Google's focus:
- OAuth2
  - framework -> no guarantee on interoperability
  - core is frozen
- OpenID Connect
  - protocol
  - based on OAuth2
  - "OAuth2 for login"
JavaScript-only flow:
- register for a client id + select APIs ("scopes")
- redirect to google.com in a popup
- access token is returned
- 3600s timeout -> re-logon after that
- optionally use the gapi library (Apache license)
- redirect back to the original page + use the access token to access the Google APIs
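The JavaScript-only flow above, as an added example (not code from the talk or from Google's gapi library): build the popup URL, parse the access token that comes back in the URL fragment, and track the 3600s expiry so the page knows when to re-logon. The authorization endpoint URL, client id, redirect URI and scopes are assumed placeholders; the `state` check is a standard OAuth2 measure, not something the notes mention.

```javascript
// Assumed endpoint; replace with the one Google documents for your client.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Step 1: build the URL opened in the popup. `state` is a random value the
// page keeps (e.g. in sessionStorage) so the response can be tied to this
// request and responses for other requests are rejected.
function buildAuthUrl({ clientId, redirectUri, scopes, state }) {
  const u = new URL(AUTH_ENDPOINT);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "token"); // JS-only: token, no code
  u.searchParams.set("scope", scopes.join(" ")); // the selected APIs
  u.searchParams.set("state", state);
  return u.toString();
}

// Step 2: the popup is redirected back with the token in the URL fragment
// (fragments are not sent to the server, so the token stays in the browser).
// Returns null when the state does not match the one this page generated.
function parseTokenResponse(redirectedUrl, expectedState, now = Date.now()) {
  const fragment = new URL(redirectedUrl).hash.replace(/^#/, "");
  const p = new URLSearchParams(fragment);
  if (p.get("error")) return { error: p.get("error") };
  if (p.get("state") !== expectedState) return null;
  const expiresIn = Number(p.get("expires_in") || 0); // Google: 3600 s
  return {
    accessToken: p.get("access_token"),
    tokenType: p.get("token_type"),
    expiresAt: now + expiresIn * 1000, // after this the user must re-logon
  };
}

function isExpired(token, now = Date.now()) {
  return now >= token.expiresAt;
}

// Step 3: the header used when calling a Google API with the token.
function authHeader(token) {
  return { Authorization: `${token.tokenType} ${token.accessToken}` };
}
```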
Server-side API:
- register to get a "super-secret" client id
- no popup needed
- redirect to Google
- extra server-side step: get the code (authorization code)
- logon not limited in time (occasional server-side refresh of the access token needed)
Mobile:
- embedded browser: no SSO -> re-logon
- call external browser: less user-friendly / extra security measures needed
- Android specific: GoogleAuthUtil
Other:
- AccountChooser framework (JavaScript-based)