OpenID + OAuth

May 20, 2010 Appirio

Jeff Morgan

What are OpenID and OAuth?
Authentication and authorization are commonly discussed together, and OpenID and OAuth are grouped together in the same way because they provide authentication and authorization respectively. While both OpenID and OAuth have been available as options to Google developers for a while, they now take on more significance with the introduction of the Google Apps Marketplace. In fact, using these two standards is a requirement when integrating a web application with the Google Apps Marketplace.

OpenID is an emerging standard that provides authentication between a provider and a relying party (typically a web application). In the context of Google Apps it allows a web application to use Google as the authentication provider. This federated authentication approach is commonly used to provide Single Sign-On (SSO) to another web application. The beautiful part of SSO is that once a user has authenticated in their Google Apps domain, access to any third-party Marketplace application in their domain is transparent.

There are two flavors of OAuth: two-legged and three-legged OAuth. While both are available for use with many Google Data APIs, there are important differences that must be understood in order to know when to use each. Two-legged OAuth authorizes domain-wide access to Google Apps domain user data at an administrator level. Three-legged OAuth authorizes access to only one user's data, granted by that user. In general, if you understand these main differences, deciding which OAuth option to use becomes easier. The Google Apps Marketplace supports two-legged OAuth, since it makes sense to authorize access at the domain level by the administrator. Marketplace applications are then available to all Google Apps domain users, with no need for each user to grant authorization.
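The practical difference between the two flavors shows up in the signature: a two-legged request carries no user-granted token, only the application's consumer key and secret plus the xoauth_requester_id parameter that Google's two-legged OAuth used to name the user whose data is being read. The example below is added here and is not code from the post or from Google's libraries; it signs a two-legged request with OAuth 1.0a HMAC-SHA1 and, for the defender's side, verifies one, rejecting stale or tampered requests. The URL, consumer key, secret, nonce and requester are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters are left as-is."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0a signature base string: METHOD & base URL & normalized params."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(consumer_secret, base_string):
    # Two-legged OAuth has no access token, so the signing key is just "<consumer secret>&".
    key = (pct(consumer_secret) + "&").encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_two_legged(method, url, params, consumer_key, consumer_secret, requester, nonce, timestamp):
    """Produce the oauth_* parameters a Marketplace app attaches to a two-legged request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
        # The user whose data is requested: in 2LO the app asserts this; the user never consents.
        "xoauth_requester_id": requester,
    }
    oauth["oauth_signature"] = hmac_sha1(consumer_secret, signature_base_string(method, url, {**params, **oauth}))
    return oauth


def verify_two_legged(method, url, params, oauth, consumer_secret, now, max_skew=300):
    """Server-side check: recompute the signature and reject stale or tampered requests."""
    supplied = oauth.get("oauth_signature", "")
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    if abs(now - int(unsigned.get("oauth_timestamp", 0))) > max_skew:
        return False  # outside the replay window (a real server also tracks seen nonces)
    expected = hmac_sha1(consumer_secret, signature_base_string(method, url, {**params, **unsigned}))
    return hmac.compare_digest(expected, supplied)
```

Because the requester is covered by the signature, changing xoauth_requester_id after signing invalidates the request; the consumer secret alone is what protects every user's data in the domain, which is why it must be guarded like an administrator credential.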

Bringing them both together is now also supported by Google. Sometimes referred to as the Hybrid Protocol, OpenID has been extended to support OAuth. While this may be useful in certain situations, the approach is now less relevant in the Google Apps Marketplace: the Marketplace manifest configuration file supports two-legged OAuth, making it unnecessary to obtain an OAuth token during the OpenID process. It is also important to understand this distinction when writing Marketplace applications, because OpenID and OAuth are often grouped together not just because of the hybrid option but because each by itself plays an important role in developing applications on the Google Apps platform.

Learn More

Google IO Session
OpenID-based single sign on and OAuth data access for Google Apps

Resource Links
Implementing OAuth with Federated Login
OAuth Support in Google’s Federated Login API
