites can now allow Google Account users to log in to their website by using the OpenID protocol. We hope the continued evolution of OpenID's technical features, together with the improvements in user experience, will lead to a solution that can be widely deployed for federated login. One of the companies using this new service is www.zoho.com. Raju Vegesna at ZoHo says that "We now offer all our users the ability to login to ZoHo using their Google Account to avoid the need to create yet another login and password."

The initial version of the API will use the OpenID 2.0 protocol to enable websites to validate the identity of a Google Account user, including the optional ability to request the user's e-mail address. Below is an example of the flow that a user might see if he or she starts at a website that uses this new feature:

The website could use a modified login box that looks like the one below. If the user enters a Gmail address and indicates that he or she does not have a password for this site, then the site can redirect him or her to Google.

The user would then be taken to the Google website and asked to confirm whether he or she wants to sign in to KidMallPics.

Finally, the user would be redirected back to KidMallPics, where he or she would be immediately signed in.
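
The website's side of the flow above, as an added example that is not Google's code or part of the original post: it builds the OpenID 2.0 redirect that asks for the e-mail address, then runs the checks a site should make on the redirect back before signing the user in. Assumptions: the `op.example` and `rp.example` URLs are placeholders, the e-mail is requested through the Attribute Exchange extension under the alias `ax`, and an HMAC-SHA256 association key was already agreed with the provider.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode

OP_ENDPOINT = "https://op.example/auth"         # placeholder provider endpoint (assumption)
RETURN_TO = "https://rp.example/openid/return"  # hypothetical relying-party URL
NS = "http://specs.openid.net/auth/2.0"
SELECT = NS + "/identifier_select"              # let the provider choose the account
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
             "claimed_id", "identity", "ax.value.email"}

def build_auth_request():
    """Redirect URL that sends the browser to the provider and asks for the e-mail."""
    return OP_ENDPOINT + "?" + urlencode({
        "openid.ns": NS, "openid.mode": "checkid_setup", "openid.realm": "https://rp.example/",
        "openid.claimed_id": SELECT, "openid.identity": SELECT, "openid.return_to": RETURN_TO,
        "openid.ns.ax": "http://openid.net/srv/ax/1.0", "openid.ax.mode": "fetch_request",
        "openid.ax.required": "email", "openid.ax.type.email": "http://axschema.org/contact/email"})

def sign(params, mac_key):
    """HMAC-SHA256 over 'field:value\\n' for each field named in openid.signed."""
    fields = params.get("openid.signed", "").split(",")
    text = "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in fields)
    return base64.b64encode(hmac.new(mac_key, text.encode(), hashlib.sha256).digest()).decode()

def verify_assertion(params, mac_key, seen_nonces):
    """Checks on the redirect back; returns (claimed_id, email) or raises ValueError."""
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if (params.get("openid.return_to"), params.get("openid.op_endpoint")) != (RETURN_TO, OP_ENDPOINT):
        raise ValueError("return_to or provider mismatch")
    missing = MUST_SIGN - set(params.get("openid.signed", "").split(","))
    if missing:  # an e-mail value outside the signed list proves nothing about the user
        raise ValueError(f"unsigned fields: {sorted(missing)}")
    if not hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", "")):
        raise ValueError("bad signature")
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:  # each provider response may be accepted only once
        raise ValueError("replayed response")
    seen_nonces.add(nonce)
    return params["openid.claimed_id"], params["openid.ax.value.email"]

def sample_assertion(mac_key):
    """Constructed provider response, for demonstration only."""
    user = "https://op.example/id?u=1"
    p = {"openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RETURN_TO,
         "openid.assoc_handle": "h1", "openid.response_nonce": "2008-01-01T00:00:00Zabc",
         "openid.claimed_id": user, "openid.identity": user,
         "openid.ax.value.email": "user@example.com", "openid.signed": ",".join(sorted(MUST_SIGN))}
    p["openid.sig"] = sign(p, mac_key)
    return p
```

The e-mail address is only as trustworthy as the signature covering it, which is why `ax.value.email` is in the must-be-signed set alongside the identity fields.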

More information about this new API can be found on the OpenID page in Google Code. To request access to the limited trial, please visit our Google Federated Login discussion group and register using the online registration form.

Google is also working with the open source community on ways to combine the OAuth and OpenID protocols in the future. That way a website can not only request the user's identity and e-mail address, but can also request access to information available via OAuth-enabled APIs such as Google Data APIs as well as standard data formats such as Portable Contacts and OpenSocial REST APIs. In the future, this should allow a website to immediately provide a much more streamlined, personalized and socially relevant experience for users when they log in to trusted websites.