Google Data

Posted by Yariv Adan, Google Security Team

We are happy to announce an important enhancement to our recently launched OpenID endpoint. Google now supports the "Hybrid Protocol", combining OpenID federated login together with OAuth access authorization. Websites can now ask Google to sign-in a user using their Google Account, and at the same time request access to information available via OAuth-enabled APIs such as the Google Data APIs.

For example, the website www.Plaxo.com is an early adopter of the new service and has already released a beta version supporting it for some of its new users. Plaxo's UI provides both a richer sign-in offering, using the Federated Login OpenID API, and a simple and secure way to import their Google Contacts using OAuth. In the past, sign-in required multiple redirects between Plaxo and Google, and more importantly, multiple user approval pages, one for OpenID during sign-in and another for the OAuth access authorization request. No more!

The Hybrid Protocol allows Plaxo to encapsulate their OAuth authorization request inside the OpenID authentication request, letting Google know that the user wants to use both APIs. Google can now display a single approval page for both requests. Here is how the new user experience looks:

In their sign in page, Plaxo offers their users the option to sign in using their Google Account and import their Gmail Contacts.



The user is then redirected to the Google website and asked to confirm both sign in and access authorization requests.



Finally, the user is redirected back to Plaxo, where she is already signed in and her Google contacts are available. If it's the first time the user signed-in using the Federated Login API, an additional instructive window will be displayed to ensure that the next sign-in experience will be as easy and successful as the first.



Not only does the protocol allows a much better user experience as shown above, it also reduces the total number of browser redirects and roundtrips, reducing overall latency.
To learn more about this new API see http://groups.google.com/group/google-federated-login-api/web/oauth-support-in-googles-federated-login-api. To make it easier for you to use the new API, we created a collaborative Open Source project together with other major vendors where you can download open source implementations for your Relying Party component. You are invited to contribute your own code and suggested best practices to this website.

The Hybrid Protocol is a result of the ongoing effort by the OpenID and OAuth communities to make these protocols more useful for users and websites. Google is working together with the OpenID community to standardize the new protocol as a formal OpenID extension. If you want to help further these efforts and have an impact on what the next advancements are, you are welcome to join the OpenID and OAuth mailing lists.

If you're interested in looking at some code, check out our working sample using the Google Data PHP client library. The source code is available here.