Google Identity Toolkit

Google Apps Marketplace Integration

One of the key features of Apps Marketplace is the use of federated login with OpenID to avoid the need for Google Apps users to manually create new accounts at a vendor's website. GITkit provides tools to help improve the user experience using a technique called an "account chooser."

The main GITkit documentation describes how to do a basic integration with the GITkit widget and APIs to enable federated login and the account chooser. This page will explain how to further modify your website to support use cases specific to Marketplace apps.

Contents

  1. User identifiers
  2. No "Google Apps" button
  3. Realm support
  4. OAuth2 tokens
  5. Federated login from URL

User identifiers

GITkit simplifies the process of using OpenID by reducing the need for websites to treat OpenID URLs as identifiers, so they can just look at the email address. Importantly, GITkit will only provide you with the user's email address if your website should trust it. It automatically handles the extra security logic needed to avoid some potential security holes when an identity provider's email assertion should not be trusted. The user's OpenID URL is still available if you need it for advanced integration, such as handling user renames or some advanced API integrations such as using gadgets. However, as Google moves from OAuth1 to OAuth2 for API integration, the need to worry about OpenID URLs will be reduced further.

No "Google Apps" button

You may notice that the buttons to add an account do not include a Google Apps button. That is because Google made a major transition to merge the concepts of a Google Account and a Google Apps account. All Google Apps users will be able to add an account to the account chooser on your site by entering their email address, and with some minor exceptions they can also just click the Google mail button. If you really want a "Google Apps" button, just change the configuration of your widget in the Developers Console and use the new JavaScript snippet that it generates. However, we strongly advise against adding it because of the user confusion created by having two Google buttons.

Realm support

Many Marketplace apps log users into a "realm", or a set of domains. If you have one configured in your Marketplace manifest, you need to enter this exact same realm in your Developers Console configuration. You can learn more about realms in the Apps Marketplace documentation.

OAuth2 tokens

Apps Marketplace initially only supported OAuth1, but Google is in the process of adding OAuth2 for Apps Marketplace. Once that support is formally launched, you will be able to use the Developers Console to specify the additional API scopes that your service needs.

Federated login from URL

One of the most popular features of Apps Marketplace is the ability to add a link to your website from the navigation bar of Google apps like Gmail and Calendar. In order to add such a link, you need to be able to start an OpenID flow from a URL, and do federated login with the user's Google Apps domain. That is, if a Google Apps customer is on the example.com domain, they should be able to log in to your site by visiting a URL like https://yoursite.com/login?domain=example.com. This URL must be registered in your Marketplace manifest.

To support this mode, follow the instructions on redirecting to an IDP without using the popup widget.
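
The following is an added example, not code from the GITkit documentation or from Google: one way a login handler could validate the `domain` parameter of such a URL before starting the federated login. The `INSTALLED_DOMAINS` set, the function names and the error class are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: Google Apps domains that have installed the app.
# How your service records installed domains is an assumption of this example.
INSTALLED_DOMAINS = {"example.com"}

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


class LoginRequestError(ValueError):
    """Raised when the login URL does not name exactly one known domain."""


def normalize_domain(raw):
    """Lower-case the value and confirm it is a plain ASCII hostname."""
    domain = raw.strip().lower()
    if domain.endswith("."):          # tolerate a fully qualified "example.com."
        domain = domain[:-1]
    labels = domain.split(".")
    if len(domain) > 253 or len(labels) < 2:
        raise LoginRequestError("not a domain name")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise LoginRequestError("invalid characters in domain")
    return domain


def domain_from_login_url(url, installed=INSTALLED_DOMAINS):
    """Return the validated domain a Marketplace navigation link asked for."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("domain", [])
    if len(values) != 1:              # missing or repeated parameter
        raise LoginRequestError("expected exactly one domain parameter")
    domain = normalize_domain(values[0])
    if domain not in installed:       # only start login for known customers
        raise LoginRequestError("domain has not installed this app")
    return domain


if __name__ == "__main__":
    print(domain_from_login_url("https://yoursite.com/login?domain=Example.COM"))
```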
