
Monday, January 22, 2018

Google Sign in into a website using redirect ux_mode

The Google JavaScript client library used for sign-in is built on the OpenID Connect protocol. The library uses the implicit flow, in which the tokens are returned to the browser in the URL fragment (the hash); that makes it a poor choice when the server itself needs to obtain tokens. It differs from the basic/server (authorization code) flow, in which only a short-lived authorization code is passed back as a URL query parameter and the server exchanges that code for the tokens. The server flow I describe in a separate post.

The Google Sign-In for Websites documentation provides only examples in which users sign in via a Google popup. I adapted their code so that the redirect, the other consent flow option, is used instead. I also added primitive backend code that processes the ID token. In my sample web application, saved to GitHub, the entire consent flow happens in one window without any popups, because initialization is launched with the following parameters:

gapi.auth2.init({
            client_id: clientId,                           // OAuth client id from the Google API console
            fetch_basic_profile: false,                    // only the 'email' scope is requested, not 'profile'
            scope: 'email',
            ux_mode: 'redirect',                           // full-page redirect instead of the default popup
            redirect_uri: 'http://localhost:8080/test/'    // must match a redirect URI registered for the client id
        })
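The browser side of that redirect flow, as an added example (not the post's code) written against the gapi.auth2 API documented for Google Sign-In for Websites (gapi.load, gapi.auth2.init, GoogleAuth.then/isSignedIn/currentUser/signIn/signOut and GoogleUser.getAuthResponse). CLIENT_ID, REDIRECT_URI, the backend path TOKEN_SIGNIN_URL and the `email`/`signout` element ids are placeholders and assumptions, not taken from the post:

```javascript
// Added example, not the post's code: the browser side of the redirect flow, written
// against the gapi.auth2 API that Google Sign-In for Websites documents. CLIENT_ID,
// REDIRECT_URI, TOKEN_SIGNIN_URL and the element ids used below are placeholders.
const CLIENT_ID = 'YOUR_CLIENT_ID.apps.googleusercontent.com';
const REDIRECT_URI = 'http://localhost:8080/test/'; // must be registered for CLIENT_ID in the API console
const TOKEN_SIGNIN_URL = '/test/rest/tokensignin';  // hypothetical backend REST resource

// The same parameters as in the post: no popup, only the email scope.
function buildInitConfig() {
  return {
    client_id: CLIENT_ID,
    fetch_basic_profile: false,
    scope: 'email',
    ux_mode: 'redirect',
    redirect_uri: REDIRECT_URI,
  };
}

// Runs on every page load once GoogleAuth is ready. When Google has just redirected back
// to REDIRECT_URI the library restores the session, so isSignedIn is true and the ID token
// (a JWT) is readable without any popup. Returns what the page should do next.
function readSignInState(auth2) {
  if (!auth2.isSignedIn.get()) {
    return { signedIn: false }; // show the Sign-In button; its click handler calls auth2.signIn()
  }
  const idToken = auth2.currentUser.get().getAuthResponse().id_token;
  return idToken ? { signedIn: true, idToken } : { signedIn: false };
}

// Hand the ID token to the backend in a POST body, never in a query string, so it does not
// end up in server logs, proxies or browser history. The backend verifies it and replies
// with JSON such as {"email": "..."}.
function postIdToken(idToken) {
  return fetch(TOKEN_SIGNIN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'idtoken=' + encodeURIComponent(idToken),
    credentials: 'same-origin',
  }).then((r) => r.json());
}

// Browser entry point (skipped when gapi is not loaded, e.g. under Node).
if (typeof gapi !== 'undefined') {
  gapi.load('auth2', () => {
    const auth2 = gapi.auth2.init(buildInitConfig());
    auth2.then(() => {
      const state = readSignInState(auth2);
      if (!state.signedIn) return; // welcome page with the Sign-In button
      postIdToken(state.idToken).then(({ email }) => {
        document.getElementById('email').textContent = email;
        document.getElementById('signout').onclick = () =>
          auth2.signOut().then(() => location.reload());
      });
    }, (err) => console.error('gapi.auth2.init failed', err));
  });
}
```

The ID token is read only after gapi.auth2.init has resolved; reading `currentUser` before that returns an empty user, which is the usual cause of "works with popup, breaks with redirect" reports.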

The application can be deployed to Tomcat or any other servlet container, but first a client id must be generated in the Google API console and copied into the Constants class. The redirect URI passed to gapi.auth2.init (and the page's origin) must be registered for that client id in the console; otherwise Google refuses the redirect with a redirect_uri_mismatch error.

For unauthenticated users the welcome page displays only the standard Google Sign-In button, which meets Google's strict branding guidelines.

On clicking the button the browser is redirected to the Google authentication page.

If the user has only one Google account and is already signed in, they are immediately redirected back to the original page. Otherwise the user has to select which account to sign in with, and after authenticating is redirected back to the original page. To imitate a complete authentication process, the page forwards the ID token received from Google to a REST resource in the Java backend. The backend processes the token and sends back JSON with the user's email. Before trusting anything in that token the backend must verify it: the RS256 signature against Google's published public keys, the issuer (accounts.google.com or https://accounts.google.com), the audience (your own client id) and the expiry time; a token that merely decodes proves nothing, because anyone can construct one. So for authenticated users the only page displays their email, as received from the Java backend, and a link for signing out.
