The newest version of Google Identity Toolkit has been released as Firebase Authentication. It includes upgraded client SDKs, open source UI libraries, session management and integrated email sending service for forgotten password flows.

New projects should use Firebase Authentication. To migrate an existing project from Identity Toolkit to Firebase Authentication, see the migration guide.

Quick-start App for PHP

This quick-start lets you get started with Google Identity Toolkit on PHP in about 30 minutes.

Before beginning you will need the following:

  • A PHP environment and server. (PHP 5.4 and later includes a built-in web server. This is pre-installed on recent OS X machines)

Step 1: Configure the Google Identity Toolkit API

This quickstart guide will set up a basic website that will allow username/password, Google, Yahoo, and (optionally) Facebook login.

  1. Go to the Google API Console API Library.
  2. From the project drop-down, select an existing project, or create a new one. The API Console groups your information by “project” which bundles associated websites, Android apps, and iOS apps. For the Identity Toolkit API, any websites or apps in the same project will share the same user database.
  3. Enable the Identity Toolkit API service:
    1. In the list of Google APIs, search for the Identity Toolkit API service.
    2. Select Identity Toolkit API from the results list.
    3. Select Enable API.
    When the process completes, Identity Toolkit API appears in the list of enabled APIs. To view the list, select APIs & Services on the left sidebar menu, then select the Enabled APIs tab.
  4. Next, you need to set up the screen Google will show the user when you request the user's email address. In the left-side menu under "APIs & Services", select Credentials, then select the OAuth consent screen tab.
    1. Choose an Email Address, enter your website/app's name as the Product Name, and select Save.
    Once saved, you end up on the Credentials tab.
  5. Next, set up your OAuth2 client ID for registering as an app that accepts Google for sign-in.
    1. In the Credentials tab, select the Create credentials drop-down, then select OAuth client ID.
    2. Under Application type, select Web application. A web server is currently required to enable full functionality, even for mobile-only applications, because some identity providers do not have native SDKs.
    3. Enter a client ID Name, then enter the Restrictions as described below:
      • Authorized JavaScript Origins
        For this quick-start app, set this to: http://localhost:8000
        This is the URL of your site. For example, if your site is https://yoursite.com, enter that in the box. (Note that you may add multiple entries if your site can be accessed at multiple URLs.)
      • Authorized redirect URIs
        For this quick-start app, set this to: http://localhost:8000/gitkit
        When you send your users to authenticate with an identity provider like Google or Yahoo, the identity provider needs a page to return to when authentication is complete. Typically this is called an Authorized Redirect or a Callback. With Identity Toolkit this will also be where your sign-in page is displayed. You may use whichever URL you would like. (Usually https://yoursite.com/callback is fine unless you prefer something else)
    4. Once you've completed these fields, select Create.
  6. Now, create a service account.
    1. Select the Create credentials drop-down again (you should still be on the Credentials tab), then select Service account key.
    2. From the Service account drop-down, select an existing service account or create a new one.
    3. For Key type, select the P12 key option, then select Create. The file automatically downloads to your computer.
    4. In the resulting pop-up window, make note of the private key's password, then select Close. Put the *.p12 file you just downloaded in a directory of your choosing. This directory must be private (you can't let anyone get access to this), but accessible to your web server code.
  7. Next, create a Browser API key so that your app can access Google APIs.
    1. Select the Create credentials drop-down, then select API key.
    2. From the "Create a new key" pop-up, select Browser key, and optionally set your site's URL as the allowed referrer.
    3. Select Create.
  8. You're almost there! You just need to decide which sign-in options to support.
    1. On the left-side menu, return to the APIs list by selecting APIs & Services.
    2. Select the Enabled APIs tab.
    3. From the list of enabled APIs, find the Identity Toolkit API, then select the gear icon to the right of the name. This action opens your sign-in page configuration.
      • In the URL Configuration section of the screen, declare your URLs:
        • Widget URL
          From the drop-down, select a URL. This is the URL you entered earlier in the Client ID for Web application, under "Authorized Redirect URIs". This is the URL where your sign in page will appear, and it is also the URL you need to register with identity providers as your "Redirect URI".
          For this quick-start app, set this to: /gitkit
        • Sign-in Success URL
          This is where users are sent after they successfully sign in. This URL will need to validate the Identity Toolkit API token and then begin an authenticated session however you see fit. Many web application frameworks will generate a session cookie for you.
          For this quick-start app, set this to: /
        • Sign-out URL
          If you choose to use the User Card Widget, when the user clicks the sign out button, they are redirected to this URL.
          For this quick-start app, set this to: /
        • Send Email URL
          Sometimes it may be necessary to contact the user to confirm a password reset or email change. Because of email source verification in use by many email providers, these emails must originate from your server in order to avoid being marked as spam or suspicious. Identity Toolkit API will send a POST request to this URL with email address and the content of the message, and you will need to send the email.
          For this quick-start app, set this to: /
    4. In the Providers section, choose which identity providers that you want to support. Some identity providers require registration. Select the provider name or down arrow to view provider options/requirements.
    5. (Optional) Configure Facebook login
      1. Go to the Facebook developer page, register or log in, then select My Apps -> Add a New App.
      2. Choose the "Website" platform
      3. At the "Setup SDK" part of the quickstart, enter your Site URL. For this demo, that will be http://localhost:8000/gitkit. Click next. You do not need to use their code snippet.
      4. Once the app is set up:
        • Go to the Dashboard for your app and enter the Facebook App ID as the Client ID.
        • In the API Console Identity Toolkit API configuration page, enable Facebook as a provider and enter the Facebook App ID and App Secret.
    6. (Optional) Configure Twitter login
      1. Go to the Twitter Application Management page and create a new app.
      2. Under "Callback URL" you will have to write the URL to where you will be hosting Identity Toolkit. For this demo that will be http://127.0.0.1:8000/gitkit
      3. Once the app is created:
        • From your app dashboard go to "Keys and Access Tokens" and copy the Consumer key and Consumer secret.
        • Then, in the API Console Identity Toolkit API configuration page, enable Twitter as a provider and paste in your Consumer Key and Secret.
    7. Make sure to save your settings!
    8. There are two code snippets at the bottom of the page. The first snippet helps make the JavaScript configuration easy for your website. The second snippet should be saved in your server side code directory as gitkit-server-config.json.
    9. The server side configuration file needs to be further configured before use. Open the file for editing and change serviceAccountPrivateKeyFile setting to be equal to the path of the *.p12 or *.json file you downloaded earlier. You should use the full path, beginning with / and ending with the full name of the *.p12 or *.json file.
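
The Sign-in Success URL configured above has to validate the Identity Toolkit token and then begin an authenticated session. One way to do that, as an added example that is not part of the quick-start: it uses the same Gitkit_Client calls the quick-start's index.php uses in Step 3, assumes the file is saved in the quick-start folder with the Composer dependencies from Step 2 installed, and the session key names are hypothetical.

```php
<?php
// Added example, not part of the quick-start. Assumes it is saved in the
// quick-start folder with the Composer dependencies from Step 2 installed.
set_include_path(get_include_path() . PATH_SEPARATOR . __DIR__ . '/vendor/google/apiclient/src');
require_once __DIR__ . '/vendor/autoload.php';

// Session cookie: HttpOnly always. Secure is off only because the quick-start
// is served from http://localhost:8000; set it to true on an HTTPS site.
session_set_cookie_params(0, '/', '', false, true); // lifetime, path, domain, secure, httponly
session_start();

$gitkitClient = Gitkit_Client::createFromFile(__DIR__ . '/gitkit-server-config.json');
// Returns the signed-in user, or a falsy value when the request carries no
// valid token (the behaviour the quick-start's index.php relies on).
$gitkitUser = $gitkitClient->getUserInRequest();

if ($gitkitUser) {
    // Bind the session to the validated user. A fresh session ID is issued
    // whenever the identity changes, so a pre-login ID is never promoted.
    if (!isset($_SESSION['uid']) || $_SESSION['uid'] !== $gitkitUser->getUserId()) {
        session_regenerate_id(true);
        $_SESSION['uid']   = $gitkitUser->getUserId();    // hypothetical key names
        $_SESSION['email'] = $gitkitUser->getEmail();
        $_SESSION['idp']   = $gitkitUser->getProviderId();
    }
} else {
    // No valid token: drop any session state left from an earlier sign-in.
    $_SESSION = array();
    session_destroy();
}

header('Content-Type: text/plain; charset=utf-8');
echo isset($_SESSION['uid'])
    ? "session started for user id {$_SESSION['uid']}\n"
    : "no authenticated session\n";
```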

Step 2: Set up the quick-start

    1. Download the Google Identity Toolkit PHP quick-start from GitHub and unzip it. You can also find the source code for this quick-start or the client library on GitHub.

    2. Move the server-side configuration file gitkit-server-config.json that you created at the end of Step 1 into this folder.

    3. Install the PHP dependency management tool Composer, and the dependent libraries used by this quick-start. For Windows, installation instructions are on the Composer website (use the composer.json requirements file we included in the quickstart folder). For Linux/Mac, simply run the following commands:

      cd identity-toolkit-php-master
      curl -s https://getcomposer.org/installer | php
      php composer.phar install
      php -S localhost:8000 routing.php
      
    4. Under the hood, Composer installs Google Identity Toolkit PHP helper functions and Google API PHP client library.

Step 3: Build a basic website

    1. Create the file index.php with the following contents:

      <!DOCTYPE html>
      <html>
      <head>
      </head>
      <body>
      <p>
        You are not logged in yet.
      </p>
      </body>
      </html>
      
    2. Visit http://localhost:8000 and the web page should display "You are not logged in yet."

    3. Now we add the sign-in button widget to index.php:

      <!DOCTYPE html>
      <html>
      <head>
      
      <!-- 1: Configure the sign-in button -->
      
      <script type="text/javascript" src="//www.gstatic.com/authtoolkit/js/gitkit.js"></script>
      <link type=text/css rel=stylesheet href="//www.gstatic.com/authtoolkit/css/gitkit.css" />
      <script type=text/javascript>
        window.google.identitytoolkit.signInButton(
          '#navbar', // accepts any CSS selector
          {
            widgetUrl: "/gitkit",
            signOutUrl: "/",
          }
        );
      </script>
      
      <!-- End modification 1 -->
      
      </head>
      <body>
      
      <!-- 2: Include the sign in button widget with the matching 'navbar' id -->
      <div id="navbar"></div>
      <!-- End modification 2 -->
      
      <p>
        You are not logged in yet.
      </p>
      </body>
      </html>
      
    4. Go to http://localhost:8000/index. A 'Sign In' button should be displayed on the page, but clicking it leads to a 404 Not Found for the widget URL localhost/gitkit. We will now add that page.

    5. Create a file gitkit.php with the following contents:

      <!DOCTYPE html>
      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      
      <!-- Copy and paste here the client configuration from Developer Console into the config variable -->
      <script type="text/javascript" src="//www.gstatic.com/authtoolkit/js/gitkit.js"></script>
      <link type="text/css" rel="stylesheet" href="//www.gstatic.com/authtoolkit/css/gitkit.css" />
      <script type="text/javascript">
        var config =
          // Copy and paste client configuration here
        ;
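        // The raw HTTP POST body is written into this script, so the server emits it
        // as a JavaScript string literal with <, >, &, ' and " hex-escaped to prevent XSS
        window.google.identitytoolkit.start(
            '#gitkitWidgetDiv', // accepts any CSS selector
            config,
            <?php echo json_encode(file_get_contents("php://input"), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>
        );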
      </script>
      <!-- End modification -->
      
      </head>
      <body>
      
      <!-- Include the sign in page widget with the matching 'gitkitWidgetDiv' id -->
      <div id="gitkitWidgetDiv"></div>
      <!-- End identity toolkit widget -->
      
      </body>
      </html>
      
    6. Go to http://localhost:8000/index and click the Sign In button; you are redirected to /gitkit for sign-in. The Sign In button changes to the logged-in state, but the welcome text does not, because our server does not recognize the logged-in user yet. To recognize the logged-in user, make the following 2 modifications to index.php:

      <!DOCTYPE html>
      <html>
      <head>
      
      <!-- 1: Load the Google Identity Toolkit helpers -->
      <?php
        set_include_path(get_include_path() . PATH_SEPARATOR . __DIR__ .'/vendor/google/apiclient/src');
        require_once __DIR__ . '/vendor/autoload.php';
      
        $gitkitClient = Gitkit_Client::createFromFile(dirname(__FILE__) . '/gitkit-server-config.json');
        $gitkitUser = $gitkitClient->getUserInRequest();
      ?>
      <!-- End modification 1 -->
      
      <script type="text/javascript" src="//www.gstatic.com/authtoolkit/js/gitkit.js"></script>
      <link type=text/css rel=stylesheet href="//www.gstatic.com/authtoolkit/css/gitkit.css" />
      
      <script type=text/javascript>
        window.google.identitytoolkit.signInButton(
          '#navbar',
          {
            widgetUrl: "/gitkit",
            signOutUrl: "/index"
          }
        );
      </script>
      </head>
      <body>
      <div id="navbar"></div>
      
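      <!-- 2: Print the user information (HTML-escaped) if a signed in user is present -->
      <p>
        <?php if ($gitkitUser) { ?>
          Welcome back!<br><br>
          Email: <?= htmlspecialchars($gitkitUser->getEmail(), ENT_QUOTES, 'UTF-8') ?><br>
          Id: <?= htmlspecialchars($gitkitUser->getUserId(), ENT_QUOTES, 'UTF-8') ?><br>
          Name: <?= htmlspecialchars($gitkitUser->getDisplayName(), ENT_QUOTES, 'UTF-8') ?><br>
          Identity provider: <?= htmlspecialchars($gitkitUser->getProviderId(), ENT_QUOTES, 'UTF-8') ?><br>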
        <?php } else { ?>
          You are not logged in yet.
        <?php } ?>
      </p>
      <!-- End modification 2 -->
      
      </body>
      </html>
      
    7. Now our server fully supports both password login and federated login!
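
gitkit.php in step 5 writes the raw POST body into an inline script. The following added example (not part of the quick-start) compares json_encode() with its default flags against the JSON_HEX_* flags on constructed sample bodies and reports which characters each leaves in the emitted literal; run it with the PHP CLI.

```php
<?php
// Added example, not part of the quick-start. Sample bodies are constructed.

// What json_encode() emits with default flags.
function encodeDefault($body)
{
    return json_encode($body);
}

// The same string with <, >, &, ' and " emitted as \u00XX escapes.
function encodeForScript($body)
{
    return json_encode($body, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Characters inside the literal that the HTML parser or a JavaScript string
// delimiter would act on if the literal were echoed into an inline <script>.
function significantChars($literal)
{
    $inner = substr($literal, 1, -1); // drop the enclosing double quotes
    $found = array();
    foreach (array("'", '"', '<', '>', '&') as $c) {
        if (strpos($inner, $c) !== false) {
            $found[] = $c;
        }
    }
    return $found;
}

$samples = array(
    'form fields'  => 'a=1&b=2',
    'apostrophe'   => "name=O'Brien",
    'double quote' => 'name="quoted"',
    'markup'       => 'note=<b>bold</b>',
);

foreach ($samples as $label => $body) {
    $plain = encodeDefault($body);
    $safe  = encodeForScript($body);
    printf("%-13s default: %-24s leaves [%s]\n", $label, $plain, implode(' ', significantChars($plain)));
    printf("%-13s hex:     %s\n", '', $safe);
    // The hex-escaped literal carries none of the characters and decodes to the same string.
    if (significantChars($safe) !== array() || json_decode($safe) !== $body) {
        fwrite(STDERR, "unexpected encoding for: $label\n");
        exit(1);
    }
}
```

The hex-escaped output is already a complete JavaScript string literal, so it is echoed directly as an expression rather than wrapped in quotes and passed through JSON.parse.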

Next steps