Implementing Google federated login using Hybrid Protocol (OpenID+OAuth)
June 3, 2010
How it works
Just a few days ago, I badly needed to implement Google federated login using the Hybrid Protocol (OpenID+OAuth). After searching for a while, I realized that I had not been keen on reading. So I read the Federated Login for Google Account Users documentation again and found the solution.
To use the Google service, all you need is:
OAuth Consumer Key
OAuth Consumer Secret
How to get OAuth Consumer Key and OAuth Consumer Secret
Step 1: First you need to add your domain name in Google. To add your domain click
Step 2: In Add a New Domain, enter your domain (sign in first if you haven't already) and you will see Manage your.domain.name below.
Step 3: Clicking Manage your.domain.name takes you to the Verify ownership page. You will have
Site URL
Verification status
Verification method
The Verification status will obviously be Not Verified. To verify your domain with the Google service, you can choose Meta Tag, Upload an HTML file or Add a DNS record from the select box. Choose whichever you want. Here we use Meta Tag, which looks something like:
<meta name="google-site-verification" content="OTInrbJb1bsZ4JODXahOcdA2Ab16zZEcOURtss2Fnws" />
Add this meta tag to your site's root file (e.g. index.php or index.html) and then click the Verify button.
Step 4: After verification it's time to get the OAuth Consumer Secret. First create a self-signed X.509 certificate. The easiest way to create X.509 certificates on Linux is the openssl command. On your Linux box, go to a terminal and paste the following command.
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 -subj '/C=US/ST=CA/L=Mountain View/CN=www.example.com' -keyout myrsakey.pem -out /tmp/myrsacert.pem
Now you have your certificate in /tmp/myrsacert.pem; upload and save it in your Google account management. The private key, myrsakey.pem, is written to the directory you ran the command in and is not uploaded.
You will see something like:
OAuth Consumer Key: your.domain.name
OAuth Consumer Secret: mx4KGNaNdcqHt+BDuJusaUvc
Step 5: You are almost done! Just download the Source Code and run it. You will need the Zend Gdata library. If you don't have it, you can download it from here.
“The demo illustrates the simplicity of a combined user interface doing double duty: view a page requesting sign-on approval and access to your Google Docs and Spreadsheets services, click “Continue Sign-in”, and voila: you’re logged into the site and viewing a list of all your Google docs. All the authentication/authorization is happening behind the scenes, while the cost to the user is one page view and one click.”
See a DEMO of OpenID+OAuth in action
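The check below is an added example, not code from the original post or from Google: a shell function to run on the certificate from Step 4 before uploading it. It flags a file that contains a private key, an RSA key under 2048 bits or a SHA-1/MD5 signature (the Step 4 command as written produces a 1024-bit key signed with SHA-1), near expiry, and a key that does not match the certificate; the function name and the thresholds are assumptions of this example.

```bash
# Added example: sanity-check a PEM file before uploading it as the OAuth
# consumer certificate. The thresholds (2048-bit RSA, no SHA-1/MD5, 30 days)
# are assumptions of this example, not values from the post.
# Usage: check_upload_pem CERT [KEY]; returns 0 when nothing is flagged.
check_upload_pem() {
    local cert="$1" key="${2:-}" rc=0 text bits sigalg
    # The upload must be the public certificate only, never the key.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$cert"; then
        echo "FAIL: $cert contains a private key; upload the certificate only"
        return 1
    fi
    if ! text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null); then
        echo "FAIL: $cert is not a parseable X.509 certificate"
        return 1
    fi
    # Key size: the -text output has a line like "Public-Key: (1024 bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "WARN: RSA key is ${bits:-unknown} bits (below 2048)"; rc=1
    fi
    # Signature hash, e.g. "Signature Algorithm: sha1WithRSAEncryption".
    sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        sha1*|md5*) echo "WARN: certificate is signed with $sigalg"; rc=1 ;;
    esac
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "WARN: certificate is expired or expires within 30 days"; rc=1
    fi
    if [ -n "$key" ]; then
        # The signer must hold the key matching the uploaded certificate.
        if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
             "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
            echo "FAIL: $key does not match $cert"; rc=1
        fi
        # -nodes leaves the key unencrypted, so file mode is its only guard.
        # stat -c is the GNU/BusyBox form; BSD stat uses -f '%Lp' instead.
        case "$(stat -c '%a' "$key" 2>/dev/null)" in
            600|400) ;;
            *) echo "WARN: $key should be mode 600 or 400"; rc=1 ;;
        esac
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $cert"; fi
    return "$rc"
}
```

With the file names from Step 4, the call is `check_upload_pem /tmp/myrsacert.pem myrsakey.pem`.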
References:
Google API
OpenID Federated Login Service for Google Apps
Federated Login for Google Account Users
Generating keys using OpenSSL





Just downloaded all the source files and will play with getting them working tonight in a way that will integrate with my site. Thanks for posting this code and these instructions.
I heard that Google was working on an OAuth method of authenticating for Gmail so you wouldn’t have to ask users for their ID/Password to access their Gmail accounts with IMAP. Have you done any experimenting with that?
Hello Greg,
Thanks for your comment.
I guess you were asking about identifying your application to users. Google normally displays the name of an application when requesting access consent from the user (see example). For more information, please visit Authentication and Authorization for Google APIs.
Best,
Tanveer
Hey, in this step:
“Now, you have your .pem file in /tmp/myrsacert.pem and upload and save it to your google account management.”
I don’t know where I can do this, can you help me? :{
Thanks a lot for the tutorial, it helps me so much.
Hi Victor,
Thanks for your comment.
If you're using a Linux box, then go to your Terminal/Konsole and just paste "sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 -subj '/C=US/ST=CA/L=Mountain View/CN=www.example.com' -keyout myrsakey.pem -out /tmp/myrsacert.pem" and you will find your .pem file in the /tmp directory.