14

I am trying to support "Hybrid" Federated Login and OAuth2 (using logic from this document) for a web service which will:

  1. support "Sign in using your Google account" on my site. That is, from the documentation: "You can also choose to use Google's authentication system as a way to outsource user authentication for your application. This can remove the need to create, maintain, and secure a username and password store."
  2. Access the user's Google Analytics.

Here are the steps I have done.

  1. I form my request to https://accounts.google.com/o/oauth2/auth with the scopes (Google Analytics) I want access to.
  2. I get redirected to Google, where it has my icon and which scopes I am requesting access to. I grant access.
  3. I get redirected back to the callback page.
  4. I get the tokens (access and refresh), as well as a huge id_token string (which I don't know) and store all of this information in my database.
  5. I then make a call to https://www.googleapis.com/oauth2/v1/userinfo?access_token=xxxyyyzzz to get the user's email and name and store this information in my database too. I also notice it returns an id field which to my knowledge never changes and I presume is some sort of unique identifier. I store this too.

Question: If I go to the "Authorized Access to your Google Account" section in my Google account, it shows that my site has access to "Google Analytics". BUT, it does not say "Sign in using your Google account". This is what I am trying to accomplish. I would have thought using the logic would enable "Sign in using your Google account". What am I doing wrong? And what would be the applicable call to Google so that users can sign in to my site?

M Schenkel
  • Do you want the user to auto login themselves if they log out from your application? – Umesh Awasthi Dec 07 '11 at 13:57
  • If they log-out from my application they will click a "Sign in with Google" button to get back in. This will then redirect them to Google to "authenticate" against my site. They then are bounced back to my site and are logged-in. – M Schenkel Dec 07 '11 at 15:39
  • 1
    I am now confused what exactly is your question :) – Umesh Awasthi Dec 07 '11 at 15:44
  • I edited the question so that hopefully it will make more sense. Check it out now. – M Schenkel Dec 11 '11 at 01:46
  • 1
    If you go through steps 1-5 above, you've logged in via Google. If you then go to the 'Authorized Access...' settings in your Google Account, you should not see the option to sign in because you've just signed in, afaik... – Sean M Dec 13 '11 at 17:18
  • Guessing that you might have to expand scopes to include something else... What 'scopes' have you requested? – sandeepkunkunuru Dec 13 '11 at 18:28
  • @SeanM: this is not to sign into Google, but to use Google Sign-In to authenticate on my site. – M Schenkel Dec 15 '11 at 14:00
  • @kunkunur: just Google Analytics; I was thinking along these lines too. But there does not seem to be a scope for "Sign in using your Google Account". – M Schenkel Dec 15 '11 at 14:00
  • 1
    Can you please clarify what you mean by "Sign in using your Google account"? When Google redirects the user to your website with her info, she has signed in to your website using her account. What do you additionally expect? – Ali Shakiba Sep 08 '12 at 06:43

4 Answers

1

If your site has access to something like your Contacts or Analytics using OAuth, you'll never see "Sign in using your Google account". I'm pretty sure that's only if you use OpenID (not OAuth) only for sign-in.

Specifically, OAuth is used for giving you access to APIs to create/update/delete data, while OpenID is for signing in.

Ryan Shillington
  • 1
    OAuth 2.0 is being used for sign on these days. See https://developers.google.com/accounts/docs/OAuth2Login – Steve Bazyl Jul 13 '12 at 00:08
  • 3
    Yes, OAuth is used for sign in, but the "Sign in using your Google account" text is only for OpenID. No amount of fiddling with OAuth will make that button appear in your Google Account. – Ryan Shillington Jul 25 '12 at 03:45
0

If you are asking how to identify the user for future logins, you have two options:

  • Mix OAuth with OpenID, which is called Hybrid. I have described it in this answer.

  • Use the userinfo scope and request userinfo (email, etc.) after successful OAuth authorization. It is described in the Google OAuth 2 documentation.

If you mean automatically logging in to your web site on future visits, you can use OpenID "immediate mode" (openid.mode parameter).

Ali Shakiba
0

When the user is redirected back, you call the second request from your own (server-side?) code, and get their email address. When you successfully get it, that means that the user is logged on. You can add it to the session (e.g. as a cookie), and as long as you have it, the user is logged on. You make the user log out by forgetting the email address, so by clearing the session/cookies.

Jeroen Kransen
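
An added example, not part of any answer here and not Google's code: the id_token from step 4 of the question is a JWT whose payload identifies the user, so the server-side login described in the answer above can key the session on it. The claim names (iss, aud, sub, exp) follow OpenID Connect and are assumptions, as are the function names and sample values; the signature is not checked, which is acceptable only when the token came straight from Google's token endpoint over TLS.

```python
import base64
import json
import time

# Issuer strings Google uses in its ID tokens.
GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")


class IdTokenError(ValueError):
    """Raised when the id_token must not be used to log a user in."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def read_id_token_claims(id_token: str, client_id: str, now: float = None) -> dict:
    """Decode the JWT payload and check its claims. Does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise IdTokenError("not a three-part JWT")
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise IdTokenError("payload is not base64url JSON") from exc
    if not isinstance(claims, dict):
        raise IdTokenError("payload is not a JSON object")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise IdTokenError("unexpected issuer")
    if claims.get("aud") != client_id:  # token was minted for a different app
        raise IdTokenError("audience is not this client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise IdTokenError("token expired or exp missing")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise IdTokenError("no subject identifier")
    return claims


def make_sample_token(claims: dict) -> str:
    """Constructed test input: a JWT-shaped string with a dummy signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), _b64url(b"dummy")])


# Constructed sample claims; every value here is made up for the example.
SAMPLE = {"iss": "accounts.google.com", "aud": "example-client-id",
          "sub": "110000000000000000001", "email": "user@example.com", "exp": 2000000000}

if __name__ == "__main__":
    c = read_id_token_claims(make_sample_token(SAMPLE), "example-client-id", now=1700000000)
    print("session key:", c["sub"], "| display only:", c["email"])
```

Keying the session on the stable subject identifier rather than the email address keeps the account mapping intact if the user's address changes.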
0

Add this parameter to the https://accounts.google.com/o/oauth2/auth URL call: approval_prompt=force and then the "Sign in using your Google account" will always show regardless of whether the user was already signed into that or any other account.

So the call would be like this: https://accounts.google.com/o/oauth2/auth?client_id=<client id>&redirect_uri=<uri>&scope=<scope>&access_type=<online or offline>&response_type=code&approval_prompt=force

Anand