June 29, 2006

Google account authentication

Writing about web page http://code.google.com/apis/accounts/AuthForWebApps.html

Interesting to see that Google have released code which lets developers of web applications do one of two things with Google account data:

  1. The ClientLogin API lets you incorporate programmatic login into your desktop or mobile applications. This API incorporates CAPTCHA for greater security against password trollers.

  2. The AuthSub API gives your web application the ability to access a user's Google services accounts without handling the user's login information. This API offers a secure mode, in which the web application can register with Google for greater security.

So if your web application wants (say) to publish an event to a user's Google calendar then it can do so with the request for the user's Google username and password well integrated into the flow of your application rather than being a separate process. Once the login is done, your application gets a session token (which never expires, interestingly; it has to be explicitly revoked) and can then perform other tasks without re-authenticating. Tokens are issued per service, and different Google services can define different sets of operations which are acceptable.

You can also register your web application with Google, at which point it becomes trusted and the login screen which Google presents to the user is a bit less paranoid about whether the user should trust the third party application. To register, you need a self-signed certificate:

Prior to contacting Google, you will need to generate a public key. The public key must be a 1024-bit RSA key encoded in an X.509 certificate in PEM format. We suggest creating a self-signed certification rather than getting one from a central certificate authority.
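The certificate requirement quoted above can be met and checked with the `openssl` command-line tool. The following is an added example, not part of the original post or of Google's documentation; the function names, the 365-day validity and the subject name passed in are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, validity
# period and subject are assumptions; requires the openssl CLI.

# make_cert KEYFILE CERTFILE CN [BITS]
# Writes an unencrypted RSA private key and a self-signed X.509 certificate,
# both PEM encoded. BITS defaults to 1024, the size stated in the quoted
# requirement; pass a larger value where the relying service accepts one.
make_cert() {
    openssl req -x509 -nodes -newkey "rsa:${4:-1024}" \
        -keyout "$1" -out "$2" -days 365 -subj "/CN=$3" 2>/dev/null
}

# rsa_bits CERTFILE: print the size of the certificate's public key in bits.
rsa_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# is_pem CERTFILE: succeed if the file starts with a PEM certificate header.
is_pem() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'
}

# is_self_signed CERTFILE: succeed if subject and issuer names match and the
# signature verifies under the certificate's own public key.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# check_cert CERTFILE [BITS]: succeed only if all three properties hold.
check_cert() {
    is_pem "$1" && is_self_signed "$1" &&
        [ "$(rsa_bits "$1")" = "${2:-1024}" ]
}

# Usage (paths and name are placeholders):
#   make_cert key.pem cert.pem webapp.example.test && check_cert cert.pem
```

Only the certificate file is meant to be handed over at registration; the private key file stays with the web application.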

I wonder whether this gets groups like ours any closer to being able to regard some services as being devolved to third-party providers such as Google, and simply to share data with those services rather than owning them.

- 4 comments by 2 or more people

  1. Google have already withdrawn the AuthSub for the web. I'm not surprised, it sounded fairly shockingly insecure in the insecure mode. Yet again Google rushes out a service and regrets it :)

    29 Jun 2006, 16:44

  2. …and it's back again…

    30 Jun 2006, 09:29

  3. Photo Editor

    Is it really back again? Why can't I find it?

    25 Aug 2006, 02:45

  4. John Dale

    I don't know. The link at the top of this entry works for me.

    25 Aug 2006, 11:07
