Google account authentication
Writing about web page http://code.google.com/apis/accounts/AuthForWebApps.html
Interesting to see that Google have released code which lets developers of web applications do one of two things with Google account data:
- The ClientLogin API lets you incorporate programmatic login into your desktop or mobile applications. This API incorporates CAPTCHA for greater security against password trollers.
- The AuthSub API gives your web application the ability to access a user's Google services accounts without handling the user's login information. This API offers a secure mode, in which the web application can register with Google for greater security.
So if your web application wants (say) to publish an event to a user's Google calendar then it can do so with the request for the user's Google username and password well integrated into the flow of your application rather than being a separate process. Once the login is done, your application gets a session token (which never expires, interestingly; it has to be explicitly revoked) and can then perform other tasks without re-authenticating. Tokens are issued per service, and different Google services can define different sets of operations which are acceptable.
You can also register your web application with Google, at which point it becomes trusted and the login screen which Google presents to the user is a bit less paranoid about whether the user should trust the third party application. To register, you need a self-signed certificate:
Prior to contacting Google, you will need to generate a public key. The public key must be a 1024-bit RSA key encoded in an X.509 certificate in PEM format. We suggest creating a self-signed certification rather than getting one from a central certificate authority.
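The requirement quoted above can be produced and checked with the openssl command line; this is an added example, not code from Google's documentation. The function names, file paths and the subject `webapp.example.org` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names, paths and the subject are constructed.
# Requires the openssl command-line tool.

# Create a self-signed X.509 certificate in PEM format with an RSA key of
# the given size. Arguments: bits, private key file, certificate file.
make_cert() {
    openssl req -x509 -nodes -newkey "rsa:$1" -days 365 \
        -subj "/CN=webapp.example.org" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Check a certificate against the quoted requirement: PEM X.509, RSA key,
# 1024 bits, self-signed. Prints "ok" or the first reason it fails.
# The self-signed test compares subject and issuer names only; it does not
# verify the signature.
check_cert() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "not a PEM X.509 certificate"; return 1; }
    echo "$text" | grep -q "Public Key Algorithm: rsaEncryption" || {
        echo "key is not RSA"; return 1; }
    # The label is "RSA Public-Key" or "Public-Key" depending on the
    # OpenSSL version, so match the common suffix.
    echo "$text" | grep -q "Public-Key: (1024 bit)" || {
        echo "RSA key is not 1024 bits"; return 1; }
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] || { echo "not self-signed"; return 1; }
    echo "ok"
}
```

Only the certificate file is what gets submitted for registration; the private key file written by `make_cert` stays with the web application.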
I wonder whether this gets groups like ours any closer to being able to regard some services as being devolved to third-party providers such as Google, and simply to share data with those services rather than owning them.