Google OpenID Connect for Authentication without using any Google APIs


The OpenID Connect FAQ says that one of the primary use cases is that it lets "site developers authenticate users without taking on the responsibility of storing and managing passwords".

Google+ Sign-In is an implementation of OpenID Connect. My understanding is that you register an app with Google, and you select the Google APIs that you want that app to have access to.

Would it be a valid use of Google+ Sign-In to only use the service for authentication (for a browser-based app), without using any Google APIs?

If that is a valid application of the service / technology, where is a good description of what the web application needs to do to integrate that authentication function, and what impact that has on the design of the web application's HTTP API and subsequent implementation?


There is 1 answer

Hans Z. On BEST ANSWER

You can certainly use Google+ Sign-In for authentication without API access since that is what OpenID Connect allows you to do. Upon return from Google your webapp will receive an id_token that identifies the user and an access_token that you can use against Google's APIs. You can decide to just use the information in the id_token and drop the access_token.

The spec is probably the best place to read up on this: http://openid.net/specs/openid-connect-core-1_0.html

For a sample implementation as an authentication module for the Apache webserver, see https://github.com/pingidentity/mod_auth_openidc