The OpenID Connect FAQ says that one of the primary use cases is that it lets "site developers authenticate users without taking on the responsibility of storing and managing passwords".
Google+ Sign-In is an implementation of OpenID Connect. My understanding is that you register an app with Google, and you select the Google APIs that you want that app to have access to.
Would it be a valid use of Google+ Sign-In to only use the service for authentication (for a browser-based app), without using any Google APIs?
If that is a valid application of the service / technology, where is a good description of what the web application needs to do to integrate that authentication function, and what impact that has on the design of the web application's HTTP API and subsequent implementation?
You can certainly use Google+ Sign-In for authentication without API access since that is what OpenID Connect allows you to do. Upon return from Google your webapp will receive an
id_token
that identifies the user and anaccess_token
that you an use against Google's APIs. You can decide to just use the information in theid_token
and drop theaccess_token
.The spec is probably the best place to read up on this: http://openid.net/specs/openid-connect-core-1_0.html
For a sample implementation as an authentication module for the Apache webserver, see https://github.com/pingidentity/mod_auth_openidc