Jeff Morgan
What are OpenID and OAuth
Authentication and authorization are commonly grouped together in the same conversation. OpenID and OAuth are likewise grouped together, as they represent authentication and authorization respectively. While both OpenID and OAuth have been available as options to Google developers for a while, they now take on more significance with the introduction of Google Apps Marketplace. In fact, it is a requirement to use these two standards when integrating a web application with the Google Apps Marketplace.
OpenID
OpenID is an emerging standard that provides authentication between a provider and a relying party (typically a web application). In the context of Google Apps, it allows a web application to use Google as the authentication provider. This federated authentication approach is commonly used to provide Single Sign-On (SSO) to another web application. The beautiful part of SSO is that once a user has authenticated in their Google Apps domain, access to any third-party Marketplace application in their domain is transparent.
OAuth
There are two flavors of OAuth: two-legged and three-legged. While both are available for use by many Google Data APIs, there are important differences that must be understood in order to know when to use each. Two-legged OAuth authorizes domain-wide access to Google Apps domain user data at an administrator level. Three-legged OAuth authorizes access to only one user's data, by that user. In general, once you understand these main differences, deciding which OAuth option to use becomes easier. The Google Apps Marketplace supports two-legged OAuth, since it makes sense to authorize access at the domain level by the administrator. Marketplace applications are available to all Google Apps domain users, so there is no need for each user to grant authorization.
OpenID+OAuth
Bringing them both together is now also supported by Google. Sometimes referred to as the Hybrid Protocol, OpenID has been extended to support OAuth. While this may be useful in certain situations, this approach is now less relevant in the Google Apps Marketplace. The Marketplace manifest configuration file supports two-legged OAuth, making it unnecessary to obtain an OAuth token during the OpenID process. It is also important to understand this distinction when writing Marketplace applications, because OpenID and OAuth are often grouped together, not just because of the hybrid option but because each on its own plays an important role in developing applications on the Google Apps platform.
Learn More
Google IO Session
OpenID-based single sign on and OAuth data access for Google Apps
Resource Links
Implementing OAuth with Federated Login
OAuth Support in Google's Federated Login API