Google has recently added three important enhancements to our OAuth support:
- The ability to use OAuth without registration
- Support for software apps installed on a computer or mobile phone
- Additional controls for our Google Apps Premier and Education customers which allow administrators to give another web application access to a subset of the data Google stores for that organization
Below is an overview of each enhancement, or you can refer to our updated OAuth documentation.
1. The ability to use OAuth without registration

Based on consistent feedback from our developers, we added the ability to use OAuth without having to register the website ahead of time. This change is especially helpful for developers working on test servers that cannot be accessed directly from the Internet.
2. Support for software apps installed on a computer or mobile phone

Many of the larger enterprises that use the Google Apps service choose to run their own login system. They accomplish this by leveraging our support for the SAML protocol, which defines a way for Google to redirect the user to the company's login system to be authenticated before accessing their mailbox at Google. However, in this situation Google normally does not have a password for the user — especially if the enterprise authenticates the user with a password and with a second factor of authentication (such as a token generator they carry on a keychain). Unfortunately, there are many installed software applications created by both Google and ISV developers that use Google's APIs, and those applications are hardcoded to ask a user for their email and password using Google's ClientLogin API. With this new OAuth feature, the software application can now launch a web browser and start a process that both logs the user in through their central SAML login system and also gets the user's consent to access their data hosted at Google. Because the user authentication is done in the web browser, it will work with the enterprise's existing login system. Google is encouraging any ISV that uses the ClientLogin API to add support for this new OAuth flow, enabling usage by the large enterprise customers described above. Google is also planning to enhance our Google Apps Sync for Microsoft Outlook to support this feature, such that Outlook can be used with both Google Apps and an enterprise's central login system.
3. Additional controls for our Google Apps Premier and Education customers which allow administrators to give another web application access to a subset of the data Google stores for that organization

This feature for our Google Apps Premier customers enhances our existing OAuth for Google Apps domain administrators, also known as 2-legged OAuth. This feature enables domain administrators to allow specific IT apps or third party web services limited access to user accounts via a centralized permissions system under the control of the domain administrator. For example, with this new system, an administrator can use the Google Documents API to configure every user in the domain to have a Google Docs folder named "Human Resources" that is automatically populated with common employee forms. The company might also sign up with an Enterprise SaaS vendor such as Manymoon and specify that Manymoon can access the Google Calendars of all of their users, providing tighter integration with Manymoon's project scheduling features. Previously, this feature required giving the third party vendor access to all of the data that Google stored for that organization, but with this new feature, administrators can limit access to particular data sources (Calendar, Documents, etc). Refer to our documentation for more information.
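As an added illustration (not code from this post or from Google), here is how a 2-legged OAuth 1.0 request of the kind described in section 3 is signed by the third party and checked by the resource server: the consumer key and secret are constructed placeholders, the Calendar feed URL is illustrative, and xoauth_requestor_id, the query parameter that names the user whose data is being accessed, is assumed from Google's 2-legged OAuth documentation rather than taken from this post.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlparse

# Constructed placeholders: a real deployment uses the consumer key and secret that the
# domain administrator obtains from the Google Apps control panel.
CONSUMER_KEY = "example.com"
CONSUMER_SECRET = "CONSUMER_SECRET_PLACEHOLDER"
CALENDAR_FEED = "https://www.google.com/calendar/feeds/default/private/full"


def _enc(value):
    """Percent-encode as OAuth 1.0 requires: only RFC 3986 unreserved characters are kept."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & encoded base URL & encoded, sorted parameter string."""
    p = urlparse(url)
    norm = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _enc(f"{p.scheme}://{p.netloc}{p.path}"), _enc(norm)])


def sign(method, url, query, consumer_key, consumer_secret, nonce=None, timestamp=None):
    """Two-legged OAuth 1.0 signing: there is no access token, so the HMAC key is secret + '&'."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    # The query (including xoauth_requestor_id) is signed together with the oauth_* parameters,
    # so the third party cannot silently swap in a different user after signing.
    msg = base_string(method, url, {**query, **oauth}).encode()
    key = (_enc(consumer_secret) + "&").encode()
    oauth["oauth_signature"] = base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()
    return oauth


def verify(method, url, query, oauth, consumer_secret, now=None, max_skew=300):
    """Resource-server check: a stale timestamp or any change to the signed request is rejected."""
    if oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if abs((now or int(time.time())) - int(oauth["oauth_timestamp"])) > max_skew:
        return False
    expected = sign(method, url, query, oauth["oauth_consumer_key"], consumer_secret,
                    nonce=oauth["oauth_nonce"], timestamp=int(oauth["oauth_timestamp"]))
    return hmac.compare_digest(expected["oauth_signature"], oauth["oauth_signature"])
```

A production verifier would also remember recently seen nonces so that a captured request cannot be replayed inside the timestamp window.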
By Eric Sachs, Product Manager, Google Security