The newest version of Google Identity Toolkit has been released as Firebase Authentication. It includes upgraded client SDKs, open source UI libraries, session management and an integrated email-sending service for forgotten-password flows.

New projects should use Firebase Authentication. To migrate an existing project from Identity Toolkit to Firebase Authentication, see the migration guide.

Use Identity Toolkit in your iOS app

We know developers need to engage their users across all platforms, so Google Identity Toolkit runs natively on iOS. Our iOS SDK provides an easy-to-use identity solution for all developers.

Add to existing app

Ready to get started? Our iOS Quickstart is the easiest way to try it out.

Otherwise, follow these instructions to add Google Identity Toolkit to your own application.

  1. Identity Toolkit uses CocoaPods to install and manage dependencies. Open a terminal window and navigate to the location of the Xcode project for your application. If you have not already created a Podfile for your application, create one now:

    pod init
    

    Open the Podfile created for your application and add the following:

    pod 'GoogleIdentityToolkit'
    

    Save the file and run:

    pod install
    

    This creates an .xcworkspace file for your application. Use this file for all future development on your application.

  2. Configure the Identity Toolkit API as outlined in Step 2 of the quickstart.

  3. Configure the GITClient and GIDSignIn variables in your app delegate.

      GITClient *gitkitClient = [GITClient sharedInstance];
      gitkitClient.apiKey = GITKIT_API_KEY;
      gitkitClient.widgetURL = GITKIT_WIDGET_URL;
      gitkitClient.providers = @[ kGITProviderGoogle ];
      [GIDSignIn sharedInstance].clientID = GOOGLE_CLIENT_ID;
    

    About the configuration values

    • gitkitClient.apiKey is the Key for iOS applications in the Public API access section of the credentials page.
    • gitkitClient.widgetURL is your web server Identity Toolkit widget URL. If you don't yet have a web server, just use @"http://localhost?placeholder" as a placeholder.
    • gitkitClient.providers is a list of providers that should match what you configured in the Identity Toolkit page.
    • [GIDSignIn sharedInstance].clientID is the Client ID for iOS applications under the OAuth section of the credentials page.

  4. Configure the .plist

    • In your .plist file, find the array key called URL types
    • Ensure there is the URL identifier "google" with the URL scheme that matches your bundle ID.
    • Ensure there is the URL identifier "gitkit". Change the scheme such that the string following the last period is the first section of your Client ID for Web application under the OAuth section under credentials. For example, if your client ID is 83782575413-qvsq4c2o2mmcj9k6eqjd3e1p3m8eqk2v.apps.googleusercontent.com, the scheme should be com.googleusercontent.apps.83782575413-qvsq4c2o2mmcj9k6eqjd3e1p3m8eqk2v.

    Alternatively, you can use the project configuration page. Double-click on your project file and edit the URL Types under the Info tab per the instructions above.
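The URL scheme rules in step 4 can be checked mechanically. The following is an added example, not part of the Identity Toolkit SDK or the quickstart: it parses an Info.plist and verifies the "google" and "gitkit" URL types. It assumes the Xcode labels "URL types", "URL identifier" and "URL Schemes" correspond to the raw keys CFBundleURLTypes, CFBundleURLName and CFBundleURLSchemes; the sample plist and its bundle ID are constructed.

```python
import plistlib

# Constructed sample Info.plist; the bundle ID com.example.myapp is made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.myapp</string>
  <key>CFBundleURLTypes</key><array>
    <dict><key>CFBundleURLName</key><string>google</string>
      <key>CFBundleURLSchemes</key><array><string>com.example.myapp</string></array></dict>
    <dict><key>CFBundleURLName</key><string>gitkit</string>
      <key>CFBundleURLSchemes</key><array>
        <string>com.googleusercontent.apps.83782575413-qvsq4c2o2mmcj9k6eqjd3e1p3m8eqk2v</string>
      </array></dict>
  </array>
</dict></plist>"""
# Client ID for Web application, taken from the example in step 4.
WEB_CLIENT_ID = "83782575413-qvsq4c2o2mmcj9k6eqjd3e1p3m8eqk2v.apps.googleusercontent.com"
SUFFIX = ".apps.googleusercontent.com"


def expected_gitkit_scheme(web_client_id):
    """Build the 'gitkit' scheme: fixed prefix plus the first section of the client ID."""
    if not web_client_id.endswith(SUFFIX):
        raise ValueError("not a Google OAuth client ID: %r" % web_client_id)
    return "com.googleusercontent.apps." + web_client_id[: -len(SUFFIX)]


def check_url_types(plist_bytes, web_client_id):
    """Return a list of problems; an empty list means step 4 is satisfied."""
    info = plistlib.loads(plist_bytes)
    # Map each URL identifier to the list of schemes registered under it.
    schemes = {t.get("CFBundleURLName"): t.get("CFBundleURLSchemes", [])
               for t in info.get("CFBundleURLTypes", [])}
    wanted = {"google": info.get("CFBundleIdentifier"),
              "gitkit": expected_gitkit_scheme(web_client_id)}
    problems = []
    for ident, scheme in wanted.items():
        if ident not in schemes:
            problems.append(f"missing URL identifier {ident!r}")
        elif scheme not in schemes[ident]:
            problems.append(f"{ident!r} scheme should be {scheme!r}, found {schemes[ident]}")
    return problems


if __name__ == "__main__":
    print(check_url_types(SAMPLE_PLIST, WEB_CLIENT_ID) or "URL types OK")
```

Run it against the Info.plist of a built app, where build variables such as the bundle identifier have already been expanded.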

Adding Identity Providers

Once you have Sign in with Google and password accounts working, you will likely want to offer other sign in options for your users.

Facebook

  1. Follow steps 1-4 of the Facebook getting started instructions.
  2. In step 4 of the Facebook getting started instructions, you added a URL scheme under URL types in your .plist file. Under this same item, also add the identifier and set it to "facebook".
  3. Copy your Facebook App ID into the Client ID field and the Facebook App Secret into the Secret Key field in the Identity Toolkit configuration page. Be sure to click "save" when you are done.
  4. Enable the Facebook sign in by modifying your GKDAppDelegate.m file such that the assignment to gitkitClient.providers now looks like:

      gitkitClient.providers = @[ kGITProviderGoogle, kGITProviderFacebook ];
    

Yahoo

  1. Add kGITProviderYahoo to gitkitClient.providers in your app delegate.
  2. Set the roll-out percentage in the settings console as appropriate. Be sure to click "save" when you are done.

Microsoft

  1. Follow these instructions to enable your Microsoft app. You should register as a website using your widget_url.
  2. Once you have registered your app, copy the Client ID and Secret Key to the Identity Toolkit configuration page.
  3. Add kGITProviderMicrosoft to gitkitClient.providers in your app delegate.
  4. Set the roll-out percentage in the settings console as appropriate. Be sure to click "save" when you are done.

AOL

  1. Add kGITProviderAOL to gitkitClient.providers in your app delegate.
  2. Set the roll-out percentage in the settings console as appropriate. Be sure to click "save" when you are done.

Paypal

  1. Follow these instructions to enable your Paypal app. You should register as a website using your widget_url.
  2. Once you have registered your app, copy the Client ID and Secret Key to the Identity Toolkit configuration page.
  3. Add kGITProviderPaypal to gitkitClient.providers in your app delegate. Be sure to click "save" when you are done.

UI Customization

You can override the user interface by implementing your own GITInterfaceManagerDelegate. The delegate allows you to replace any of the five Identity Toolkit screens. For any screen you do not override, the default will be used.

For an example of how to implement the custom interface, see the GKDCustom classes in our quickstart.

Start Sign-in

When the signInWithControllerAccount method is called, you should allow the user to choose how they will sign in.

First, if the account is not nil, you should give your users the option to use this previous account. If the user elects to use this existing account, you should call the GITAuth signInWithEmail method.

If the user does not have an existing account or elects to use a new one, you should show buttons for various Identity Providers and/or a text field to enter an email address. For users that select an Identity Provider button, you call the GITAuth signInWithProviderID method. For users that enter an email address, you call the GITAuth signInWithEmail method.

Show Password Sign-in

The legacySignInControllerWithEmail method is called if the user entered an email on the startSignIn screen and a password account for that email already exists. You must provide some way for the user to enter their password, then call the GITAuth verifyPassword method.

If the user has had repeated failed attempts at signing in, they may be prompted to complete a reCAPTCHA challenge before moving forward.

Show Password Sign Up

The legacySignUpControllerWithEmail method is called if the user entered an email on the startSignIn screen and no account for that email already exists. You must provide some way for the user to enter the password they would like to configure for their account, then call the GITAuth signUpWithEmail method.

If the same device tries to create several accounts within a short time-frame, we may show the user a reCAPTCHA challenge to prevent abuse.

Show Password Account Linking

The accountLinkingControllerWithUnverifiedProvider method is called when the user had previously created a password account and has now elected to sign in with an Identity Provider. You must provide some way for the user to enter their old password to verify ownership of this account, then call the GITAuth linkAccountWithPassword method.

Note that email providers are considered “trusted” Identity Providers and will not require password confirmation. For example, if user@yahoo.com had previously signed up with a password, and then signed in with Yahoo, then they will not need password confirmation.

Show IDP Account Linking

The accountLinkingControllerWithUnverifiedProvider:verifiedProvider: method is called with the verifiedProvider argument if the user successfully completed federated login, but an account with that email was already created using a different Identity Provider. You should allow the user to confirm this action, then call the GITAuth linkAccountToProviderID method. This action will prompt the user to authenticate using their previous Identity Provider.

Note that email providers are considered “trusted” Identity Providers and will not need this extra screen before linking accounts. For example, if user@yahoo.com had previously signed in with Facebook, then later signed in with Yahoo, Yahoo would be a trusted provider and the accounts would link without confirmation. However, if they signed in with Yahoo first and then Facebook, then this method will be called.